I need to run some tests on the password expiration emails with the client. My understanding is that the email is triggered once a day in the morning.
The sign in method uses Active Directory, and the password policy is configured based on the AD pwdLastSet attribute. This attribute cannot be changed.
Is there any way to manually trigger this password reminder notification for specific identities or to change the time at which the notification is triggered?
Based on my understanding, you’re correct. The SailPoint ISC password expiration reminder for AD accounts is tied to the pwdLastSet attribute and runs via a daily scheduled job (typically early UTC). Unfortunately:
You can’t manually trigger the native email for specific users.
The job timing is not configurable.
Since pwdLastSet is managed by AD, it cannot be manipulated for test purposes.
However, there’s a workaround used in non-AD contexts or for custom testing…
Custom Workflow Method:
Create an Identity attribute (e.g., passwordReminderFlag) using a date-based transform that flips to true when the password is about to expire.
Use an Attribute Change Workflow to trigger a custom email template (replicating the standard expiration email) when the flag turns true.
Unfortunately, there is no direct way to manually trigger password reminder notifications for specific identities or change the exact time at which the notification is triggered for Active Directory password expiration emails in Identity Security Cloud.
The password expiration notifications are automatically sent based on the configuration of the password policy associated with the Active Directory source. The system checks the last time the password was changed in Active Directory to determine when to send a reminder.
To influence when users receive password expiration reminders, you can adjust the following settings in the password policy:
Go to Admin > Password Mgmt > Policies
Select the policy associated with your Active Directory source
In the Password Expiration panel, ensure “Enable” is selected
Set the “Expiration Period” for the number of days the password will be valid before it expires
Set the “Reminder Starting” to the number of days prior to expiration to begin sending reminders
Once configured, a reminder will be sent each day within that time until the user resets their password. It’s important to note that for users to receive these notifications:
They must be registered as active users in Identity Security Cloud
Their email address must be correctly configured in the system
If you need to check when a specific user’s password was last changed:
Go to Admin > Identity Management > Identities
Find and select the name of the identity to view its details
Select Accounts and choose the Active Directory account
The “Password Last Changed” timestamp will be displayed at the top of the page under Password Details
This information can help you anticipate when a specific user might receive their next password expiration reminder based on your policy settings.
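To anticipate the reminder window when testing, the calculation described above can be scripted. This is an added example, not part of the original thread and not SailPoint code. It assumes expiry is pwdLastSet plus the Expiration Period and that reminders start Reminder Starting days before expiry; the function names and sample value are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(pwd_last_set):
    """Convert pwdLastSet to an aware UTC datetime.

    Returns None for 0, which AD uses for "must change password at next logon".
    """
    ticks = int(pwd_last_set)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def reminder_status(pwd_last_set, expiration_period, reminder_starting, now):
    """Estimate expiry date, days left and whether `now` is in the reminder window.

    Assumption: expiry = pwdLastSet + Expiration Period days, and reminders go
    out from Reminder Starting days before expiry; the service's own rounding
    may differ by a day.
    """
    changed = filetime_to_datetime(pwd_last_set)
    if changed is None:
        return {"expires": None, "days_to_expire": None, "in_window": False}
    expires = changed + timedelta(days=expiration_period)
    days_left = (expires.date() - now.astimezone(timezone.utc).date()).days
    return {
        "expires": expires,
        "days_to_expire": days_left,
        "in_window": 0 <= days_left <= reminder_starting,
    }


if __name__ == "__main__":
    # Constructed sample: pwdLastSet for 2024-01-01 00:00:00 UTC, 90-day policy,
    # reminders starting 14 days before expiry.
    sample = 133485408000000000
    for day in ("2024-03-01", "2024-03-20", "2024-04-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        status = reminder_status(sample, 90, 14, now)
        print(day, status["expires"].date(), status["days_to_expire"], status["in_window"])
```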
I am going to use the custom workflow method you suggested to perform the test. The only issue I see is that you can’t use the “daysToExpire” variable for the days count inside the workflow in the expiration email template. I will see if I can replicate it somehow.