Is it recommended by Okta to set the password policy for AD-sourced user passwords to never expire?

Prepare for the Okta Administrator Certification Exam. Study with flashcards, multiple-choice questions, and detailed explanations. Enhance your skills and get ready for success!

Industry standards and best practices for password management emphasize that passwords should not be set to never expire, especially for Active Directory (AD)-sourced user passwords. Allowing passwords to never expire can pose significant security risks. A password that remains unchanged indefinitely increases the chances of unauthorized access, especially if the password is compromised or if a user's credentials are obtained through phishing or other malicious attacks.

For organizations that prioritize security, implementing a password expiration policy encourages users to change their passwords at regular intervals, thereby reducing the risk of credential compromise. Regular password updates help mitigate the impact of potential data breaches and enhance the overall security posture.

Thus, not allowing AD-sourced user passwords to have a never-expire setting aligns with recommended security practices aimed at protecting sensitive data and maintaining the integrity of user accounts.
