Requirements and limitations
Early Access release
Review the following information before you use Okta Privileged Access to manage your Active Directory (AD) accounts:
- Contact Okta customer support to enable this feature.
- You must have an AD agent running on your target domain. See Install the Okta Active Directory agent. In the Connect an organizational unit to Okta section, select the organizational units (OUs) that contain the privileged AD accounts. If a rule targets an OU that isn't selected in the Okta Admin Console, it has no effect.
- Grant the Okta AD agent service account permission to change passwords for privileged AD accounts. See Grant Okta Active Directory (AD) agent password management permissions.
- Privileged AD accounts must be in OUs that contain only privileged AD accounts. These OUs shouldn't include standard user accounts or any accounts not intended for management by Okta Privileged Access. If privileged AD accounts are in the same OU as standard user accounts, move them to a separate OU before Okta Privileged Access can manage them.
- Okta admins should collaborate with Okta Privileged Access admins to ensure that the OUs that contain privileged AD accounts are selected accurately in the Admin Console and are configured with the appropriate management rules in Okta Privileged Access.
- Okta recommends deactivating the AD domain in Okta Privileged Access before an Okta admin deletes the app integration from the Okta Admin Console. Deactivating or deleting the Okta app removes all entries from Okta Privileged Access.
- Delegated authentication with managed accounts is not currently supported.
- The Okta AD agent performs password reset operations and should run on high-performance hosts that are well connected to Active Directory domain controllers. See AD agent host requirements.
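The two requirements above that are easiest to get wrong are the OU content rule (only privileged accounts in a managed OU) and the scope of the password-management delegation. The following PowerShell audit is an added example, not Okta's code or part of this documentation. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the OU distinguished names, the group name used to define "privileged", and the agent service account name are placeholders to replace. It flags user objects in a managed OU that are not members of the privileged group, confirms that the service account holds the Reset Password extended right on each OU, and reports if that right is also granted at the domain root, which would extend it to every account rather than just the privileged OUs.

```powershell
# Added example (not Okta's code): audit the OUs that Okta Privileged Access will manage.
# Placeholders to replace for your environment:
$PrivilegedOUs   = @('OU=PrivilegedAccounts,DC=example,DC=com')   # OUs selected in the Admin Console
$PrivilegedGroup = 'OPA-Managed-Accounts'                          # group whose members are "privileged"
$AgentAccount    = 'svc-okta-adagent'                              # Okta AD agent service account

Import-Module ActiveDirectory

# Well-known schema GUID for the "Reset Password" control access right.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domain   = Get-ADDomain
$agentNt  = "$($domain.NetBIOSName)\$AgentAccount"
$privilegedMembers = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Returns the Allow ACEs on $dn that give $principal Reset Password (or the GenericAll superset).
function Get-ResetPasswordAce {
    param([string]$dn, [string]$principal)
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (
            ($_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
             ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [Guid]::Empty)) -or
            $_.ActiveDirectoryRights.HasFlag($GenericAll)
        )
    }
}

foreach ($ou in $PrivilegedOUs) {
    Write-Host "== $ou =="

    # Check 1: the OU must contain only privileged accounts. Any user object that is not a
    # member of the privileged group has to be moved out before management is enabled.
    $strays = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
        Where-Object { $privilegedMembers -notcontains $_.SamAccountName }
    if ($strays) {
        Write-Warning "Non-privileged user objects in $ou (move them to a separate OU first):"
        $strays | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
    } else {
        Write-Host "OK: every user object in the OU is a member of $PrivilegedGroup"
    }

    # Check 2: the agent service account needs Reset Password on this OU's user objects.
    if (Get-ResetPasswordAce -dn $ou -principal $agentNt) {
        Write-Host "OK: $agentNt holds Reset Password (or a superset) on $ou"
    } else {
        Write-Warning "$agentNt has no Reset Password ACE on $ou; delegate it on this OU"
    }
}

# Check 3 (least privilege): the delegation should stop at the privileged OUs. An ACE at the
# domain root would let the service account reset every user's password.
if (Get-ResetPasswordAce -dn $domain.DistinguishedName -principal $agentNt) {
    Write-Warning "$agentNt holds Reset Password at the domain root; narrow it to the privileged OUs"
} else {
    Write-Host "OK: no Reset Password ACE for $agentNt at the domain root"
}
```

Run it from an account that can read the ACLs of the OUs in question. Membership in a single group is only one way to define "privileged"; if your convention is a naming prefix or an attribute, change the filter in Check 1 accordingly, but keep the check itself, since a standard account left in a managed OU is exactly the situation the requirement above rules out.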
AD agent host requirements
- Review the network port requirements for AD agent host communication with domain controllers. See Configure DMZ server ports for Active Directory integrations.
- Ensure that AD agent hosts are sized correctly. AD agent hosts should have at minimum 2 CPU and 8 GB of RAM and should be connected to domain controllers over high-speed networking.
- Ensure that there are enough AD agent hosts for the environment type and size. Production environments should have multiple AD agents for high availability and disaster recovery.
  - AD Agent is the minimum
  - AD Agent is recommended for multi-user environments
  - AD Agents+: if there are more than 30,000 users, deploy a minimum of three AD agents
- Consider increasing the number of polling threads. See Change the number of Okta Active Directory agent threads.
- The AD agent should run on a supported OS.
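As an added example (not Okta's code or part of this documentation), the following PowerShell preflight checks a prospective agent host against the sizing guidance above and measures its connectivity to every domain controller in the domain. It assumes it is run on the domain-joined candidate host with the RSAT ActiveDirectory module installed. The page refers you to the DMZ port list rather than stating it, so the ports probed here (LDAP 389 and LDAPS 636) and the round-trip threshold are assumptions of this example, not Okta's requirements.

```powershell
# Added example (not Okta's code): preflight an AD agent host against the sizing guidance.
$MinCpu     = 2      # from the page: minimum 2 CPU
$MinRamGB   = 8      # from the page: minimum 8 GB RAM
$MaxRttMs   = 20     # assumed threshold for "well connected"; tune for your environment
$ProbePorts = 389, 636   # assumed sample of the DMZ port list (LDAP, LDAPS)

Import-Module ActiveDirectory

$cs    = Get-CimInstance Win32_ComputerSystem
$os    = Get-CimInstance Win32_OperatingSystem
$cpu   = $cs.NumberOfLogicalProcessors
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

Write-Host ("Host: {0}  OS: {1} ({2})" -f $cs.Name, $os.Caption, $os.Version)
Write-Host ("Logical CPUs: {0} (min {1})  RAM: {2} GB (min {3})" -f $cpu, $MinCpu, $ramGB, $MinRamGB)
if ($cpu -lt $MinCpu -or $ramGB -lt $MinRamGB) {
    Write-Warning "Host is below the minimum sizing for an AD agent"
}

# For each domain controller: ICMP round-trip time and TCP reachability on the sample ports.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $ping = Test-NetConnection -ComputerName $dc.HostName -WarningAction SilentlyContinue
    $rtt  = if ($ping.PingSucceeded) { $ping.PingReplyDetails.RoundtripTime } else { $null }
    $open = foreach ($port in $ProbePorts) {
        if (Test-NetConnection -ComputerName $dc.HostName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue) { $port }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        RttMs            = $rtt
        OpenPorts        = ($open -join ',')
        Status           = if ($null -eq $rtt) { 'UNREACHABLE' }
                           elseif ($rtt -gt $MaxRttMs) { 'SLOW' }
                           elseif ($open.Count -lt $ProbePorts.Count) { 'PORTS BLOCKED' }
                           else { 'OK' }
    }
}
$results | Format-Table -AutoSize

$bad = $results | Where-Object Status -ne 'OK'
if ($bad) { Write-Warning ("{0} domain controller(s) failed the connectivity check" -f $bad.Count) }
```

Run it on each candidate host before installing the agent. A host that passes sizing but shows SLOW or PORTS BLOCKED against the controllers it will talk to is the case the "well connected" requirement is warning about, and is better fixed at the network layer than by adding polling threads.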
Related topics
Set up Active Directory domains