Manage Active Directory accounts
Early Access release
Okta Privileged Access Active Directory (AD) integration helps reduce the risks that are associated with undermanaged privileged AD accounts. This solution enables admins to discover and manage accounts and their passwords. It enforces access controls such as Role-Based Access Control (RBAC), MFA Access Requests, and time-limited check-out capabilities. It also offers an audit trail to support monitoring and compliance efforts.
Key capabilities
- Connect to Active Directory environments using the existing Okta AD agent.
- Discover privileged AD accounts and manage their passwords, requiring users to obtain them from Okta Privileged Access.
- Create robust policies for accessing privileged AD accounts, such as requiring phishing-resistant MFA.
- Require users to check out privileged AD account passwords. After a user checks in or the time limit expires, the passwords are automatically rotated. This prevents users from saving them for later reuse.
- Audit all admin and user activities.
Okta Active Directory agent
The AD agent is used to communicate with the domains whose AD account passwords are managed within Okta Privileged Access. The AD agent must already be set up and integrated with Okta before the Okta Privileged Access AD account management features can be enabled. See Manage your Active Directory integration.
The Okta AD agent service account must have permission to perform password resets on the accounts that are managed by Okta Privileged Access. See Grant Okta Active Directory (AD) agent password management permissions.
Account discovery and mapping
In the Okta Admin Console, admins must select the organizational units (OUs) that contain privileged accounts so that those accounts can be managed using Okta Privileged Access. Once the OUs within a domain are identified, Okta Privileged Access resource admins must establish rules for account discovery and for mapping discovered accounts to Okta users.
Okta super admin and Okta Privileged Access resource admin are two distinct roles. Both roles are required for setting up AD account discovery and mapping.