Okta Classic Engine | Administration | Answered | 2023-06-09T16:31:10.000Z | 2023-06-01T17:31:56.000Z | 2023-06-09T16:31:10.000Z

AbhishekS.61996 (H1 Insights) asked a question.

Migrating all users with their passwords from one Okta tenant to another without having to reset passwords and set up 2FA again

Hi all,

 

We want to migrate all our users, groups and apps from a dev Okta preview tenant to a production tenant. We do not want our users to set up their passwords and 2FA again. Can we achieve this in Okta? When we import all users to a new tenant via, say, the Okta API, is there a way they won't have to set up their password and 2FA again?


  • Hello @AbhishekS.61996 (H1 Insights), thank you for reaching out to our Community!

     

    At this time this type of migration is not possible between 2 Okta environments.

    From an application perspective, they need to be recreated from scratch. As for the users, they can be created with a password through APIs, but the 2FA needs to be set up on Production again.

     

    However, you can add a Feature Request in our Ideas section, for a chance that this functionality will be added in the future.

    https://support.okta.com/help/s/ideas

     

    • AbhishekS.61996 (H1 Insights)

      Thanks, Paul, for the reply. I understood there is no way to import users with passwords and 2FA. Even through APIs, the passwords in Okta are write-only, so I don't think I can obtain the hash and salt of the passwords present in the dev Okta preview instance.

      What about Org2Org?

      If we use the "Password Sync" feature of the Org2Org app, does it only sync the passwords without the 2FA?

      • At this time there is no way to sync any 2FA that a user has set up from one org to another. The only 2FA that does not require setup and will be enabled by default would be the email factor, if it would be easier to use that.

        Selected as Best
  • NiallM.34104 (Atlas Identity)

    You can look at password migration hooks to migrate the passwords from one tenant to another. For 2FA, though, there is no route to handle that, as the keys used for 2FA are highly protected. It's not a big ask to get your users to re-enroll for 2FA, though, if you've handled the password element for them.

     

    I'm actually working on a route to migrate 2FA from tenant to tenant via a custom application.

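A sketch of the handler side of the password migration hook suggested in the reply above, added here as an example; it is not code from the thread or from Okta. It assumes the request and response shapes of Okta's password import inline hook (event type and `com.okta.action.update` command as shown); the shared secret, the sample event and `stub_verify`, which stands in for an authentication call to the source tenant, are constructed.

```python
import hmac

# Constructed placeholder: the secret Okta is configured to send in the
# Authorization header of each hook call (an assumption of this example).
HOOK_SECRET = "constructed-placeholder-secret"
EVENT_TYPE = "com.okta.user.credential.password.import"


def hook_response(result):
    """Build the hook reply; result is 'VERIFIED' or 'UNVERIFIED'."""
    return {"commands": [{"type": "com.okta.action.update",
                          "value": {"credential": result}}]}


def handle_password_import(auth_header, event, verify_in_source):
    """Return (http_status, body) for one hook call. Never logs the password."""
    supplied = (auth_header or "").encode()
    if not hmac.compare_digest(supplied, HOOK_SECRET.encode()):
        return 401, {}  # caller did not present the shared secret
    if event.get("eventType") != EVENT_TYPE:
        return 400, {}
    cred = event.get("data", {}).get("context", {}).get("credential", {})
    username, password = cred.get("username"), cred.get("password")
    if not (isinstance(username, str) and isinstance(password, str) and password):
        return 200, hook_response("UNVERIFIED")
    try:
        ok = verify_in_source(username, password) is True
    except Exception:
        ok = False  # fail closed if the source tenant cannot be reached
    return 200, hook_response("VERIFIED" if ok else "UNVERIFIED")


# Constructed stand-in for an authentication call to the source tenant.
_SOURCE_USERS = {"jane.doe@example.com": "correct horse battery staple"}


def stub_verify(username, password):
    known = _SOURCE_USERS.get(username)
    return known is not None and hmac.compare_digest(known.encode(), password.encode())


def sample_event(username, password):
    """Constructed hook request body, trimmed to the fields used here."""
    return {"eventType": EVENT_TYPE,
            "data": {"context": {"credential": {"username": username,
                                                "password": password}},
                     "action": {"credential": "UNVERIFIED"}}}
```

The handler sees each user's cleartext password once, on their first sign-in to the new tenant, so it should run over TLS only and keep the password out of logs and error reports.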
This question is closed.