Import Active Directory users

You import users from Active Directory (AD) into Okta using one of these methods:

You can combine import methods. For example, you can set an import schedule, but also do an "on demand" import if you've added new users in AD and want to import them into Okta immediately. After importing users, you complete these tasks:


The Okta AD agent must be installed and configured.


  • Activate/Activation — When users are imported from AD, an Okta user account is created. The confirmation process associates the Okta account with the AD account. You need to activate the Okta account created during the import process before it can be used.
  • Assign and unassign — The Okta app assignment process for AD is used to assign users to AD. AD users imported into Okta do not see an AD app icon on their home page.
  • Import — The act of Okta requesting user information from AD and then importing this information into Okta.
  • Match — When users are imported from AD, Okta searches for an existing account in Okta based on the matching rules you have set. When an existing account matches an AD account, the accounts are matched and confirmed. If a matching account is not found, a new user account is created.
  • Confirm match - Account match confirmation. Your confirmation settings determine whether this occurs automatically or you match accounts manually.

Import AD users one time

You can manually import users when needed.

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory.
  2. Click the Import tab.
  3. Click Import Now.
  4. Select which type of import you want to do:
  5. Click Import.
  6. Your AD users are imported and a summary of the number of users and groups imported displays. Click OK.

Schedule imports

Use the schedule import setting to define how often you want Okta to import users from AD. Select Do not import users to keep user profiles and groups synchronized without importing new users from your directory. Use this option when you want to use import functionality to synchronize groups, but want to create new Okta users using Just In Time (JIT) provisioning. When Do not import new users is selected as the scheduled import option for your AD instance, incorrect or NULL values are returned when using a manager or assistant expression. To view the list of manager and assistant expressions, see Okta Expression Language.



Following a successful import, under specific conditions Okta automatically sends an email to designated administrators. The email details the number of users and groups scanned, added, updated, or removed during the import. Okta only sends the email if the scan detects any new users or groups, or changes to any existing user profile or group membership.

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory and open the AD instance.
  2. Click Settings.
  3. Scroll to the Import and Provisioning section.

  4. Select the import frequency at the Schedule import field.
  5. Scroll to the bottom of the page. Click Save Settings.

Add and update end users with Just In Time provisioning

Just In Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) Delegated Authentication, Desktop SSO, or inbound SAML.

JIT account creation and activation only works for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.

If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.

If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

  1. On the Okta Admin Console, click Directory > Directory Integrations and select an AD instance.
  2. Click Settings.
  3. Scroll to the Import and Provisioning section.
  4. Select the Create and update users on login check box next to JIT Provisioning.
  5. Scroll to the bottom of the page and click Save Settings.

Confirm imported user assignments

When users are imported from AD, Okta intelligently processes the results of the user import. Matching algorithms are applied to analyze the incoming AD users and to determine if there is a match to existing Okta users or to accounts that you have imported. During import and account creation, a duplicate account is created in Okta that mirrors the imported AD account (field mapping and data) and is associated with it.

Super admin or Org admin permissions are required to perform this task.

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory > Import.
  2. Review the imported users and the matching Okta user assignments. Click the down arrow in the upper right-hand corner of the Okta user to modify the Okta user assignments as follows:
    • Exact — The imported AD user must match an existing Okta user exactly.
    • New — If there is no existing match in Okta, the imported AD user is assigned to a new Okta user.
    • Existing — You can match an imported AD user with an existing Okta user. Click Specify and begin typing the Okta username. A list of matching usernames displays. Select the correct user from the list.
    • Ignore — You can opt to ignore this user. The user will not be assigned an Okta user assignment.


  3. Click Confirm Assignments to confirm the user assignments. You can confirm individual assignments or select all check boxes at once.
  4. The Confirm Imported Users Assignments dialog displays a summary of actions. Select Auto-activate users after confirmation if you want users to be activated immediately.
  5. Click Confirm. The assignments are processed. There should be no more records displayed in the Import Results pane.

After you have confirmed the user assignments, you will need to activate the users manually unless you have enabled Just In Time (JIT) provisioning.

Activate users

Activating user accounts in your org changes their account status from Pending to Active. When a user account is activated, end users are sent an email with instructions for setting up their account within your org. When setup is complete, users can access all the provisioned applications assigned to them.

The Status column on the Okta Admin Console People page displays the status of your end users.

If the user appears in the Person & Username list and their status is Staged, click Activate to activate their account.

To bulk activate users with a Pending Activation status, click Directory > People, select Pending Activation, and then click Bulk Activate.

If you reactivate a user who was previously deactivated, the user is re-imported, but their apps remain unassigned.

To activate one or more users who have been recently added, do the following:

  1. On the Okta Admin Console, click Directory > People.
  2. Click More Actions > Activate.
  3. Select users to activate and click Activate Selected. Or, click Activate All to activate all users.
  4. In the Activate People dialog, click Activate. The Status column displays Active for activated users.

What's next?

If you are configuring your Okta org and have just imported users for the first time, review the following topics: