Requirements and limitations
Early Access release
Review the following information before you use Okta Privileged Access to manage your Active Directory (AD) accounts:

- Contact Okta customer support to enable this feature.
- You must have an AD agent running on your target domain. See Install the Okta Active Directory agent. In the Connect an organizational unit to Okta section, select the organizational units (OUs) that have the privileged AD accounts. If a rule targets an OU that isn't selected in the Okta Admin Console, it has no effect.
- Grant the Okta AD agent service account permissions to change passwords for privileged AD accounts. See Grant Okta Active Directory (AD) agent password management permissions.
- Privileged AD accounts must be in OUs that contain only privileged AD accounts. These OUs shouldn't include standard user accounts or any accounts not intended for management by Okta Privileged Access. If privileged AD accounts are in the same OU as standard user accounts, they must be moved to a separate OU before Okta Privileged Access can manage them.
- Okta admins should collaborate with Okta Privileged Access admins to ensure that OUs that contain privileged AD accounts are selected accurately in the Admin Console and properly configured with the management rules in Okta Privileged Access.
- Okta recommends deactivating the AD domain in Okta Privileged Access before an Okta admin deletes the app integration from the Okta Admin Console. Deactivating or deleting the Okta app removes all entries from Okta Privileged Access.
- If you intend to manage AD Domain Admins or members of any protected groups, the Okta AD agent server account requires Domain Admin membership.
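A pre-flight audit of the OUs you plan to select, as an added PowerShell example that is not Okta's code: it reports how many accounts in each OU are AdminSDHolder-protected (the case that requires Domain Admin membership for the agent account) and lists accounts that look like standard users and should be moved to a separate OU first. It assumes the RSAT ActiveDirectory module and read access to the domain; the OU paths and the list of groups treated as privileged are placeholders to replace with your own.

```powershell
# Added example (not Okta's code). Assumes the ActiveDirectory RSAT module
# and a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

# Placeholders: the OUs you intend to select in the Admin Console.
$PrivilegedOUs = @(
    'OU=Privileged,OU=Tier0,DC=example,DC=com',
    'OU=Privileged,OU=Tier1,DC=example,DC=com'
)
# Assumption: groups whose members you consider privileged in this domain.
$PrivilegedGroups = @('Domain Admins', 'Server Operators', 'Account Operators')

# Resolve group DNs once so membership can be compared against memberOf.
$groupDNs = foreach ($g in $PrivilegedGroups) {
    (Get-ADGroup -Identity $g).DistinguishedName
}

foreach ($ou in $PrivilegedOUs) {
    # Subtree also inspects nested OUs, so stray accounts below the OU are caught.
    $users = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * `
        -Properties adminCount, memberOf

    # adminCount=1 marks accounts protected by AdminSDHolder (members of
    # protected groups). Note the flag can be stale on accounts that were
    # removed from such groups; it is a hint, not proof of current membership.
    $protected = @($users | Where-Object { $_.adminCount -eq 1 })

    # Accounts that are neither protected nor in a listed privileged group
    # are candidates to move out before enabling management on this OU.
    $suspect = @($users | Where-Object {
        $_.adminCount -ne 1 -and
        -not ($_.memberOf | Where-Object { $groupDNs -contains $_ })
    })

    [pscustomobject]@{
        OU                  = $ou
        Users               = @($users).Count
        ProtectedAccounts   = $protected.Count
        LikelyStandardUsers = ($suspect.SamAccountName -join ', ')
    }
}
```

Run it from a host with RSAT installed; a non-empty LikelyStandardUsers column means the OU does not yet meet the "only privileged accounts" requirement above.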
Related topics
Set up Active Directory domains