Enable AD as the Profile Master


Enabled by default, profile mastering makes Active Directory the identity authority for connected users. When enabled, user profiles are not editable in Okta, and all profile changes are synced to Okta during provisioning events. AD defaults as a profile master, but you can disable this option to have AD treated as a normal application.

A profile master is an application (usually a directory service such as Active Directory, or a human capital management system such as Workday) that acts as the source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer-grained control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering.

If you disable AD as the profile master, user updates performed in AD are not pushed back to the user in Okta. For example, if you change a user's name in AD, the name change is not pushed to the Okta user account. In addition, you cannot reset a user's AD password in Okta because their credentials are still managed by AD. You can, however, enable the Sync Password option to push passwords to Active Directory and disable Delegated Authentication. Your users will then have an Okta-managed password, and any subsequent password updates are pushed to AD.
