Okta Classic Engine | Administration | Answered (posted 2018-11-09, last activity 2018-11-12)

JuliaM.04670 (Customer) asked a question.

Okta and Active Directory Password

Hi there,

 

I would like more clarification about the AD Password policy and how a different password policy in Okta would affect Active Directory.

 

This message is displayed for the AD policy:

Important: set the Minimum length and Complexity requirements to match your Active Directory password requirements. These requirements are displayed to the user when they reset their password through Okta and help ensure their password complies.

 

However we would like to create a more stringent password policy for Okta sign-ins and make it known for the user.

 

Currently the option "Unlock users in Okta and Active Directory" is selected in the event that a user forgets or needs to reset their password.

 

If there is a different password policy for Okta than in AD, will this force AD to change to Okta's policy for password resets?

 

If the option "Unlock users only in Okta" is selected, will our IT guys be able to reset AD from Okta even though the password policy is different?


  • ScottC.29702 (Pliancy)

    If there is a difference in password policies between the two, then they will both do their own thing. So for example, if you have self-service password reset enabled and Okta's password complexity requirements are more stringent than AD, then when a user goes to reset their password through Okta, Okta will enforce its complexity requirements and not AD's. If the lockout policy is set to only unlock the Okta user, but the AD account is also locked out, I believe that would require unlocking the account on both platforms.

     

    Out of curiosity, why would you want there to be disparity between the password policies? Would making fine-grained password policies in AD work for your org so that Okta's and AD's policies align? Having them in alignment is the "cleanest" way of going about this.

  • justin.bergez (Regional Customer Success, Bay Area)

    Hi Julia,

     

    My name is Justin with Okta Support. The enforcement and requirements for your AD mastered users come from your Active Directory. The Active Directory policy settings in Okta should match your AD only to ensure the necessary prompts appear when a user is not adhering to the policy you have configured.

     

    My answers to your other questions are below:

    If there is a different password policy for Okta than in AD, will this force AD to change to Okta's policy for password resets?

    No, if you are using AD for Delegated Authentication, then the password policy is set and enforced from AD.

     

    If the option "Unlock users only in Okta" is selected, will our IT guys be able to reset AD from Okta even though the password policy is different?

    If "Unlock users only in Okta" is selected, it means that a user has the ability to unlock their Okta account through Self-Service. They would require admin assistance to unlock their AD account. If "Unlock Users in Okta and Active Directory" is selected, it means that a user unlocks both accounts when going through Self-Service.

     

    Your admins should be resetting AD passwords in AD, if that is what you've chosen for authentication. If you're pushing passwords from Okta > AD, then they can send the end user a password reset link from the Okta admin console, or use the Okta API to reset the password directly.

     

    For more, check out our documentation on Security Policies from the Help site. If you'd like to discuss in more detail, feel free to open a case with Okta support.

     

    Ref:

    https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm

    https://developer.okta.com/docs/api/resources/users#reset-password

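The point both replies make (the Okta policy settings do not change what AD enforces, so a mismatch means the user can pass Okta's check and still have AD reject the value) can be modelled in a few lines. The following is an added illustration for this thread, not Okta or Microsoft code; the two rule sets are simplified assumptions (an AD-style "3 of 4 character classes, no account name" rule and an Okta-style "minimum length plus required classes" rule) and the sample policies and passwords are constructed.

```python
"""Simulate a self-service reset that is checked by an Okta policy and then
written to an AD domain policy.  Added example, not Okta's or Microsoft's code;
both policy models are simplified assumptions."""
from dataclasses import dataclass
import re

# Character classes used by both simplified policies.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    required: frozenset = frozenset()   # classes every password must contain (Okta-style)
    min_categories: int = 0             # "N of 4 classes" rule (AD-style complexity)
    forbid_username: bool = False       # AD rejects passwords containing the account name

    def violations(self, password, username=""):
        """Return human-readable reasons the password fails this policy (empty = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        present = {c for c, rx in CATEGORIES.items() if rx.search(password)}
        for cat in sorted(self.required - present):
            problems.append(f"missing a {cat} character")
        if len(present) < self.min_categories:
            problems.append(f"uses {len(present)} of 4 character classes, needs {self.min_categories}")
        if self.forbid_username and username and username.lower() in password.lower():
            problems.append("contains the account name")
        return problems

    def accepts(self, password, username=""):
        return not self.violations(password, username)


# Constructed sample policies (assumptions, not any real organisation's settings).
AD_DEFAULT = Policy("AD domain policy", min_length=8, min_categories=3, forbid_username=True)
OKTA_LOOSE = Policy("Okta (mismatched)", min_length=8, required=frozenset({"lower", "digit"}))
OKTA_STRICT = Policy("Okta (stricter)", min_length=12,
                     required=frozenset({"upper", "lower", "digit", "symbol"}))


def reset_outcome(okta, ad, password, username):
    """Okta evaluates the new password first; only if it passes is the value sent to AD,
    which applies its own policy independently.  Returns (outcome, reasons)."""
    okta_problems = okta.violations(password, username)
    if okta_problems:
        return ("rejected_by_okta", okta_problems)
    ad_problems = ad.violations(password, username)
    if ad_problems:
        return ("rejected_by_ad", ad_problems)   # user saw Okta accept it, then AD refused
    return ("accepted", [])


if __name__ == "__main__":
    # Constructed sample passwords; "jmiller" is a constructed account name.
    cases = [
        (OKTA_LOOSE, "summer2018"),      # passes the loose Okta rule, fails AD complexity
        (OKTA_STRICT, "Sum!mer2018xyz"),  # passes both
        (OKTA_STRICT, "Jmiller!2018ab"),  # passes Okta, fails AD's account-name rule
        (OKTA_STRICT, "short1!A"),        # stopped by Okta before reaching AD
    ]
    for policy, pw in cases:
        outcome, why = reset_outcome(policy, AD_DEFAULT, pw, "jmiller")
        print(f"{policy.name:18} {pw!r:18} -> {outcome} {why}")
```

The first case is the one the documentation warning is about: a user who satisfies the Okta prompt is then refused by AD, and the only guidance they saw was Okta's. The third case shows why matching "minimum length and complexity" alone is not quite enough: AD also rejects passwords that contain the account name, so a stricter Okta policy does not by itself guarantee that every Okta-approved value is AD-approved.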
This question is closed.