Make Active Directory the Profile Master

Profile mastering is enabled by default when you install the Okta Active Directory (AD) agent. Profile mastering makes AD the identity authority for connected users. When profile mastering is enabled, you cannot edit user profiles in Okta, and all changes made in AD are synchronized to Okta during provisioning events.

If you disable AD as the profile master, changes made in AD are not pushed to Okta. To push passwords to AD, you can enable Sync Password and disable Delegated Authentication. Users are assigned an Okta password and subsequent password changes are pushed to AD.

Set the lifecycle settings to define what happens when a user is deactivated in AD. The user can be deactivated, suspended, or remain an active user in Okta. Only the highest priority profile master for an Okta user can deactivate or suspend that user. To verify the highest priority profile master, review the Profile Masters page.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click Active Directory.
  3. Click the Provisioning tab and select To Okta in the SETTINGS list.
  4. Scroll down to Profile & Lifecycle Mastering and click Edit.
  5. Select the Allow Active Directory to master Okta users check box.
  6. Optional. Select an option for When a user is deactivated in the app:
    • Do Nothing: Prevents activity in the app from controlling the user life cycle. This still allows profile master control of attributes and mappings.
    • Deactivate Okta user: This default setting allows the user to be automatically deactivated when deactivated in the target app.
    • Suspend Okta user: This setting allows the user to be automatically suspended when deactivated in the target app.
  7. Optional. Select an option for When a user is reactivated in the app:
    • Reactivate suspended Okta users: Allows an admin to choose if a suspended Okta user should be reactivated when they have been reactivated in the app.
    • Reactivate deactivated Okta users: Allows an admin to choose if a deactivated Okta user should be reactivated when they have been reactivated in the app.
  8. Click Save.
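
After saving, you can confirm that accounts disabled in AD ended up in the Okta state that the chosen deactivation option implies. The following is an added example, not Okta code: the record shapes, the setting labels, matching on userPrincipalName, and the sample data are assumptions constructed for illustration.

```python
# Added example: reconcile an AD export with an Okta user export.
# Assumptions: record shapes, the setting labels, and matching on
# userPrincipalName == Okta login are hypothetical; sample data is constructed.

ACCOUNTDISABLE = 0x0002  # AD userAccountControl flag for a disabled account

# Okta status expected after AD deactivation, per "When a user is deactivated in the app"
EXPECTED_STATUS = {
    "DO_NOTHING": None,             # lifecycle not controlled by AD
    "DEACTIVATE": "DEPROVISIONED",  # Okta's status name for a deactivated user
    "SUSPEND": "SUSPENDED",
}

def lifecycle_findings(ad_users, okta_users, setting):
    """Return (login, okta_status, finding) for each disabled AD account worth review."""
    expected = EXPECTED_STATUS[setting]  # KeyError on an unknown setting
    okta_by_login = {u["login"].lower(): u["status"] for u in okta_users}
    findings = []
    for ad in ad_users:
        if not ad["userAccountControl"] & ACCOUNTDISABLE:
            continue  # enabled in AD, nothing to reconcile
        login = ad["userPrincipalName"].lower()
        status = okta_by_login.get(login)
        if status is None:
            findings.append((login, None, "no matching Okta user"))
        elif expected is None:
            # Do Nothing: list accounts that remain usable in Okta
            if status not in ("SUSPENDED", "DEPROVISIONED"):
                findings.append((login, status, "retained by Do Nothing"))
        elif status != expected:
            # e.g. import not yet run, or AD is not the highest priority profile master
            findings.append((login, status, f"expected {expected}"))
    return findings

# Constructed sample data
AD_USERS = [
    {"userPrincipalName": "alice@example.com", "userAccountControl": 0x200},
    {"userPrincipalName": "Bob@example.com", "userAccountControl": 0x202},
    {"userPrincipalName": "carol@example.com", "userAccountControl": 0x202},
    {"userPrincipalName": "dave@example.com", "userAccountControl": 0x202},
]
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob@example.com", "status": "ACTIVE"},
    {"login": "carol@example.com", "status": "DEPROVISIONED"},
]

if __name__ == "__main__":
    for row in lifecycle_findings(AD_USERS, OKTA_USERS, "DEACTIVATE"):
        print(row)
```

A finding under Deactivate or Suspend is a prompt to check the Profile Masters page, because only the highest priority profile master can deactivate or suspend the user.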