Make Active Directory the Profile Master

Profile mastering is enabled by default when you install the Okta Active Directory (AD) agent. Mastering is a more sophisticated version of reading (importing) users: it defines the flow and maintenance of user-object attributes and their lifecycle state. When a profile is mastered from a given resource (an application or a directory), the Okta user profile's attributes and lifecycle state are derived exclusively from that resource. An Okta user mastered by AD (or by an HR system) still has an Okta profile, but neither the end user nor an Okta admin can edit that profile in Okta; it takes its information only from AD. If the user's lifecycle state in AD changes to Disabled, the linked Okta user switches to the corresponding Okta state (Deactivated, by default) on the next read (import). Profile mastering therefore makes AD the identity authority for connected users: while it is enabled, you cannot edit mastered user profiles in Okta, and all changes are synchronized from AD to Okta during provisioning events such as imports.

A profile master is the application or directory (usually a directory service such as AD, or an HR system such as Workday) that acts as the source of truth for a user's profile attributes; a user can be mastered by only one application or directory at a time. If you disable AD as the profile master, changes made in AD are no longer pushed to Okta. To push passwords in the other direction, from Okta to AD, enable Sync Password and disable Delegated Authentication: users are then assigned an Okta password, and subsequent password changes are pushed to AD.

Set the lifecycle settings to define what happens when a user is deactivated in AD: the linked Okta user can be deactivated, suspended, or left active. The change is applied on the next import, so there is a window between the AD change and the Okta change. Only the highest priority profile master for an Okta user can deactivate or suspend that user; to verify which master has the highest priority, review the Profile Masters page.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Click Active Directory.
  3. Click the Settings tab and scroll to Profile Master.
  4. Select Enable.
  5. Optional. Select what should happen to the Okta user when the AD user is deactivated in the app:

  • Do Nothing: Prevents activity in the app from controlling the user lifecycle; the profile master still controls attributes and mappings. With this setting, disabling a user in AD does not remove that user's access to Okta, so make sure another process deactivates or suspends the Okta user.
  • Deactivate Okta user: The default. The Okta user is automatically deactivated when the user is deactivated in the target app.
  • Suspend Okta user: The Okta user is automatically suspended when the user is deactivated in the target app.

  6. Optional. Select what should happen to the Okta user when the AD user is reactivated in the app:
  • Reactivate suspended users: A suspended Okta user is reactivated when the user is reactivated in the app.
  • Reactivate deactivated users: A deactivated Okta user is reactivated when the user is reactivated in the app.
  7. Scroll down and click Save Settings.
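Because the AD-to-Okta lifecycle change only lands on the next import, and Do Nothing never applies it at all, it is worth checking periodically that every account disabled in AD has actually reached the Okta state the setting calls for. The script below is an added example, not Okta's or Microsoft's code. It runs entirely on constructed sample records: in practice the AD side would come from an export such as Get-ADUser (the userAccountControl attribute, where bit 0x2 is ACCOUNTDISABLE) and the Okta side from the Okta Users API (the user object's status field), and it assumes that the Okta login equals the AD userPrincipalName, which is the usual mapping but not guaranteed in every tenant.

```python
"""Reconcile AD account state against Okta lifecycle state.

Added example. SAMPLE_AD and SAMPLE_OKTA are constructed records standing in
for an AD export and the Okta user list; nothing here contacts a directory
or an Okta tenant.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE in Active Directory.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Okta lifecycle statuses as returned in the user object's "status" field.
ACTIVE, SUSPENDED, DEPROVISIONED = "ACTIVE", "SUSPENDED", "DEPROVISIONED"

# The three Profile Master settings for "when the AD user is deactivated".
DO_NOTHING, DEACTIVATE, SUSPEND = "do_nothing", "deactivate", "suspend"


@dataclass(frozen=True)
class ADUser:
    user_principal_name: str
    user_account_control: int

    @property
    def disabled(self) -> bool:
        return bool(self.user_account_control & ACCOUNTDISABLE)


@dataclass(frozen=True)
class OktaUser:
    login: str
    status: str


def expected_status(ad_disabled: bool, setting: str) -> Optional[str]:
    """Okta status the Profile Master setting implies for a given AD state.

    Returns None when the setting makes no demand: the account is still
    enabled in AD, or the setting is Do Nothing.
    """
    if not ad_disabled or setting == DO_NOTHING:
        return None
    if setting == DEACTIVATE:
        return DEPROVISIONED
    if setting == SUSPEND:
        return SUSPENDED
    raise ValueError(f"unknown setting {setting!r}")


def find_drift(ad_users: List[ADUser], okta_users: List[OktaUser],
               setting: str) -> List[Tuple[str, str, str]]:
    """(login, actual Okta status, expected status) for every AD-disabled user
    whose linked Okta account is not in the state the setting calls for."""
    # Assumption: Okta login == AD userPrincipalName (compared case-insensitively).
    okta_by_login = {u.login.lower(): u for u in okta_users}
    drift = []
    for ad in ad_users:
        want = expected_status(ad.disabled, setting)
        if want is None:
            continue
        okta = okta_by_login.get(ad.user_principal_name.lower())
        if okta is None:
            continue  # not linked to an Okta user; mastering changes nothing
        if okta.status != want:
            drift.append((okta.login, okta.status, want))
    return drift


def residual_access(ad_users: List[ADUser], okta_users: List[OktaUser]) -> List[str]:
    """Logins disabled in AD but still ACTIVE in Okta, whatever the setting.

    This is the list Do Nothing leaves behind permanently, and the list the
    other two settings leave behind until the next import runs.
    """
    okta_by_login = {u.login.lower(): u for u in okta_users}
    return [
        ad.user_principal_name
        for ad in ad_users
        if ad.disabled
        and (okta := okta_by_login.get(ad.user_principal_name.lower())) is not None
        and okta.status == ACTIVE
    ]


# Constructed sample data (not from any real directory or tenant).
SAMPLE_AD = [
    ADUser("alice@example.com", NORMAL_ACCOUNT),                   # enabled
    ADUser("bob@example.com", NORMAL_ACCOUNT | ACCOUNTDISABLE),    # disabled, import not yet run
    ADUser("carol@example.com", NORMAL_ACCOUNT | ACCOUNTDISABLE),  # disabled, already deprovisioned
    ADUser("dave@example.com", NORMAL_ACCOUNT | ACCOUNTDISABLE),   # disabled, suspended in Okta
]
SAMPLE_OKTA = [
    OktaUser("alice@example.com", ACTIVE),
    OktaUser("bob@example.com", ACTIVE),
    OktaUser("carol@example.com", DEPROVISIONED),
    OktaUser("dave@example.com", SUSPENDED),
]

if __name__ == "__main__":
    for setting in (DO_NOTHING, DEACTIVATE, SUSPEND):
        print(setting, "drift:", find_drift(SAMPLE_AD, SAMPLE_OKTA, setting))
    print("disabled in AD but still ACTIVE in Okta:", residual_access(SAMPLE_AD, SAMPLE_OKTA))
```

Run against the sample data, the Deactivate setting flags bob (still ACTIVE) and dave (SUSPENDED rather than DEPROVISIONED), the Suspend setting flags bob and carol, and Do Nothing flags nobody, which is exactly why the residual-access list is the one to watch when Do Nothing is selected.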