Configure Active Directory provisioning settings

When you install the Okta AD agent or the needs of your business change, you define how user data is managed and updated.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Click Active Directory and then click the Settings tab.
  3. Scroll to Create Users and click Enable.

Enabling Create Users lets Okta create users in Active Directory (AD). This allows you, for example, to import users from an HR system, create the users in Okta, and then have Okta create the users in AD. The HR system is the master, with Okta and AD being updated based on changes in the HR master. Or, another use case may include Okta being the source of truth for all user information and pushing those updates into AD.

To implement this functionality, you first need to create a group in Okta and then assign that group to your AD instance. When users are added to the group, they are also created in AD. A common scenario is to use group rules in this kind of flow to add users to the AD provisioning group automatically.

  1. In the Activation email recipient field, enter the email address of the Okta admin who receives activation emails with the Okta user's password. The admin is responsible for giving the end user their Okta password.
  2. In the AD username format list, select the format for the AD username:
    • Custom — Select this option to use a custom AD user name. Enter the Okta expression language to map the define the user name format. To validate your mapping expression, enter a user name and click the view icon. See Modify attributes with expressions.
    • Email — Select this option to use an email address for the AD user name.
    • Email prefix — Select this option to use an email prefix for the AD user name.
    • From Okta username — Select this option to use the Okta to generate the AD user name from the Okta user name.
    • LDAP UID + custom suffix — Select this option to use the LDAP user ID and a custom suffix as the AD user name.
    • Okta username — Select this option to use the Okta user name as the AD user name.
    • Okta username prefix — Select this option to use the Okta user name prefix as the AD user name.
  1. Click Enable next to Update User Attributes to update a user's attributes in AD when an app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in AD. See Enable Okta-mastered user Organizational Unit updates.
  2. Select Update OU when the group that provisions a user to AD changes to update an Okta-mastered user's organizational unit (OU) when the group that provisions a user to AD changes.

    If an Okta-mastered user's OU changes in AD, that change will not be reflected in Okta since Okta is the master for that user. The next time the user is update in Okta, they will be provisioned back to the OU as set in Okta.

    Warning:When Profile Push is enabled, Okta will update the CN attribute in AD. If there is a mapping defined for the cn property in the Profile Editor that mapping is applied. If there is no mapping or if the behavior for the CN mapping is set to Do not map then the CN is set to First Name + " " + Last Name.

  3. Click Enable next to Deactivate Users to deactivate a user's AD account when it is unassigned in Okta or their Okta account is deactivated.

  4. Click Enable next to Profile Master to make AD the identity authority for connected users. When selected, user profiles are not editable in Okta and changes are synchronized to Okta during provisioning events.

  5. In the When a user is deactivated in the app list, select one of these options:

    • Do Nothing — Select this option to keep the user account active.
    • Deactivate the Okta user — Select this option to automatically deactivate the Okta user when they are deactivated in the target app.
    • Suspend Okta User — Select this option to automatically suspend the Okta user when they are deactivated in the target app.
  6. For When a user is reactivated in the app, select one of these options:

    • Reactivate suspended Okta users — Select this option to reactivate a suspended Okta user when they are reactivated in the app.
    • Reactivate deactivated Okta users — Select this option to reactivate a deactivated Okta user when they are reactivated in the app.
  7. Click Enable next to Sync Password to make a user's AD password the same as their Okta password.

  8. Click Save Settings.