For organizations running both Active Directory and Okta, seamless integration eliminates the complexity of managing dual identity systems. Okta’s Directory Integration automatically synchronizes user accounts from your existing AD infrastructure, enabling you to preserve your established user management processes in Active Directory while extending modern authentication capabilities—including single sign-on, multi-factor authentication, and adaptive security policies—to your SaaS applications.
The installation process is straightforward and similar to AD Connect or Entra Connect Sync. In this post, I’ll walk through the installation and synchronization process using two test employee accounts created in an AD environment. In upcoming posts, I’ll demonstrate Global and Authentication policies along with enrollment procedures.
One important consideration: carefully plan your AD username format. If you’re testing in a lab environment with a domain like lab.local, you may encounter issues later when users need to receive activation emails. For the smoothest experience, use a username format that ends with a domain where users can receive email—more on this later.
I’m logged into the Okta Admin dashboard and have created an OU named ‘Okta-sync’ in Active Directory, populated with two test employees: Judith and Larue. These will be our first accounts to sync as a test. Once the integration is configured, any additional users added to this OU will automatically sync with Okta according to the synchronization schedule.
We’ll download the sync agent from the Directory Integration tab in the Okta Admin dashboard. Note that both Linux and Windows agents are available for LDAP environments, though the setup process is slightly more complex. For large production environments with 30,000+ users, Okta recommends installing the agent on member servers to ensure high availability. For this lab demonstration, I’ll install the agent directly on the domain controller.
Download the agent and copy your Okta Organizational URL and Admin login credentials from the bottom of the page. The installation wizard will prompt you for several configuration details: the AD domain to sync, whether to let Okta create the background service automatically, a password for the service account, proxy settings (if required), and your organizational URL. After completing these steps, you’ll receive an activation code and link to proceed with activation.
Once the installation is complete, select the OUs from which the agent will sync users and groups. In my case, I’ll select the Okta-sync organizational unit. Remember the username format consideration mentioned earlier—Okta requires four key attributes: first name, last name, username, and email address. The username must be formatted as an email address for the sync to work correctly. Ideally, you want the username and email address to match, as is typically the case in most Active Directory environments.
Directory users (imported from AD/LDAP) are not automatically activated upon import; instead, they are staged for future activation. When an administrator attempts to activate a staged user, the activation email will fail to deliver if the email address is incorrect. Below is an example of this issue, along with a couple of potential solutions.
This AD environment has a domain of nx1.naxslabs.com, but there are no email services configured for that domain. You can set a different email address in the user’s AD profile before syncing to Okta, and then select ‘Email’ instead of ‘UPN’ for the username format during the sync configuration.
Alternatively, use PowerShell to set an alternative UPN suffix with your actual domain name. Then modify the domain portion in each user’s profile to use the new suffix. This allows you to leave Okta configured to use UPN for the username format.
Get-AdForest | Set-ADForest -UPNSuffixes @{add="naxslabs.com"}
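The two-step fix above (add a routable UPN suffix, then rewrite each user’s UPN), followed by a pre-sync check of the four attributes Okta requires, as an added PowerShell example that is not part of the original post. It assumes the lab domains from this post (nx1.naxslabs.com and naxslabs.com) and an assumed distinguished name for the Okta-sync OU; adjust both for your forest.

```powershell
# Added example (not from the original post): prepare the Okta-sync OU for
# import by registering a routable UPN suffix, rewriting each user's UPN to
# use it, and auditing the attributes Okta needs (givenName, sn, UPN, mail).
# Assumed values: the suffixes come from the post's lab; the OU DN is a guess.
Import-Module ActiveDirectory

$OldSuffix = 'nx1.naxslabs.com'   # lab UPN suffix with no mail service
$NewSuffix = 'naxslabs.com'       # suffix where users can actually receive mail
$SyncOU    = 'OU=Okta-sync,DC=nx1,DC=naxslabs,DC=com'   # assumed DN
$DryRun    = $true                # set to $false to apply the UPN changes

# Step 1: register the alternative UPN suffix at forest level (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix}
}

# Step 2: rewrite only the domain portion of each user's UPN in the sync OU.
# Users keep signing in with DOMAIN\sAMAccountName, so this is low risk,
# but run it with $DryRun = $true first and review the -WhatIf output.
$users = Get-ADUser -SearchBase $SyncOU -Filter * -Properties mail
foreach ($u in $users) {
    if ($u.UserPrincipalName -like "*@$OldSuffix") {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        Set-ADUser -Identity $u -UserPrincipalName "$prefix@$NewSuffix" -WhatIf:$DryRun
    }
}

# Step 3: audit the attributes Okta requires. Any user listed here would be
# imported as 'staged' with a wrong or missing email and fail activation.
# In dry-run mode this reports the current (pre-change) UPNs.
$report = foreach ($u in (Get-ADUser -SearchBase $SyncOU -Filter * -Properties givenName, sn, mail)) {
    $problems = @()
    if (-not $u.givenName) { $problems += 'missing givenName' }
    if (-not $u.sn)        { $problems += 'missing sn' }
    if (-not $u.mail)      { $problems += 'missing mail' }
    if ($u.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problems += 'UPN is not formatted as an email address'
    } elseif ($u.mail -and $u.mail -ne $u.UserPrincipalName) {
        $problems += 'mail differs from UPN'
    }
    if ($problems) {
        [pscustomobject]@{ User = $u.SamAccountName; UPN = $u.UserPrincipalName
                           Mail = $u.mail; Problems = ($problems -join '; ') }
    }
}
$report | Format-Table -AutoSize
```

Run the audit again after applying the change (with $DryRun set to $false) so the report reflects the rewritten UPNs before you start the Okta import.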
Next, Okta scans Active Directory attributes and maps them to corresponding Okta attributes. There’s extensive configuration available for attribute mapping, which I’ll cover in a separate post. Navigate to the Directory Integrations tab and review the provisioning section, where you can configure the import schedule and manually map additional attributes if you want to extend beyond the default AD schema.
Okta can also write back to the domain controller with additional configuration—ensure you’re on the ‘to-okta’ tab for the import settings we’re focusing on here. To manually import users instead of setting up a schedule, navigate to the Import tab, review the list of users, and select the ones you want to import. Confirm the assignments and navigate to Directory > People to view the newly imported accounts.
That’s it—nothing to it. Note the ‘staged’ status of the imported users. Clicking ‘Activate’ will send an activation email to the user to begin the enrollment process. See Okta Policies for more information about enrollment and authentication policies.
© NAXS LABS All Rights Reserved