
TrystinB.30343 (Customer) asked a question.
Hello all,
My boss recently notified me that both he and another employee were locked out of Okta after changing their passwords this morning, saying he would get the attached banner when viewing his normal account and the other user's in his admin console.
He said both he and the other user were using their regular workstations, so no new or unknown devices were involved. He allowed unknowns on both accounts for now to get them signed in.
I had this happen with another user a while ago, but figured it was a one-off since I haven't seen it since. All affected users were migrated to AzureAD / Entra. I have also changed my password at least once since migrating myself to Entra and did not encounter this issue. I've also asked a couple of the guys on my team and they have not encountered this issue either since being on Entra.
I see this in one of the user's logs. The device they are using is their usual workstation from their usual IP. So I am unsure where Okta is misunderstanding the relationship with this user's device, unless changing their password refreshes a token on the device, making Okta think it's a new/unknown device?
Has anyone else encountered this issue with their users on Entra? As far as how integrated Okta is in our org, I'll just say logging into Teams from a new device/browser would redirect you to the Okta login page.
Thanks.

Hello @TrystinB.30343 (Customer) Thank you for posting on our Community page!
This is indeed weird behaviour and something that should not happen.
The first thing that I would recommend is to back-track the System Log and see whether the password change was detected as a new device or something else.
Additionally, I would also recommend reviewing which policy was triggered and whether a different policy may have been triggered which caused the account lockout.
Thank you for reaching out to our Community and have a great day!
What does your setup look like in terms of Azure Entra/AD and Okta? Who owns the password?
There's a possibility that the active WS-Fed is not sending the source IP context, which could lead to it being identified as a new device.
Or there's a possibility of an attack as well. Changing the password alone doesn't reset the device history in Okta.
It could be something related to either a change of network (VPN) or a morphed context in the authentication requests being interpreted as a new device.
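Both replies above come down to the same check: pull the System Log around the password change and see whether the following sign-on evaluation carries a "New Device" behavior flag even though the client context (IP, OS/browser) matches what that user looked like before the change, versus a genuinely new IP and agent, which is the attack case the second reply raises. The script below is an added example, not code from the thread or from Okta. Its events are constructed to mimic the System Log API shape (eventType, actor.alternateId, client.ipAddress, client.userAgent, outcome, and the debugContext.debugData.behaviors string); the users, IPs, timestamps and outcome reasons are invented.

```python
"""Correlate Okta System Log events around a password change.

Added example, not from the original thread or from Okta. SAMPLE_EVENTS
is constructed to mimic the System Log API output shape; every value in
it is invented. Real data would come from GET /api/v1/logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SIGN_ON_EVENTS = {"user.session.start", "policy.evaluate_sign_on", "user.account.lock"}
PASSWORD_CHANGE = "user.account.update_password"


def ev(published, event_type, user, ip, result, behaviors=None, reason=None,
       os="Windows 10", browser="CHROME"):
    """Build one constructed System Log event (invented values)."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip, "userAgent": {"os": os, "browser": browser}},
        "outcome": {"result": result, "reason": reason},
        "debugContext": {"debugData": {"behaviors": behaviors} if behaviors else {}},
    }


# Behavior strings in the format Okta writes to debugContext.debugData.behaviors.
KNOWN = "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, Velocity=NEGATIVE}"
NEW_DEV = "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, Velocity=NEGATIVE}"
NEW_DEV_IP = "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=POSITIVE, Velocity=NEGATIVE}"

# Constructed sample: boss changes password and is then denied from the same
# workstation/IP (the thread's case); jdoe changes password and is then denied
# from a new IP and a new OS/browser (the "possibility of attack" case).
SAMPLE_EVENTS = [
    ev("2024-05-07T08:55:10.000Z", "user.session.start", "boss@example.com", "203.0.113.10", "SUCCESS", KNOWN),
    ev("2024-05-07T09:01:00.000Z", PASSWORD_CHANGE, "boss@example.com", "203.0.113.10", "SUCCESS"),
    ev("2024-05-07T09:03:30.000Z", "policy.evaluate_sign_on", "boss@example.com", "203.0.113.10", "DENY",
       NEW_DEV, "Sign-on policy evaluation resulted in DENY"),
    ev("2024-05-07T11:30:00.000Z", "user.session.start", "boss@example.com", "203.0.113.10", "SUCCESS", KNOWN),
    ev("2024-05-07T09:12:05.000Z", "policy.evaluate_sign_on", "jdoe@example.com", "198.51.100.7", "DENY",
       NEW_DEV_IP, "Sign-on policy evaluation resulted in DENY", os="Mac OS X", browser="SAFARI"),
    ev("2024-05-07T08:50:00.000Z", "user.session.start", "jdoe@example.com", "203.0.113.20", "SUCCESS", KNOWN),
    ev("2024-05-07T09:10:00.000Z", PASSWORD_CHANGE, "jdoe@example.com", "203.0.113.20", "SUCCESS"),
]


def parse_behaviors(raw):
    """Parse "{New Device=POSITIVE, New IP=NEGATIVE, ...}" into a dict."""
    out = {}
    for part in (raw or "").strip().strip("{}").split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def _when(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def correlate_password_changes(events, window_minutes=60):
    """For each successful password change, report the sign-on evaluations that
    follow within the window and compare their client context with the user's
    pre-change baseline (IPs and OS/browser pairs seen in earlier sign-ons)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_when):
        by_user[e["actor"]["alternateId"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, change in enumerate(evs):
            if change["eventType"] != PASSWORD_CHANGE or change["outcome"]["result"] != "SUCCESS":
                continue
            before = [x for x in evs[:i] if x["eventType"] in SIGN_ON_EVENTS]
            known_ips = {x["client"]["ipAddress"] for x in before}
            known_agents = {(x["client"]["userAgent"]["os"], x["client"]["userAgent"]["browser"]) for x in before}
            t0 = _when(change)
            for x in evs[i + 1:]:
                if _when(x) - t0 > timedelta(minutes=window_minutes):
                    break  # events are time-sorted, so nothing later is in the window
                if x["eventType"] not in SIGN_ON_EVENTS:
                    continue
                behaviors = parse_behaviors(x["debugContext"]["debugData"].get("behaviors"))
                flagged = [k for k, v in behaviors.items() if v == "POSITIVE"]
                ip_known = x["client"]["ipAddress"] in known_ips
                agent_known = (x["client"]["userAgent"]["os"], x["client"]["userAgent"]["browser"]) in known_agents
                findings.append({
                    "user": user,
                    "event_type": x["eventType"],
                    "seconds_after_change": int((_when(x) - t0).total_seconds()),
                    "result": x["outcome"]["result"],
                    "reason": x["outcome"].get("reason"),
                    "positive_behaviors": flagged,
                    "ip_known": ip_known,
                    "agent_known": agent_known,
                    # "New Device" fired although IP and OS/browser match the baseline:
                    # the situation the original post describes, worth a support ticket.
                    "new_device_from_known_context": "New Device" in flagged and ip_known and agent_known,
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate_password_changes(SAMPLE_EVENTS), indent=2))
```

On a real tenant, replace SAMPLE_EVENTS with the JSON array returned by the System Log API (for example `GET /api/v1/logs?since=<ISO timestamp>&filter=actor.alternateId eq "user@example.com"` with an `SSWS` API token), keeping the same field names. A finding with `new_device_from_known_context` set and a DENY outcome is the evidence to hand to support; one with an unknown IP and agent is the case to treat as a possible account takeover rather than a glitch. Note that the behaviors string is only present when behavior detection is enabled on the tenant, and the baseline is only as good as the window of earlier sign-ons you pull.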