Add and update users with Active Directory Just-In-Time provisioning

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta when a user authenticates for the first time either through Active Directory (AD) delegated authentication or Desktop SSO.

JIT account creation and activation only works for new Okta users. Any users who are confirmed on the Import Results page, regardless of whether they're later activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails.

For JIT provisioning, delegated authentication must be enabled. If delegated authentication isn't enabled, Okta user accounts can only be created using bulk import.

When JIT is enabled for your org and delegated authentication is selected for your AD, JIT is used to create user profiles and import user data. The username format is used to authenticate AD-sourced users. If you use a custom expression to format the Okta username, the last selected and saved non-custom username is used for authentication. The UPN is the default, non-custom username.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click Active Directory and then click the Provisioning tab.
  3. Click To Okta in the Settings list.
  4. Click Edit in the General section.
  5. Enable Create and update users on login for JIT provisioning.
  6. Click Save.

Related topics

Active Directory integration known issues