This is an Early Access feature. To enable it, please contact Okta Support.

Early Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves.

Set AD as the identity master (Profile Master)


Enabled by default, profile mastering makes Active Directory the identity authority for connected users. When enabled, user profiles are not editable in Okta and all changes are synced to Okta during provisioning events. AD defaults as a profile master, but you can disable this option to have AD treated as a normal application.

Users: In Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control.

Profile master: A profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see Using the Okta People Page.

If you disable AD as the profile master, user updates performed in AD are not pushed back to the user in Okta. For example, if you change a user's name in AD, the name change is not pushed to the Okta user account. In addition, you cannot reset a user's AD password in Okta because their credentials are still being managed by AD. You can, however, enable the Sync Password option to push passwords to Active Directory and disable Delegated Authentication. Your users will have their delegated Okta password, but any subsequent password updates are pushed to AD.
