Install and Configure the Active Directory Password Sync Agent

Install the Active Directory (AD) Password Sync agent on domain controllers in your domain to detect AD password changes and send them to Okta automatically. This keeps your users' AD passwords in sync with apps that are configured to use Sync Password, such as SWA (Secure Web Authentication) apps set up to use the user's Okta password.

If you've integrated AD and desktop SSO (single sign-on), configured apps to delegate authentication to AD, and your users change their AD passwords through their machine sign-in prompt, the AD Password Sync agent detects the change and sends it to Okta automatically. When your users then sign in, change their passwords, and open the apps they use, their new passwords are already synced.

If you have integrated AD and configured provisioning with sync password enabled (for example, pushed your Okta password to Google Apps), the AD Password Sync agent detects a user's password change and makes sure the passwords are automatically synced.

Using Password Sync and Okta Mobility Management

For mobile workflows, AD password resets detected by the Active Directory Password Sync agent do not require sync password to be enabled. Reset password notifications trigger the distribution of an updated Exchange ActiveSync (EAS) email configuration to the corresponding devices enrolled in Okta Mobility Management (OMM). In cases where sync password is not enabled for any application, the encrypted AD password is removed from Okta after it is pushed to the device.

To use the agent, see Using Sync Password.