Set up Active Directory account rules

Early Access release

You can create individual account rules, shared account rules, and manage rules by editing their priority or removing them.

Before you begin

Configure individual account rule settings

If you haven't already configured this setting, a notice in a yellow banner will be visible on the Account rules page.

  1. On the Okta Privileged Access dashboard, go to Resource Administration > Resource assignment.

  2. Select the Active Directory tab, and then select the AD domain you want to configure.

  3. Click Configure settings on the notification banner.

  4. Specify the user matching criteria for exact matches. Select one or more of the following:

    • Account name

    • First and last name

    • Display name

    • Email

    • Starts with (prefix)

    • Ends with (suffix)

      You can configure multiple prefix and suffix strings alongside the other options. The configured options are combined with OR: any one of them is enough to correlate an AD account and assign it to an individual user. If several Active Directory (AD) accounts match a single user, all of them are assigned to that user, so one user can own multiple AD accounts.

Examples for Starts with and Ends with configuration

The following are examples of how you can use the Starts with and Ends with operators:

  • For naming schemes like admin.Username, you can filter by entering: Starts with = admin

  • If you have an Active Directory naming scheme such as Username-A, you can enter Ends with = -A

  • For multiple naming schemes like tier0.Username, tier1.Username, tier2.Username, you can filter by entering:

    • Starts with = tier0

    • Starts with = tier1

    • Starts with = tier2
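The correlation described above, as an added example (not Okta's code and not a description of its implementation): a small Python model that applies the enabled matching criteria with OR semantics and assigns every matching AD account to its Okta user. The separator handling, the conflict case and all sample users and accounts are assumptions constructed for the example.

```python
SEPARATORS = ".-_"   # assumption: a separator may sit between the affix and the username

def core_names(sam, prefixes, suffixes):
    # Usernames left after removing a configured Starts with / Ends with string.
    # Assumption: one adjacent separator is dropped too, so admin.jdoe -> jdoe.
    s = sam.casefold()
    for p in (p.casefold() for p in prefixes):
        if s.startswith(p) and len(s) > len(p):
            yield s[len(p):].lstrip(SEPARATORS)
    for x in (x.casefold() for x in suffixes):
        if s.endswith(x) and len(s) > len(x):
            yield s[:-len(x)].rstrip(SEPARATORS)

def correlate(accounts, users, criteria):
    # accounts: [(sAMAccountName, mail)], users: [(okta_login, email)].
    # OR semantics: any enabled criterion may link an account to a user, and every
    # matching account is assigned, so one user can own several AD accounts. An
    # account whose criteria point at different users is reported as a conflict
    # instead of being assigned (assumption; the page does not cover this case).
    by_login = {login.casefold(): login for login, _ in users}
    by_email = {email.casefold(): login for login, email in users if email}
    assigned, conflicts = {login: [] for login, _ in users}, []
    for sam, mail in accounts:
        owners = set()
        if criteria.get("account_name") and sam.casefold() in by_login:
            owners.add(by_login[sam.casefold()])
        if criteria.get("email") and mail.casefold() in by_email:
            owners.add(by_email[mail.casefold()])
        for name in core_names(sam, criteria.get("starts_with", ()), criteria.get("ends_with", ())):
            if name in by_login:
                owners.add(by_login[name])
        if len(owners) == 1:
            assigned[owners.pop()].append(sam)
        elif owners:
            conflicts.append(sam)
    return assigned, conflicts

# Constructed sample data using the naming schemes from the examples above.
USERS = [("jdoe", "jdoe@corp.example"), ("asmith", "asmith@corp.example")]
ACCOUNTS = [("jdoe", ""), ("admin.jdoe", ""), ("jdoe-A", ""), ("tier0.jdoe", ""),
            ("tier1.asmith", ""), ("svc-backup", ""), ("asmith", "asmith@corp.example"),
            ("asmith-A", "jdoe@corp.example")]   # email and suffix disagree -> conflict
CRITERIA = {"account_name": True, "email": True,
            "starts_with": ["admin", "tier0", "tier1", "tier2"], "ends_with": ["-A"]}

def demo():
    return correlate(ACCOUNTS, USERS, CRITERIA)
```

Running demo() shows jdoe owning four AD accounts through three different criteria, while svc-backup stays unassigned because no criterion links it to any user.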

Create an individual account rule

You can create multiple rules for an Active Directory (AD) domain. Each rule specifies whether it's mapping a shared or individual account, the organizational unit (OU) under which the rule is defined, and the resource group and project to which the accounts will be assigned.

You must configure the individual account rule setting to create an individual account rule. Individual account rules are disabled until the individual account rule settings are configured.

  1. On the Okta Privileged Access dashboard, go to Resource Administration Resource assignment.

  2. Select the Active Directory tab, and then select the AD domain you want to configure.

  3. Select the Account rules tab.

  4. Click Create account rule > Individual, and then complete the following steps:

    Setting | Action

    Rule type

    Select a Rule type.

    Rule name

    Enter a Rule name.

    Settings

    Complete the following configuration:

    • Keep discovered accounts as existing Okta users

      When this feature is enabled, Okta Privileged Access manages passwords for any AD account discovered by this rule, ensuring the linked Okta user remains active. This secures the Okta account password under Okta Privileged Access and indirectly rotates the AD password by rotating the Okta user's password linked to it.

      To use this feature, password synchronization from Okta to AD must be enabled in the Okta Admin Console for the AD integration. This is an essential prerequisite, and Okta admins must have one of the following settings configured:

    • Rotate password upon discovery

      Under Settings, the Rotate password upon discovery feature is enabled by default. Clear the checkbox to disable it. Disabling it brings the AD accounts into Okta Privileged Access in an unmanaged state: users can't reveal the passwords for these accounts until the password has been rotated at least once. Security admins should create security policies using Active Directory (AD) rules that grant the password rotation permission for these accounts, so that users with that privilege can change the account passwords when they are ready.

    Organizational unit

    Complete the following steps:

    1. Include all accounts in OU by specifying an organizational unit. For example: ou=AdminAccounts,ou=Privileged,dc=corp,dc=atko,dc=biz

    2. Optional. You can Define accounts using conditions. These enhanced filters become available only when the Keep discovered accounts as existing Okta users option is selected in the previous step. Per OU, an account is matched only if all conditions are met.

      You can set up the following filter types:

      • Account Name: This filter allows you to filter accounts within an Organizational Unit (OU) based on their User Principal Name (UPN) or sAMAccountName. If there are multiple filters in a rule, the account must match all filters.

        The following operators are supported: STARTS_WITH, ENDS_WITH, CONTAINS, EQUALS. You can create one or more filters, but each supported operator can be used only once per OU.

      • Okta Group: This filter allows you to filter accounts based on their membership in a specified Okta group. Only the EQUALS operator is supported.

      For more information on using the filters correctly, see the section on Prioritizing and ordering rules for Active Directory OUs.

    3. Optional. Click Add another input to add another OU.

    Resource group

    Select a Resource group.

    Project

    Select a Project.

If there is more than one rule, a new rule gets the lowest priority. To change the priority, see Edit rule priority.
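The per-OU conditions described in the Organizational unit step, as an added example (not Okta's code): a Python model that validates one OU's condition list (each Account Name operator at most once per OU, Okta Group with EQUALS only) and then applies the conditions with AND semantics. Checking a name condition against either the UPN or the sAMAccountName, the okta_groups field and the sample accounts are assumptions constructed for the example.

```python
ACCOUNT_NAME_OPS = ("STARTS_WITH", "ENDS_WITH", "CONTAINS", "EQUALS")

def validate_ou_conditions(conditions):
    # Problems found in one OU's condition list; an empty list means it is valid.
    problems, seen = [], set()
    for kind, op, value in conditions:
        if kind == "ACCOUNT_NAME":
            if op not in ACCOUNT_NAME_OPS:
                problems.append(f"unsupported Account Name operator {op}")
            elif op in seen:
                problems.append(f"operator {op} used more than once in this OU")
            seen.add(op)
        elif kind == "OKTA_GROUP" and op != "EQUALS":
            problems.append(f"Okta Group supports only EQUALS, got {op}")
        elif kind not in ("ACCOUNT_NAME", "OKTA_GROUP"):
            problems.append(f"unknown condition type {kind}")
    return problems

def name_matches(op, value, name):
    name, value = name.casefold(), value.casefold()
    return {"STARTS_WITH": name.startswith(value), "ENDS_WITH": name.endswith(value),
            "CONTAINS": value in name, "EQUALS": name == value}[op]

def account_matches(acct, conditions):
    # AND semantics: every condition must hold. A name condition is checked against
    # the UPN and the sAMAccountName (assumption: either identifier may satisfy it);
    # the group condition is checked against the linked Okta user's groups.
    for kind, op, value in conditions:
        if kind == "ACCOUNT_NAME" and not (name_matches(op, value, acct["sam"])
                                           or name_matches(op, value, acct["upn"])):
            return False
        if kind == "OKTA_GROUP" and value not in acct["okta_groups"]:
            return False
    return True

# Constructed sample: accounts under ou=AdminAccounts,ou=Privileged,dc=corp,dc=atko,dc=biz
# evaluated against one rule with three conditions.
CONDITIONS = [("ACCOUNT_NAME", "STARTS_WITH", "admin"), ("ACCOUNT_NAME", "ENDS_WITH", "-A"),
              ("OKTA_GROUP", "EQUALS", "Tier0-Admins")]
ACCOUNTS = [
    {"sam": "admin.jdoe-A", "upn": "admin.jdoe-A@corp.atko.biz", "okta_groups": {"Tier0-Admins"}},
    {"sam": "admin.asmith", "upn": "admin.asmith@corp.atko.biz", "okta_groups": {"Tier0-Admins"}},  # no -A
    {"sam": "admin.bchen-A", "upn": "admin.bchen-A@corp.atko.biz", "okta_groups": set()},  # not in group
]

def select_accounts(accounts=ACCOUNTS, conditions=CONDITIONS):
    # Reject an invalid rule before evaluating any account, then keep the matches.
    problems = validate_ou_conditions(conditions)
    if problems:
        raise ValueError("; ".join(problems))
    return [a["sam"] for a in accounts if account_matches(a, conditions)]
```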

Create a shared account rule

Create shared account rules to manage accounts that multiple people use.

  1. On the Okta Privileged Access dashboard, go to Resource Administration > Resource Management.

  2. Select the Active Directory tab, and then select the AD domain you want to configure.

  3. Select the Account rules tab.

  4. Click Create account rule > Shared, and then complete the following steps:

    Setting | Action

    Rule type

    Select a Rule type.

    Rule name

    Enter a Rule name.

    Settings

    Complete the following configuration:

    • Keep discovered accounts as existing Okta users

      When this feature is enabled, Okta Privileged Access manages passwords for any AD account discovered by this rule, ensuring the linked Okta user remains active. This secures the Okta account password under Okta Privileged Access and indirectly rotates the AD password by rotating the Okta user's password linked to it.

      To use this feature, password synchronization from Okta to AD must be enabled in the Okta Admin Console for the AD integration. This is an essential prerequisite, and Okta admins must have one of the following settings configured:

    • Rotate password upon discovery

      Under Settings, the Rotate password upon discovery feature is enabled by default. Clear the checkbox to disable it. Disabling it brings the AD accounts into Okta Privileged Access in an unmanaged state: users can't reveal the passwords for these accounts until the password has been rotated at least once. Security admins should create security policies using Active Directory (AD) rules that grant the password rotation permission for these accounts, so that users with that privilege can change the account passwords when they are ready.

    Organizational unit

    Complete the following steps:

    1. Include all accounts in OU by specifying an organizational unit. For example: ou=AdminAccounts,ou=Privileged,dc=corp,dc=atko,dc=biz

    2. Optional. You can Define accounts using conditions. These enhanced filters become available only when the Keep discovered accounts as existing Okta users option is selected in the previous step. Per OU, an account is matched only if all conditions are met.

      You can set up the following filter types:

      • Account Name: This filter allows you to filter accounts within an Organizational Unit (OU) based on their User Principal Name (UPN) or sAMAccountName. If there are multiple filters in a rule, the account must match all filters.

        The following operators are supported: STARTS_WITH, ENDS_WITH, CONTAINS, EQUALS. You can create one or more filters, but each supported operator can be used only once per OU.

      • Okta Group: This filter allows you to filter accounts based on their membership in a specified Okta group. Only the EQUALS operator is supported.

      For more information on using the filters correctly, see the section on Prioritizing and ordering rules for Active Directory OUs.

    3. Optional. Click Add another input to add another OU.

    Resource group

    Select a Resource group.

    Project

    Select a Project.

If there is more than one rule, a new rule gets the lowest priority. To change the priority, see Edit rule priority.

Edit rule priority

If there is more than one rule, every new rule is added with the lowest priority. You can change the priority of a rule by editing the priority.

  1. On the Okta Privileged Access dashboard, go to Resource Administration > Resource assignment.

  2. Select the Active Directory tab, and then select the AD domain you want to configure.

  3. Select the Account rules tab.

  4. Click Edit priority.

  5. Drag and drop a rule to prioritize it, or click the overflow menu and select one of the available options to move the rule's priority up or down.

  6. Click Save priority.

Stop managing AD accounts

To remove an AD account from Okta Privileged Access, you must remove the account rule.

  1. On the Okta Privileged Access dashboard, go to Resource Administration > Resource assignment.

  2. Select the Active Directory tab, and then select the AD domain you want to configure.

  3. Select the Account rules tab.

  4. Find the rule that targets that account's OU, and then delete it.

Related topics

Active Directory account rules

Resource assignment

Projects

Security policy

Okta Privileged Access user guide