Add and update users with Just-In-Time provisioning

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) Delegated Authentication, Desktop SSO, or inbound SAML.

JIT account creation and activation works only for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.

If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.

If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

  1. In the Admin Console, go to Directory > Directory Integrations and select an AD instance.
  2. Click Settings.
  3. Scroll to the Import and Provisioning section.
  4. Select the Create and update users on login check box next to JIT Provisioning.
  5. Scroll to the bottom of the page and click Save Settings.