Install the Okta Active Directory agent

1. Click Add Directory and then select Add Active Directory.
2. Review the installation requirements and click Set Up Active Directory.
3. Click Download Agent.
   

1. Click Run when the message Do you want to run this file? appears.
2. Click Next.
3. Accept the default installation folder, or click Browse and select an alternate location. Click Install.
4. Accept the default AD domain you want to manage with this agent, or enter a domain name in the Domain field. Click Next.
5. Select a domain user for the Okta AD agent to run as:
   • Select Create or use the OktaService account (recommended) and complete the prompt to set a password. Okta recommends using a complex password for security.
   • Select Use an alternate account that I specify if you want to assign the Okta AD agent to run as an existing domain user.

If you're using a group Managed Service Account (gMSA) for the Okta AD agent service account, enter the account name and leave the Password field empty. You must include a dollar sign ($) at the end of the account name. For example, gMSA01$@example.com.

6. Click Next.
7. Optional. Specify a proxy server through which your AD agent will connect.
   If you are installing an AD agent version 3.4.11 or later, in environments where internet traffic is required to go through a proxy, the sign-in flow for the AD agent installer uses the proxy settings specified within the installer. If no proxy settings are specified, the default settings are used.
   
8. Click Next.
9. Select a domain to register the Okta AD agent with Okta. To register the Okta AD agent with the Okta service, enter your Okta subdomain name. This is the <mycompany> part of the example: <mycompany>.okta.com.
10. Click Next.
11. On the Okta Sign In page, enter your admin username and password, and then click Sign in.
12. The Okta AD agent requires several permissions. Click Allow Access. The agent installation completes.

    If the error message "The underlying connection was closed. Could not establish trust relationship for the SSL/TLS service channel" appears you are likely installing a version of the Okta AD agent with SSL pinning enabled by default and this prevents communication with Okta. This is most likely to occur in environments that rely on SSL proxies. To complete the installation, Okta recommends adding the domain okta.com to an allowlist to bypass SSL proxy processing. You can also disable SSL certificate pinning.

13. Click Finish.

1. (First time installations for this domain only) On the Connect an Organizational Unit to Okta screen, select the OUs from which you want to import users and groups.
2. In the Okta Username format list, select one of these formats that you want AD-imported end users to use when logging in to Okta:
   • Email address
   • SAM Account Name
   • User Principal Name (UPN)
   • Custom

   It is critical that the username format selected here be the correct format when you first import users. Changing the value can cause errors for existing users.

3. Click Next.
4. In the Import AD Users and Group dialog, click Next.

Note: To reconfigure OU and import settings, as well as other settings, return to the Settings tab (DirectoryDirectory Integrations Active DirectorySettings). See Configure Active Directory import and account settings.

On the Select the attributes to build your Okta User profile screen, accept the default attributes or select the specific attributes for your Okta user profiles. Attributes can be modified as the needs of your business change.

To learn more about Okta user profiles and attributes, see Work with Active Directory attributes.