Supported Active Directory integration features

This is where you'll find information about supported Active Directory (AD) integration features and functionality.

Data import and user authentication

This table lists the supported data import and user authentication features that are available with AD integrations.

Feature	Description
Delegated Authentication	Ability to authenticate user credentials through AD for access into Okta. Refer to Enable delegated authentication for LDAP.
Just-In-Time (JIT) Authentication	Ability to authenticate user credentials through AD for access into Okta and update group memberships and profile info before access. Refer to Add and update users with Active Directory Just-In-Time provisioning.
Instance-level Delegated Authentication	Ability to delegate authentication on a per AD-instance level to support more granular authentication scenarios. Refer to Enable delegated authentication for LDAP and Configure Active Directory provisioning settings.
Import from Directory	Ability to import user and group details from the directory into Okta. AD supports both full import (full data import) and incremental import (only import changes since last import). Refer to Configure Active Directory import and account settings.
Import filter - OU/container selection	Ability to filter users and groups by specifying an LDAP filter and selecting OUs. Refer to Configure Active Directory import and account settings.
Provision to Directory	Ability to provision user and group details down to AD. AD supports pushing users, password, and groups down to AD from Okta. Refer to Configure Active Directory provisioning settings.

This table lists the supported password policies that are available with AD integrations.

Feature	Description
Minimum Length	Refer to Sign-on policies.
Complexity Requirements	Refer to Sign-on policies.
Common Password Check	Refer to Sign-on policies.
Enforce password history for last < X > passwords	Refer to Sign-on policies.
Password expires after < X > days	Refer to Sign-on policies.
Prompt user < X > days before password expires	Refer to Sign-on policies.
Lock out user after < X > unsuccessful attempts	Refer to Sign-on policies.
Lock out user after < X number of > minutes	Refer to Sign-on policies.
Show lock out failures	Refer to Sign-on policies.
Send lock out email to user	Refer to Sign-on policies.
Password Soft Lock	Ability to lock the Okta account of AD-sourced users through password policies, without triggering a lock of the user's AD account. Refer to How does the password policy soft-lock functionality work, and Password policies.
Self-Service Password Reset	Ability to reset AD password through Okta. Refer to Manage self-service password reset.
Password Synchronization	Ability to sync AD and Okta password. Refer to Synchronize passwords from Okta to Active Directory.

This table lists the supported password reset options that are available with AD integrations.

Feature	Description
Self-service recovery options: Email	Ability to reset the password through email. Refer to About self-service registration.
Self-service recovery options: SMS	Ability to reset the password through text message. Refer to About self-service registration.
Self-service recovery options: Voice Call	Ability to reset the password through a code sent through voice call. Refer to Manage users. You can also refer to About self-service registration.
Reset, Unlock recovery emails are valid for < X > minutes	Ability to configure how long recovery email tokens are valid. Refer to About self-service registration.
Additional self-service recovery option: Secret questions	Ability to reset the password through security questions. Refer to About self-service registration.

This table lists the supported infrastructure features that are available with AD integrations.

Feature	Description
Multiple agent polling threads	Ability to increase polling threads on the agent. Increases how many requests the agent can handle per second per thread. Refer to Change the number of Okta Active Directory agent threads.