Supported Active Directory integration features

This is where you'll find information about supported Active Directory (AD) integration features and functionality.

Data import and user authentication

This table lists the supported data import and user authentication features that are available with AD integrations.

Feature Description
Delegated Authentication Ability to authenticate user credentials through AD for access into Okta. See Enable delegated authentication.
Just-In-Time (JIT) Authentication Ability to authenticate user credentials through AD for access into Okta and update group memberships and profile info before access. See Add and update users with Active Directory Just-In-Time provisioning.
Instance-level Delegated Authentication Ability to delegate authentication on a per AD-instance level to support more granular authentication scenarios. See Enable delegated authentication and Configure Active Directory provisioning settings.
Import from Directory Ability to import user and group details from the directory into Okta. AD supports both full import (full data import) and incremental import (only import changes since last import). See Configure Active Directory import and account settings.
Import filter - OU/container selection Ability to filter users and groups by specifying an LDAP filter and selecting OUs. See Configure Active Directory import and account settings.
Provision to Directory Ability to provision user and group details down to AD. AD supports pushing users, password, and groups down to AD from Okta. See Configure Active Directory provisioning settings.

Password policies

This table lists the supported password policies that are available with AD integrations.

Feature Description
Minimum Length See Sign-on policies and rules.
Complexity Requirements See Sign-on policies and rules.
Common Password Check See Sign-on policies and rules.
Enforce password history for last < X > passwords See Sign-on policies and rules.
Password expires after < X > days See Sign-on policies and rules.
Prompt user < X > days before password expires See Sign-on policies and rules.
Lock out user after < X > unsuccessful attempts See Sign-on policies and rules.
Lock out user after < X number of > minutes See Sign-on policies and rules.
Show lock out failures See Sign-on policies and rules.
Send lock out email to user See Sign-on policies and rules.
Password Soft Lock Ability to lock the Okta account of AD-sourced users through password policies, without triggering a lock of the user's AD account. See How does the password policy soft-lock functionality work, and About password policies.
Self-Service Password Reset Ability to reset AD password through Okta.
Password Synchronization Ability to sync AD and Okta password. See Synchronize passwords from Okta to Active Directory.

Password reset

This table lists the supported password reset options that are available with AD integrations.

Feature Description
Self-service recovery options: Email Ability to reset the password through email.
Self-service recovery options: SMS Ability to reset the password through text message.
Self-service recovery options: Voice Call Ability to reset the password through a code sent through voice call. See Manage users.
Reset, Unlock recovery emails are valid for < X > minutes Ability to configure how long recovery email tokens are valid.
Additional self-service recovery option: Secret questions Ability to reset the password through security questions.

Infrastructure

This table lists the supported infrastructure features that are available with AD integrations.

Feature Description
Multiple agent polling threads Ability to increase polling threads on the agent. Increases how many requests the agent can handle per second per thread. See Change the number of Okta Active Directory agent threads.