Enable Okta-mastered user Organizational Unit updates

When you enable Okta-mastered user Organizational Unit (OU) updates, the user's OU in Active Directory (AD) is automatically updated when the user moves from one Okta group to another. This functionality applies only to Okta-mastered and HR-mastered users in groups associated with AD instances. AD must not be the Profile Master for these users, because the OU value flows from Okta to AD, not the other way.

If an existing Okta-mastered or HR-mastered user changes groups, the user's AD OU is not updated unless you enable Update OU. For example, a user who is a member of the Sales group is promoted and moves to the Marketing group. With Update OU enabled, the OU configured for the Marketing group's AD assignment is applied to the user in Okta and the change is pushed to AD, moving the user object into that OU. Because an OU is the scope at which Group Policy and delegated administration apply, moving a user between OUs also changes which policies and which delegated administrators govern that account, so review the OU assigned to each provisioning group before enabling this setting.

Note: Provisioning flows in one direction, from Okta to AD. If the OU is changed directly in AD, the change is not reflected in Okta, and the next time Okta pushes updates to AD the AD change is overwritten with the Okta-mastered value. Treat Okta's group-to-OU assignments, not AD, as the record of where a provisioned user should live.

Enable Organizational Unit updates

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Click an Active Directory (AD) instance.
  3. Click the Settings tab and scroll to Update User Attributes.
  4. Select Update OU when the group that provisions a user to AD changes.

View users and groups associated with an Active Directory instance

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Click an Active Directory (AD) instance.
  3. Click the Assignments tab.
  4. Optional. To view only the people or groups associated with an AD instance, click People or Groups in the FILTERS list.

Remove a group from Active Directory provisioning

When you remove an AD group from provisioning, Okta identifies the next-highest-priority AD group that still provisions each affected user. If that group has a different Organizational Unit (OU) assigned to it than the group you removed, Okta updates the users to the new OU and pushes the move to AD. Check the priority order and OU of the remaining groups first, so that users are not silently moved into an OU with different Group Policy or delegation scope.

  1. On the Okta Admin Console, click Directory > Groups.
  2. Click a group name.
  3. Click Manage Directories.
  4. In the Members list, click an AD directory.
  5. Click Next and then Confirm Changes.
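After enabling Update OU, or after removing a group from AD provisioning, you will want to confirm that each affected user actually landed in the OU that Okta should have pushed. The following PowerShell script is an added example, not part of Okta's documentation or product; it compares the OU configured for each user's current provisioning group against the user's real container in AD and reports drift. The group-to-OU mapping, the user list, the org URL, the API token and the group ID are all assumptions you replace with your own values; the Okta call uses the documented List Group Users endpoint (GET /api/v1/groups/{groupId}/users).

```powershell
# Added example (not Okta's own code): verify that Okta-provisioned users sit in the
# AD OU that their current Okta group assigns. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory

# Constructed mapping: Okta group name -> OU DN configured in that group's Manage Directories
# settings. Read the real values from the Admin Console; these are placeholders.
$ExpectedOuByGroup = @{
    'Sales'     = 'OU=Sales,OU=Staff,DC=corp,DC=example'
    'Marketing' = 'OU=Marketing,OU=Staff,DC=corp,DC=example'
}

# Constructed input: AD sAMAccountName -> Okta group that currently provisions the user.
# 'jdoe' is the Sales -> Marketing promotion from the text and should now be in the Marketing OU.
$CurrentGroupByUser = @{
    'jdoe'   = 'Marketing'
    'asmith' = 'Sales'
}

function Get-ParentOu {
    # Drop the leading RDN (CN=...) from a DN to get the container. The lookbehind keeps
    # escaped commas inside the CN (e.g. "CN=Doe\, John") from being treated as separators.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Test-OktaOuPlacement {
    # For each user, compare the OU Okta should have pushed with the OU the object is in.
    # 'Drift' means AD disagrees with Okta; Okta will overwrite it on the next push, so
    # fix the group assignment in Okta rather than moving the object in AD.
    param(
        [Parameter(Mandatory)][hashtable]$GroupByUser,
        [Parameter(Mandatory)][hashtable]$OuByGroup
    )
    foreach ($sam in $GroupByUser.Keys) {
        $group    = $GroupByUser[$sam]
        $expected = $OuByGroup[$group]
        $adUser   = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
        if (-not $adUser) {
            [pscustomobject]@{ User = $sam; Group = $group; Status = 'MissingInAD'; ExpectedOU = $expected; ActualOU = $null }
            continue
        }
        $actual = Get-ParentOu -DistinguishedName $adUser.DistinguishedName
        # String -eq is case-insensitive in PowerShell, which matches how AD treats DNs.
        $status = if ($actual -eq $expected) { 'OK' } else { 'Drift' }
        [pscustomobject]@{ User = $sam; Group = $group; Status = $status; ExpectedOU = $expected; ActualOU = $actual }
    }
}

function Get-OktaGroupMemberLogins {
    # Optional: pull the current members of an Okta group so the user list above can be
    # built from Okta instead of typed by hand. OrgUrl, ApiToken and GroupId are assumed
    # inputs; the token is an Okta API token sent as an SSWS Authorization header.
    param(
        [Parameter(Mandatory)][string]$OrgUrl,
        [Parameter(Mandatory)][string]$ApiToken,
        [Parameter(Mandatory)][string]$GroupId
    )
    $headers = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json' }
    Invoke-RestMethod -Uri "$OrgUrl/api/v1/groups/$GroupId/users?limit=200" -Headers $headers |
        ForEach-Object { $_.profile.login }
}

Test-OktaOuPlacement -GroupByUser $CurrentGroupByUser -OuByGroup $ExpectedOuByGroup |
    Format-Table -AutoSize
```

Run it from a host with the ActiveDirectory module and line of sight to a domain controller. Any row marked Drift is a user whose AD container disagrees with Okta; since Okta overwrites AD on the next push, correct the user's Okta group membership (or the group's OU assignment) rather than moving the object in AD. If you use Get-OktaGroupMemberLogins, map the returned Okta login to sAMAccountName according to your own AD attribute mapping, and add Link-header pagination for groups larger than the page limit.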

Related topics

Install and configure the Okta Active Directory agent