Add and update users with Active Directory Just-In-Time provisioning
Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) delegated authentication or Desktop SSO.
JIT account creation and activation only works for users who are not already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.
For JIT provisioning, delegated authentication must be enabled. If delegated authentication is not enabled, Okta user accounts can only be created using bulk import.
When JIT is enabled for your org and delegated authentication is selected for your AD, JIT is used to create user profiles and import user data. The username format is used to authenticate AD sourced users. If you use a custom expression to format the Okta username, the last selected and saved non-custom username is used for authentication. The UPN is the default, non-custom username.
- In the Admin Console, go to Directory > Directory Integrations.
- Click Active Directory and then click the Provisioning tab.
- Click To Okta in the Settings list.
- Click Edit in the General area.
- Select the Create and update users on login check box next to JIT provisioning.
- Click Save.