<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00008bPt5ECASOkta Classic EngineAuthenticationAnswered2026-04-01T09:00:20.000Z2023-01-05T14:36:30.000Z2023-01-09T12:10:25.000Z

lr6h2 (lr6h2) asked a question.

January 5, 2023 at 2:36 PM
The user status does not change after the password expires

Hello,

 

I have an issue with the user's account status after the password has expired.The password should expire after 7 days and I added an automation to prompt the user by email when the password expires . The user does receive the email but the status is always ACTIVE and never changes to PASSWORD EXPIRED.

By downloading the PASSWORD HEALTH, the status is also active.

Users are managed directly in Okta.

 

Thank you in advance for your help.

 

BR,

L.D

  • 4 answers
  • 551 views

  • k5fuw (k5fuw)

    I noticed similar behavior earlier today. The Okta-mastered service account that I use to install our AD agents showed a status of Active, yet when I attempted to sign in using that account, it failed. Only then did the status of that account change to password expired - which was correct since we have a 90-day expiration policy and the last time I used that account was on Sept 1. It would seem that password expiration is only calculated/detected during login, therefore the account status change to password expired will only occur at the first login attempt after the password has already expired.

     

    And that kinda makes sense. There is no password expiration date stored in the account. It is only during login that the password policy is evaluated, the expiration date is calculated and only then does Okta decide if that account's password is expired.

    Expand Post
    Selected as Best

  • DonF.81354 (Customer)

    Quick question I do want to make sure I understand fully - you are sending the user an email before password expiry to change their password, correct? And if they do not change their password, you are saying that it never changes to password_expired?

     

    Apologies for my confusion! Thanks much.

    • lr6h2 (lr6h2)

      Hello Don Furline,

       

      Thank you for you feedback,yes that's right.

       

      Br,

      Laure

  • k5fuw (k5fuw)

    I noticed similar behavior earlier today. The Okta-mastered service account that I use to install our AD agents showed a status of Active, yet when I attempted to sign in using that account, it failed. Only then did the status of that account change to password expired - which was correct since we have a 90-day expiration policy and the last time I used that account was on Sept 1. It would seem that password expiration is only calculated/detected during login, therefore the account status change to password expired will only occur at the first login attempt after the password has already expired.

     

    And that kinda makes sense. There is no password expiration date stored in the account. It is only during login that the password policy is evaluated, the expiration date is calculated and only then does Okta decide if that account's password is expired.

    Expand Post
    Selected as Best

    • lr6h2 (lr6h2)

      Hello Mike Koch,

       

      I just tested and indeed the status changes when the user tries to log in.

      Thank you very much for your help.

       

      BR,

      Laure

      Expand Post
This question is closed.
Loading
The user status does not change after the password expires