ChristopheS.89009 (Customer) asked a question.
Due to Okta Fast Pass, the Active Directory password expired users or AD Expired accounts users can still access Okta, but we would like to restrict access when it happens. Is there some way to do it? At least for the password expire users, can we add the password last set attribute from the AD to Okta?
Hello @ChristopheS.89009 (Customer)​ Thank you for posting on our Community page!
As per our documentation here, this is expected behaviour when using Fast Pass:
For passwordless authentication with Fast Pass users will not be prompted for password reset. This is due to the password evaluation being done only when a password is being used to log in. Otherwise, the password will not expire if the user is not using it to log in to Okta. This was put in place as if the password would expire even if the user is only using FastPass, which will create a very disconnected authentication experience (for example, users will suddenly start questioning why they are being asked for a password reset when they have been using FastPass to log in to Okta). To ensure users update their passwords, set up an automation to notify them of the requirement to change their passwords.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
You could trigger some sort of workflow when password expires that would then revoke the fastpass enrollment. the trigger of the flow may have to come from somewhere outside of okta though because okta won't know when password expires if its an AD password
Thank you Brandon and Paul for your replies,
I will dig on this Brandon.
in an other hand I was wondering if the last password set date from the AD can be imported in Okta.
And of course Paul, we have already an email notifications about the password which need to be changed but some of the users probably don't read the IT emails 😉
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
Hello @ChristopheS.89009 (Customer)​ Thank you for posting on our Community page!
As per our documentation here, this is expected behaviour when using Fast Pass:
For passwordless authentication with Fast Pass users will not be prompted for password reset. This is due to the password evaluation being done only when a password is being used to log in. Otherwise, the password will not expire if the user is not using it to log in to Okta. This was put in place as if the password would expire even if the user is only using FastPass, which will create a very disconnected authentication experience (for example, users will suddenly start questioning why they are being asked for a password reset when they have been using FastPass to log in to Okta). To ensure users update their passwords, set up an automation to notify them of the requirement to change their passwords.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.