Microsoft Active Directory (AD on-premises) integration
Integrate your Microsoft Active Directory on-premises (AD on-premises) instance with Okta Identity Security Posture Management (ISPM) to get the clarity and visibility you need to harden your environment against modern threats and secure your domains. You can use your existing Okta AD agent to integrate your AD on-premises instance with ISPM.
By bringing your on-premises identity lifecycle into Okta's unified platform, you get the following key capabilities:
- Visualize nested groups: ISPM maps complex, nested group structures to help you find overprivileged access and reduce your attack surface.
- Detect vulnerable identities: ISPM automatically detects unused human and service accounts and identities with stale passwords, including high-privilege admin accounts.
- Discover unsynced accounts: ISPM identifies shadow identities and groups that exist in your AD on-premises instance but haven't been synced to Okta or Entra ID.
Before you begin
Ensure that you have the following setup:
- The Okta data connector is integrated with ISPM. If it isn't, follow the steps in Okta integration.
- The Okta AD agent is installed and connects the required Okta org to the required service account in the AD environment.
  If an agent isn't configured for the required Okta org, complete steps 1 – 3 in Install the Okta Active Directory agent.
  You must have an Okta AD agent installed and connected to each Okta org that you want to integrate with ISPM. Domains without the agent aren't available for integration in the ISPM console.
- The required Okta AD agent status is Operational. See View Okta Active Directory (AD) agent status information. Only domains with at least one agent in an Operational status are available for this integration in the ISPM console.
  Alternatively, you can use the Okta AD agent management utility that's available on the domain controller itself to check the agent's status. The agent must be running and its service account must be a member of the Domain Administrators group for the domain to be available in the ISPM console for this integration.
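The two local prerequisites above (agent service running, service account in the Domain Admins group) can be checked from the domain controller before you open the ISPM console. This is an added example, not Okta's own code or utility; it assumes the agent's Windows service name is `OktaADAgent` (confirm with `Get-Service` on your host) and that the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: verify ISPM On-prem AD prerequisites on a domain controller.
# Assumption: the Okta AD agent service is named 'OktaADAgent'; adjust if yours differs.
Import-Module ActiveDirectory

$serviceName = 'OktaADAgent'

# 1. Is the agent service installed and running?
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found. Is the Okta AD agent installed on this host?"
    return
}
Write-Host ("Agent service state: {0} (logon account: {1})" -f $svc.State, $svc.StartName)

# 2. Resolve the service logon account to a domain user.
# StartName is 'DOMAIN\svc-okta' or 'svc-okta@corp.example' (constructed examples);
# built-in accounts such as LocalSystem resolve to nothing and are reported.
$sam = if ($svc.StartName -match '\\') { ($svc.StartName -split '\\')[1] } else { ($svc.StartName -split '@')[0] }
$user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet
if (-not $user) {
    Write-Warning "Logon account '$($svc.StartName)' is not a domain user; the agent needs a domain service account."
    return
}

# 3. Is the account in Domain Admins (the 'Domain Administrators' group the page refers to)?
# -Recursive also catches membership through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$isDomainAdmin = $domainAdmins -contains $user.SamAccountName

# Summary object: ReadyForISPM is true only when both prerequisites hold.
[pscustomobject]@{
    Service         = $serviceName
    Running         = ($svc.State -eq 'Running')
    ServiceAccount  = $user.SamAccountName
    InDomainAdmins  = $isDomainAdmin
    PasswordLastSet = $user.PasswordLastSet
    ReadyForISPM    = ($svc.State -eq 'Running' -and $isDomainAdmin)
}
```

The Operational status itself is reported by the Okta org, so a Running service here is the local half of that check; if ReadyForISPM is false, the domain will not be listed in the ISPM console.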
Start this task
- In the ISPM console, go to Settings > Sources gallery.
- Click Connect on the On-prem AD tile.
  If you have just one Okta source connected to your AD on-premises instance, do the following:
  - Click Next.
  - Review the AD domain that Okta found. If it's the right one, click Submit.
  If you have multiple Okta sources connected to your AD on-premises instance, do the following:
  - From the dropdown menu, select the Okta source that you want to connect to your AD on-premises instance.
  - Select one or more domains and click Submit.
- If the AD domain you want to connect isn't displayed or you receive an error, check that the agent is operational and that the domain meets the requirements listed in the Before you begin section of this topic.
After the integration succeeds, data from the domain appears in the ISPM console after approximately one day.
