
(Customer) asked a question.
For a customer of ours, some while ago we made sure the Okta AD password policy reflects the password policy from their AD.
Since then, via automations, a reminder was created to remind users to change their password in time. The rule which was set is:
Several users mentioned that they indeed receive the email which is generated via the automation, but always too early.
For example, a user received the Okta email notification on the 14th of September, while the password is expiring on the 13th of October. So the notification was sent roughly two weeks too early.
Does anybody have an idea how we can synchronize the password expiry dates from AD?

How are you currently calculating the notification in your automation?
With Active Directory, if a password policy is set to expire passwords on a specific interval, then each user account will have several attributes that can be leveraged:
pwdLastSet
This is an attribute that specifies the date and time the user's password was last changed.
This can be used in conjunction with Max-Pwd-Age: "pwdLastSet" + "Max-Pwd-Age" will tell you when the password will expire.
ms-DS-User-Password-Expiry-Time-Computed
This contains a date/time value.
Are you including either of these attributes from AD into your Okta profile to use for your automation?
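As an added example (not code from the thread or from Okta), this is how an automation could derive the expiry date from the two attributes named above: pwdLastSet and msDS-UserPasswordExpiryTimeComputed are Windows FILETIME values, and maxPwdAge is a negative duration in the same units. The 90-day lifetime, the 14-day reminder lead and the sample dates are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores pwdLastSet (and msDS-UserPasswordExpiryTimeComputed) as a Windows
# FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. maxPwdAge on the domain
# object is a NEGATIVE tick count (a duration), so it is subtracted, not added.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_US = 10
NEVER_EXPIRES_MAX_AGE = -(2**63)           # maxPwdAge when "never expires" is set
NEVER_EXPIRES_COMPUTED = 2**63 - 1         # msDS-...ExpiryTimeComputed sentinel
MAX_PWD_AGE_90_DAYS = -90 * 86400 * 10**7  # constructed: 90-day domain policy

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks (used here to build constructed values)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_US

def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_US)

def password_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry = pwdLastSet + |maxPwdAge|; None if passwords never expire.
    pwdLastSet == 0 means 'must change at next logon', returned as the
    FILETIME epoch so any 'already expired' comparison holds."""
    if max_pwd_age in (0, NEVER_EXPIRES_MAX_AGE):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return from_filetime(pwd_last_set - max_pwd_age)

def expiry_from_computed(ticks: int) -> Optional[datetime]:
    """Same result read from msDS-UserPasswordExpiryTimeComputed (the DC does the math)."""
    if ticks == NEVER_EXPIRES_COMPUTED:
        return None
    return from_filetime(ticks)

def reminder_date(expiry: datetime, lead_days: int) -> datetime:
    """The day the 'change your password' reminder should go out."""
    return expiry - timedelta(days=lead_days)

def days_before_expiry(expiry: datetime, sent_on: datetime) -> int:
    """How many days ahead of expiry a reminder was actually sent."""
    return (expiry - sent_on).days

if __name__ == "__main__":
    expiry = password_expiry(to_filetime(utc(2023, 7, 15)), MAX_PWD_AGE_90_DAYS)
    print("expires", expiry.date(), "remind on", reminder_date(expiry, 14).date())
    # The thread's case: sent 14 Sep for a 13 Oct expiry -> 29 days ahead, not 14.
    print("sent", days_before_expiry(utc(2023, 10, 13), utc(2023, 9, 14)), "days early")
```

Comparing the date derived from pwdLastSet with the value of msDS-UserPasswordExpiryTimeComputed for the same account is a quick way to confirm the automation is reading the right attribute and unit.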
Hello Brendan,
Thank you for your reply and I will need to check with our customer what they used as they set these rules up themselves.
I should also add there is a feature flag which can be enabled that will automatically message your users 5 days before their password expires, but currently the length of time beforehand cannot be modified.
Once enabled, the option will be under: Security > Authentication > Active Directory Policy.
I have made them aware of this option, but they want AD to be the truth for this automation and not Okta.