
RichardS.51517 (Customer) asked a question.
I want to test Okta doing password reset for Active Directory. Currently we have 3 auth policies in this order: Legacy (okta auth), Active Directory (ad auth) and Default (okta auth). The Active Directory Policy applies to Everyone. If I were to put a new AD Policy in prior to the Active Directory one and limit it to a group (not everyone) and enable password reset for that policy, would it only permit those users to do password reset while the rest of the company would still be unable to do them? My assumption is that Okta checks the policies sequentially and stops at the one that is matched. I don't have the ability to easily set this up in sandbox or I would do it there and not be worried.

That's correct. Like all policies in Okta, the password policies are evaluated in hierarchical order, so you can create a new AD policy that targets a specific group and place that policy above the existing AD policy. Users in the group will get the new policy while everyone else will skip past that one and get the AD policy assigned to the Everyone group.
Perfect, that is exactly what I needed to know.
Thank you!
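
The first-match behaviour confirmed in the answer can be modelled offline to check a planned policy order before changing production. This is an added example, not part of the original thread and not Okta code: the field names, the "AD"/"OKTA" provider labels, the rule that a policy only matches users of its own provider, the "Legacy Users" and "Reset Pilot" groups and the sample users are all constructed assumptions.

```python
# Simplified model of first-match password policy evaluation (added example).
# Field names and provider labels are hypothetical, not Okta's API schema.
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    priority: int             # 1 is evaluated first
    provider: str             # "OKTA" or "AD" (assumed labels)
    groups: frozenset         # groups the policy is assigned to
    self_service_reset: bool

def effective_policy(policies, user_provider, user_groups):
    """Return the first policy, in priority order, that matches the user."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.provider != user_provider:
            continue  # assumption: a policy only matches users of its provider
        if p.groups & (set(user_groups) | {"Everyone"}):
            return p  # first match wins; lower policies are never consulted
    return None

def reset_exposure(policies, users):
    """Map each user to (matched policy name, self-service reset allowed)."""
    out = {}
    for name, (provider, groups) in users.items():
        p = effective_policy(policies, provider, groups)
        out[name] = (p.name, p.self_service_reset) if p else (None, False)
    return out

def shadowed(policies):
    """Policies that can never match: an earlier same-provider policy targets Everyone."""
    covered, dead = set(), []
    for p in sorted(policies, key=lambda p: p.priority):
        if p.provider in covered:
            dead.append(p.name)
        elif "Everyone" in p.groups:
            covered.add(p.provider)
    return dead

# Constructed policy stack mirroring the thread, with the pilot policy inserted.
POLICIES = [
    PasswordPolicy("Legacy", 1, "OKTA", frozenset({"Legacy Users"}), False),
    PasswordPolicy("AD Reset Pilot", 2, "AD", frozenset({"Reset Pilot"}), True),
    PasswordPolicy("Active Directory", 3, "AD", frozenset({"Everyone"}), False),
    PasswordPolicy("Default", 4, "OKTA", frozenset({"Everyone"}), False),
]
# Constructed users: name -> (provider, groups)
USERS = {"pilot.user": ("AD", ["Reset Pilot"]),
         "other.ad.user": ("AD", ["Sales"]),
         "okta.user": ("OKTA", [])}
```

`reset_exposure(POLICIES, USERS)` shows which users would gain self-service reset, and `shadowed()` flags a pilot policy that was accidentally placed below the Everyone policy and would therefore never apply.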