Supported Active Directory integration features

This is where you'll find information about supported Active Directory (AD) integration features and functionality.

Data import and user authentication

This table lists the data import and user authentication features that are available with Active Directory integrations.

| Feature | Supported? | Description |
|---|---|---|
| Delegated Authentication | Yes | Ability to authenticate user credentials through AD for access into Okta. See Delegated authentication. |
| Just-In-Time (JIT) Authentication | Yes | Ability to authenticate user credentials through AD for access into Okta and update group memberships and profile info before access. See Add and update end users with Just In Time provisioning. |
| Instance-level Delegated Authentication | Yes | Ability to delegate authentication on a per AD-instance level to support more granular authentication scenarios. See Delegated authentication and Configure provisioning settings. |
| Import from Directory | Yes | Ability to import user and group details from the directory into Okta. AD supports both full import (full data import) and incremental import (only import changes since the last import). See Configure import and account settings. |
| Import filter - OU/container selection | Yes | Ability to filter users and groups by specifying an LDAP filter and selecting OUs. See Configure import and account settings. |
| Provision to Directory | Yes | Ability to provision user and group details down to AD. AD supports pushing users, passwords, and groups down to AD from Okta. See Configure provisioning settings. |

Password policies

This table lists the password policies that are available with Active Directory integrations.

| Feature | Supported? | Description |
|---|---|---|
| Minimum Length | Yes | See Security Policies. |
| Complexity Requirements | Yes | See Security Policies. |
| Common Password Check | Yes | See Security Policies. |
| Enforce password history for last < X > passwords | Yes | See Security Policies. |
| Password expires after < X > days | Yes | See Security Policies. |
| Prompt user < X > days before password expires | Yes | See Security Policies. |
| Lock out user after < X > unsuccessful attempts | Yes | See Security Policies. |
| Lock out user after < X number of > minutes | Yes | See Security Policies. |
| Show lock out failures | Yes | See Security Policies. |
| Send lock out email to user | Yes | See Security Policies. |
| Password Soft Lock | Yes | Ability to lock the Okta account of AD-mastered users through password policies, without triggering a lock of the user's AD account. See How does the password policy soft-lock functionality work. |
| Self-Service Password Reset | Yes | Ability to reset the AD password through Okta. See Manage users and Enable self-service registration. |
| Password Synchronization | Yes | Ability to sync AD and Okta passwords. See Synchronize passwords from Okta to Active Directory. |

Password reset

This table lists the password reset options that are available with Active Directory integrations.

| Feature | Supported? | Description |
|---|---|---|
| Self-service recovery options: Email | Yes | Ability to reset the password through email. See Enable self-service registration. |
| Self-service recovery options: SMS | Yes | Ability to reset the password through text message. See Enable self-service registration. |
| Self-service recovery options: Voice Call | Yes | Ability to reset the password through a code sent through a voice call. See Manage users and Enable self-service registration. |
| Reset, Unlock recovery emails are valid for < X > minutes | Yes | Ability to configure how long recovery email tokens are valid for. See Enable self-service registration. |
| Additional self-service recovery option: Secret questions | Yes | Ability to reset the password through security questions. See Enable self-service registration. |

Infrastructure

This table lists the infrastructure features that are available with Active Directory integrations.

| Feature | Supported? | Description |
|---|---|---|
| Multiple agent polling threads | Yes | Ability to increase polling threads on the agent. Increases how many requests the agent can handle per second per thread. See Change the number of Okta Active Directory agent threads. |