Configure Active Directory provisioning settings
When you install the Okta AD agent or the needs of your business change, you define how user data is managed and updated.
- In the Admin Console, go to Directory > Directory Integrations.
- Click Active Directory and then click the Provisioning tab.
- Click To App in the Settings list and click Edit in the Provisioning to App section.
- Click the Enable check box for Create Users.
Enabling Create Users lets Okta create users in Active Directory (AD). This allows you, for example, to import users from an HR system, create the users in Okta, and then have Okta create the users in AD. The HR system is the source, with Okta and AD being updated based on changes in the HR source. Or, another use case may include Okta being the source of truth for all user information and pushing those updates into AD.
To implement this functionality, you first need to create a group in Okta and then assign that group to your AD instance. When users are added to the group, they are also created in AD. A common scenario is to use group rules in this kind of flow to add users to the AD provisioning group automatically.
- In the Activation email recipient field, enter the email address of the Okta admin who receives activation emails with the Okta user's password. The admin is responsible for giving the end user their Okta password.
- In the AD username format list, select the format for the AD username:
- Custom — Select this option to use a custom AD user name. Enter the Okta expression language to map the define the user name format. To validate your mapping expression, enter a user name and click the view icon. See Modify attributes with expressions.
- Email — Select this option to use an email address for the AD user name.
- Email prefix — Select this option to use an email prefix for the AD user name.
- LDAP UID + custom suffix — Select this option to use the LDAP user ID and a custom suffix as the AD user name.
- Okta username — Select this option to use the Okta user name as the AD user name.
- Okta username prefix — Select this option to use the Okta user name prefix as the AD user name.
- From Okta username — Select this option to use the Okta to generate the AD user name from the Okta user name. The generated username includes the Okta username as a prefix and the AD domain as a suffix.
- Click Enable for Update User Attributes to update a user's attributes in AD when an app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in AD. See Enable Okta-sourced user Organizational Unit updates.
Select the Update OU when the group that provisions a user to AD changes check box to update an Okta-sourced user's organizational unit (OU) when the group that provisions a user to AD changes.
If an Okta-sourced user's OU changes in AD, that change will not be reflected in Okta because Okta is the source for that user. The next time the user is update in Okta, they will be provisioned back to the OU as set in Okta.
Warning: When Profile Push is enabled, Okta will update the CN attribute in AD. If there is a mapping defined for the cn property in the Profile Editor that mapping is applied. If there is no mapping or if the behavior for the CN mapping is set to Do not map then the CN is set to First Name + " " + Last Name.
Click Enable next to Deactivate Users to deactivate a user's AD account when it is unassigned in Okta or their Okta account is deactivated.
Click Enable next to Sync Password to make a user's AD password the same as their Okta password.
- Click Save.
- Optional. Map Active Directory attributes to Okta attributes in the Attribute Mappings section. The attributes listed in the table are your Active Directory attributes. To edit these mappings, click the edit icon. See Map application attributes on the Provisioning page