Okta Identity Engine | Multi-Factor Authentication | Answered | 2023-02-08T14:40:35.000Z | 2023-02-02T09:55:25.000Z | 2023-02-08T14:40:35.000Z

JeremiasM.62863 (Customer) asked a question.

Okta does not send Reset Password emails to secondary email

I have configured the email authenticator as a recovery authenticator, and I have enabled secondary email in the "Optional User Account Fields" as described in the article below:

 

https://support.okta.com/help/s/article/Users-not-receiving-activation-email-on-secondary-email-address?language=en_US

 

User activation emails are still sent to both secondary and primary emails. We need this to work because the password reset email does not help because end users need Okta to access their Google Workspace email.

 

I have tested this with users who have secondary email configured but when the end user clicks the "forget password" link the email is only sent to their work email.

 

This secondary email address field seems to be a new feature so maybe this is just a bug. Hope this bug then finds the right team at Okta. The documentation in many places indicates that this should still be an available feature. Appreciate all the help!

 


  • DonF.81354 (Customer)

    Yes! Ok so ensure a few things:

    • the user has a secondary email configured
    • "Optional User Account Fields" > Secondary Email > Enabled
    • Authenticators > Password > "Applicable Policy" > Applicable Rule > Ensure that access is allowed to "Password Reset" Under "THEN Users can perform self-service:"

     

    Out of curiosity, are the users that are having this issue falling under a different policy/rule? You can have multiple policies scoped to groups and to different authentication providers (Okta vs AD). Do these apply and are all of the above complete?

    Selected as Best
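The checklist in the answer above, run as an offline check. This is an added example, not part of the original post and not Okta's code. The JSON field names are assumptions modelled on Okta user and password-policy objects, `secondaryEmailEnabled` is a hypothetical stand-in for the "Optional User Account Fields" setting, and all sample data is constructed:

```python
# Added example; all data below is constructed. Field names are assumptions
# modelled on Okta user and password-policy JSON; secondaryEmailEnabled is hypothetical.

def effective_policy(user_groups, policies):
    """First ACTIVE policy, by priority, scoped to any of the user's groups."""
    for p in sorted(policies, key=lambda p: p["priority"]):
        scoped = set(p["conditions"]["people"]["groups"]["include"])
        if p["status"] == "ACTIVE" and scoped & set(user_groups):
            return p
    return None

def sspr_findings(user, user_groups, org_settings, policies):
    """Reasons a self-service reset email would not reach the secondary address."""
    findings = []
    if not (user["profile"].get("secondEmail") or "").strip():
        findings.append("user has no secondary email")
    if not org_settings.get("secondaryEmailEnabled", False):
        findings.append("Secondary Email is not enabled for the org")
    policy = effective_policy(user_groups, policies)
    if policy is None:
        return findings + ["no active password policy applies to the user"]
    rules = sorted((r for r in policy["rules"] if r["status"] == "ACTIVE"),
                   key=lambda r: r["priority"])
    # Assumption: the first active rule applies (no network-zone conditions modelled).
    access = rules[0]["actions"]["selfServicePasswordReset"]["access"] if rules else "DENY"
    if access != "ALLOW":
        findings.append(f"policy '{policy['name']}' does not allow self-service Password Reset")
    return findings

def _policy(name, priority, group, access):
    return {"name": name, "priority": priority, "status": "ACTIVE",
            "conditions": {"people": {"groups": {"include": [group]}}},
            "rules": [{"priority": 1, "status": "ACTIVE",
                       "actions": {"selfServicePasswordReset": {"access": access}}}]}

POLICIES = [_policy("Default", 2, "everyone", "ALLOW"),
            _policy("AD-sourced users", 1, "ad-users", "DENY")]
ORG = {"secondaryEmailEnabled": True}
ALICE = {"profile": {"login": "alice@example.org", "secondEmail": "alice@example.net"}}
BOB = {"profile": {"login": "bob@example.org", "secondEmail": None}}

if __name__ == "__main__":
    print(sspr_findings(ALICE, ["everyone"], ORG, POLICIES))              # all three checks pass
    print(sspr_findings(ALICE, ["everyone", "ad-users"], ORG, POLICIES))  # caught by another policy
    print(sspr_findings(BOB, ["everyone"], ORG, POLICIES))                # no secondary email set
```

The second call shows the case the answer asks about: a user with a valid secondary email who falls under a higher-priority policy scoped to a different group.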
  • DonF.81354 (Customer)

    Hi! Although a bit older, see the support question "Password reset email not being sent out to users". There they recommend that you open a case with Okta so that they can see what is happening on the backend. I reviewed the article that you shared and I can confirm that is the same configuration I have, and I just tested, with success.

     

    Ensuring that box is checked for secondary email, the email authenticator is enabled for password reset, and the user has a valid secondary email are all required, but you have completed them. Interestingly, you are saying they do receive activation emails to their secondary?

     

    I hope this helps! Please let me know if I can help in any other way. Based on the information you have provided, seems like the appropriate steps have been taken from your end. Furthermore, assuming these are private emails (gmail, yahoo, etc.) an email filter like Proofpoint probably does not apply.

     

    Please let us know how your next steps go!

     

    Thanks!

  • JeremiasM.62863 (Customer)

    I tested and can confirm that when the admin sends a password reset link to the user in the Admin Console it is sent to both primary and secondary email as it should.

     

    When a user tries to reset their password they get the following page which does not allow them to select email but tells them that email is only sent to the user's primary email address (under the red marker):

    [Image: User self service password reset via email]

    I have tested the secondary email using a personal Gmail address and 2 different email addresses having different domains in our org.

     

    Our org is running Version 2023.01.1 E in the OK14 US Cell

     

    Can you confirm there is another kind of page in the end user self-service recovery via email flow that does not only show the primary email with asterisks but tells the user that email is sent to both primary and secondary email or allows the user to select which email they want it to be sent to?

     

    If we know that there should also be a different kind of UI when the self-service password reset email is sent to both primary and secondary emails it can help us confirm that the problem is not only in the backend but most likely that some parts of the functionality are not enabled for our org by Okta. I am pretty sure it is not because of configurations in the Admin Center because I have checked everything and tried different configurations with overall self-service recovery authenticators, requiring users to add a secondary email attribute to Okta UD via Profile Enrollment policies, and re-enabling the secondary email in the additional fields and so on.

     

    Due to the very limited support cases given to us as a pretty small nonprofit customer, I will open a case with Okta when it is the last option. 🙂

     

    Thank you for your help @DonF.81354 (Customer)​!

     

     

  • JeremiasM.62863 (Customer)

    Thank you for your reply. I had before tested everything according to those settings you listed. I tested again without making any changes. The emails are now also sent to the secondary address even though the self-service password recovery with email only shows the primary email with asterisks as described in the picture I posted.

     

    I am pretty sure that bug was resolved by the "Version 2023.01.2 E" update released after I last posted since that was the only change. Still thank you @DonF.81354 (Customer)! 😀

     

    For those who might face a similar problem in the future please follow the instructions in the answer marked as Best.

This question is closed.