Configure Active Directory provisioning settings

When you install the Okta AD agent, or when the needs of your business change, you define how user data is managed and updated between Okta and Active Directory.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Select the Active Directory entry whose settings you want to configure.
  3. Click the Provisioning tab and select To App in the Settings list.
  4. Click Edit in the Provisioning to App section.
  5. Select Enable for Create Users. When this option is enabled, Okta can create users in Active Directory (AD), which lets you import users from an external system and create accounts in both Okta and AD. For example, you can import users from an HR system, create them in Okta, and then have Okta create them in AD. The HR system is the source of truth, and any change made there is propagated to both Okta and AD. Alternatively, Okta can be the source of truth for all user information, pushing any updates made in Okta to AD.

    To implement this functionality, you first need to create a group in Okta and then assign that group to your AD instance. When users are added to the group, they're also created in AD. A common scenario is to use group rules in this kind of flow to add users to the AD provisioning group automatically.

  6. In the Activation email recipient field, enter the email address of the Okta admin who receives activation emails with the Okta user's password. The admin is responsible for giving the end user their Okta password.
  7. In the AD username format list, select the format for the AD username:
    • Custom: Select this option to use a custom AD username. Use the Okta Expression Language to define the username format to use for the mapping. To validate your expression, enter a username and click the view icon. See Modify attributes with expressions.
    • Email: Select this option to use an email address for the AD username.
    • Email prefix: Select this option to use an email prefix for the AD username.
    • LDAP UID + custom suffix: Select this option to use the LDAP user ID and a custom suffix as the AD username.
    • Okta username: Select this option to use the Okta username as the AD username.
    • Okta username prefix: Select this option to use the Okta username prefix as the AD username.
    • From Okta username: Select this option to have Okta generate the AD username from the Okta username. The generated username uses the Okta username prefix (the part before the @) and the AD domain as the suffix.
  8. Select Enable for Update User Attributes to update a user's attributes in AD when an app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in AD. See Enable Okta-sourced user Organizational Unit updates.
  9. Select Update OU when the group that provisions a user to AD changes to move an Okta-sourced user to a different organizational unit (OU) in AD when their provisioning group changes.

    If an Okta-sourced user's OU is changed directly in AD, that change isn't reflected in Okta, because Okta is the source for that user. The next time the user is updated in Okta, they're provisioned back to the OU set in Okta.

    Warning: When Profile Push is enabled, Okta updates the CN attribute in AD. If there's a mapping defined for the cn attribute in the Profile Editor, that mapping is applied. If there's no mapping, or if the behavior for the CN mapping is set to Do not map, the CN is set to First Name + " " + Last Name. See Profile Push.

  10. Select Enable for Deactivate Users to deactivate a user's AD account when the user is unassigned from AD in Okta or their Okta account is deactivated.

  11. Select Enable for Sync Password to push each user's Okta password to AD so that the AD password is the same as the Okta password.

  12. Click Save.
  13. Optional. Map Active Directory attributes to Okta attributes in the Attribute Mappings section. The attributes listed in the table are your Active Directory attributes. To edit these mappings, click the edit icon. See Map application attributes on the Provisioning page.
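After saving these settings, it's worth confirming on the AD side that provisioning actually produced what you configured: the account exists under the expected username, sits in the OU tied to the provisioning group, carries the CN that Profile Push sets, is disabled after an Okta deactivation, and shows a fresh password-set time after a Sync Password push. The following PowerShell script is an added example, not part of the Okta documentation or Okta's own tooling. It assumes the RSAT ActiveDirectory module, a hypothetical domain corp.example.com, a hypothetical target OU, and that the AD username format is set to From Okta username; the Okta logins it checks are constructed sample data.

```powershell
# Added verification example (not from the Okta documentation).
# Assumes the RSAT ActiveDirectory module is installed and that the accounts
# below were provisioned by Okta with the "From Okta username" format into the
# hypothetical domain corp.example.com.
Import-Module ActiveDirectory

# Constructed sample input: Okta logins to check, and the OU that the AD
# provisioning group is expected to place them in (hypothetical values).
$OktaLogins = @('jane.doe@corp.example.com', 'sam.lee@corp.example.com')
$ExpectedOU = 'OU=OktaProvisioned,DC=corp,DC=example,DC=com'
$AdDomain   = 'corp.example.com'

foreach ($login in $OktaLogins) {
    # "From Okta username": UPN = Okta username prefix + "@" + AD domain
    $prefix      = $login.Split('@')[0]
    $expectedUpn = "$prefix@$AdDomain"

    $u = Get-ADUser -Filter "UserPrincipalName -eq '$expectedUpn'" `
                    -Properties mail, PasswordLastSet

    if (-not $u) {
        Write-Warning ("{0}: no AD account with UPN {1} " +
            "(Create Users not enabled, or user not in the provisioning group)") -f $login, $expectedUpn
        continue
    }

    # sAMAccountName is limited to 20 characters; a long Okta username prefix
    # is a common reason an account create or update fails.
    if ($u.SamAccountName.Length -gt 20) {
        Write-Warning "$login : sAMAccountName '$($u.SamAccountName)' exceeds 20 characters"
    }

    # Update OU: the object should live directly under the expected OU.
    # Split on the first comma that is not escaped (CN values may contain "\,").
    $parentDn = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
    if ($parentDn -ne $ExpectedOU) {
        Write-Warning "$login : located in $parentDn, expected $ExpectedOU"
    }

    # Profile Push with no cn mapping sets CN to "First Last" (Name is the CN).
    $defaultCn = "$($u.GivenName) $($u.Surname)"
    if ($u.Name -ne $defaultCn) {
        Write-Output "$login : CN '$($u.Name)' differs from default '$defaultCn' (custom cn mapping?)"
    }

    # Summary row: Enabled should be False for users deactivated or unassigned
    # in Okta (Deactivate Users); PasswordLastSet should move forward after a
    # Sync Password push.
    [pscustomobject]@{
        OktaLogin       = $login
        UPN             = $u.UserPrincipalName
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        OU              = $parentDn
        CN              = $u.Name
        PasswordLastSet = $u.PasswordLastSet
    }
}
```

Run it once right after assigning a test user to the provisioning group, then again after deactivating that user in Okta; the second run should show Enabled = False without any change to the OU or CN. Because Okta is the source for these users, any OU or attribute drift you see in AD will be reverted on the next push, so fix it in Okta rather than in AD.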