Okta Active Directory Agent version history

This page lists current and past versions of the Okta Active Directory AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.. This page is updated whenever a new version of the agent is released to General Availability (GA) and/or Early Access (EA). 

Important: To ensure that you have up-to-date functionality and get optimum performance from your Okta AD agent(s), we strongly recommend that you download and install the latest version of the agent on your designated domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). server(s). If you are running multiple Okta AD agents, make sure that all of them are the same version. Running different versions can cause all agents to function at the level of the oldest agent.

Current GA Version


Current EA Version 3.5.0

Version Description Release
3.5.0 This EA release fixes an install issue that occurred when registering a secondary AD domain on a new installation. 2018.19
3.4.12 This GA release provides internal fixes to the installer. 2018.14
3.4.11 This Early Access release includes internal fixes to the installer. 2018.12

This Generally Available release provides the following:

  • All the fixes and enhancements provided by Early Access (EA) versions from 3.4.4 to 3.4.8.
  • Updated the minimum Windows Server version to 2008.
  • Providing a fix for AD-mastered users that had issues signing in with passwords containing unicode characters.
  • Updated default settings.
  • Fixes an issue with installing the agent on some Windows 2012 R2 servers.

This Generally Available release provides the following:

  • All the fixes and enhancements provided by Early Access (EA) versions from 3.4.4 to 3.4.8.
  • Updated the minimum Windows Server version to 2008.
  • Providing a fix for AD-mastered users that had issues signing in with passwords containing unicode characters.
  • Updated default settings.

This Early Access release includes a number of performance improvements which will reduce import times significantly.

  • Domain Controller (DC) affinity – a significant reduction in the number of full imports that occur during normal operation, resulting in improved performance.
  • DC availability checking – more robust checking for DC availability from the agent. Okta tests DC health prior to making a connection and transitions to a new DC more quickly if a DC is offline or unavailable.
  • Improved logging functionality.
  • Other fixes and optimizations.

This Early Access release now sends the following time stamps in milliseconds, instead of seconds:

  • when the agent GETs an Okta request
  • when the agent POSTs a result
  • when the agent sends a request to a Domain Controller
  • when the agent receives a response from the Domain Controller
3.4.6 This Early Access release provides various improvements to the agent log, and improves the way that the Okta AD agent interprets the date formats sent by AD. 2017.24

This Early Access release fixed an issue where Okta failed to recognize users' AD group memberships following JIT profile creation and updates.

Note: This update was initially documented in the release notes for 2017.05.


This Early Access release provides the following:

  • Updated default settings.
  • Internal improvements.

This Generally Available release provides the following:

  • All the fixes and enhancements provided by Early Access (EA) versions 3.4.1 and 3.4.2.
  • Support for writing binary data to an AD object's attribute.
  • Updated default settings.

This Early Access release provides the following enhancements:

  • If your AD agent fails to start because the service account on the domain controller is missing the Log on as a service permission, you can now repair the account with just a few clicks.
  • To allow admins to register the Okta AD agent in our EMEA production environment, we have added a Production-EMEA option to the agent installer.
  • To improve the security of AD integrations, we now default to the TLS1.2 security protocol in orgs running .NET Framework 4.5 or later. Orgs running earlier versions of the .NET Framework continue to use TLS1.1.
  • Okta no longer imports duplicate Universal Security GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. if they are moved to a different domain.
3.4.1 This release allows admins to enforce Active Directory's password policy for end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. who have forgotten their password. 2016.04

This version provides support for SSL certificate pinning. By default, pinning is enabled for new installations. For agent upgrades, your current state of enablement is preserved. †

To allow new installations to complete in environments where SSL pinning may prevent communication with the Okta server, this version also includes a command line option in the installer that lets admins disable SSL pinning. †

Note: The default state of this feature was reversed in GA release 3.4.3.

3.3.5 This version combines the best features of existing Classic Imports and Federated Profiles integration options. For details, see About Okta's Enhanced Active Directory Integration GA – 2015.51

EA – 2015.48

This release uses the FIPS-compliant implementation to perform some cryptographic functions.


Fixed an issue that caused the agent to send empty User Agent strings.


Fixed an issue that prevented the agent from shutting down.


Fixed an issue where, when AD_FEDERATED_PROFILES was enabled, the user AD Group membership information was not always updated.

3.2.0 This update includes repair of a memory leak. This improvement should reduce instances of delegated authentication timeouts. 2015.10 This update changes the default connection configuration to increase scalability in the throughput of processes between Active Directory and Okta. 2014.44 This update now enforces MFA policy during setup of AD. For Universal Directory users, this update also includes enhancements in configuring your AD schema in UD. 2014.41 Changes include several logging enhancements, including performance data. Also includes the following bug fixes:
  • OKTA-24749 - Fixed an issue in which Okta Groups without text in the Description field could not be successfully pushed.
  • OKTA-32138 - Fixed an issue where particular password types caused the AD Agent installation to fail.
3.0.7 This update provides multithreaded polling for AD agents. 07/23/2013
3.0.6 This update supports Federated Profiles. 05/10/2013
3.0.5 This update includes a security enhancement: Currently the agent token is stored in plain text in the configuration file, and with this update it will be encrypted, making it more secure. If you use a proxy, the password you enter will also be encrypted. There are no functional changes to the agent and you can update at your convenience. 02/05/2013
3.0.4.x The AD agent 3.0.4.x supports IWA redundancy. 12/05/2012
3.0.3 You can now configure a proxy server during installation. 10/17/2012
3.0.2 This includes all updates from earlier releases.
Updates to support the following:
  • Provisioning by security groups.
  • AD password reset.
  • AD import improvements.
3.0.1 This update includes the following bug fixes:
  • The AD Agent Manager will fill the combo-box with all Domains of the current Forest and allows you to type the DNS-name of any additional Domain.
  • Agent will now prompt for elevation or administrator credentials when necessary.
3.0 This update includes:
  • Registering Multiple Domains on one agent.
  • Provisioning by security groups.
2.1.4 This update includes:
  • The domain user account for the AD Agent is created by the installer, so that the credentials are not stored in the Okta service.
  • Multiple Domain Support.
  • AD Password Reset.

Note: After October 13, 2014, releases are named by release number; prior to that, they are named by release date. Release numbers indicate the year and week in which the release became available. Occasionally, there are gaps in the numbers.