Import Users from AD to Okta

What happens to new AD users during Okta import?

New AD users are created in Okta.

How does Okta handle modified AD users during import?

Modified AD users are updated in Okta.

What occurs in Okta when an AD user is disabled?

The disabled AD user is deactivated in Okta.

What is synced to Okta when there are changes in AD Group/OUs?

Changes are synced to Okta.

What are the matching criteria used to determine if an AD user exists in Okta?

Matching can be based on Okta username, email, a single attribute (like SAMAccountName), or multiple attributes.

What happens when there is an exact match with an existing Okta user during import?

The first name updates to the AD name since AD is the source of truth.

What is the risk of using partial matching during import?

Partial matching is not recommended due to the risk of merging different people.

What types of users can be confirmed during AD import in Okta?

Matched users and new users can be confirmed.

What can you do to disable activation emails during Okta provisioning?

Go to Provisioning → To Okta and select 'Don't send new user activation emails'.

When should you choose Import over JIT provisioning?

Use Import when you want predictable scheduled user sync, need to confirm matches, want staged rollouts, or require full group imports before login.

When is JIT provisioning preferred over manual import?

Choose JIT when accounts should only be created at first login, real-time updates are necessary, or scheduled imports are not desired.

How are scheduled imports defined in Okta?

Scheduled imports run automatically at defined intervals and are incremental, syncing only users changed since the last import.

What is the main difference between manual and scheduled imports?

Manual imports can be triggered at any time, whereas scheduled imports run at regular intervals automatically.

ad_import_deck = """

What does importing from AD do for new users?

Creates new Okta users for new AD users.

What does importing from AD do for modified users?

Updates existing Okta users based on AD changes.

What happens when an AD user is disabled?

They are deactivated in Okta.

Do AD group and OU changes sync to Okta?

Yes they are reflected in Okta during import.

What determines whether AD user becomes new or matched in Okta?

Matching criteria.

What attributes can matching criteria use?

Okta username email SAMAccountName or multiple attributes.

What is an exact match?

When the selected matching attribute(s) match between AD user and Okta user.

Does an exact match require identical first names?

No matches can occur even if names differ as long as the match attribute matches.

What happens after confirming an exact match?

Mapped Okta attributes update with AD values.

What is a partial match?

Match based only on first and last name.

Why are partial matches not recommended?

They may accidentally merge users with identical names.

Should auto-confirm partial matches be enabled?

No always confirm partial matches manually.

What does auto-confirm exact matches do?

Automatically confirms users whose attributes match according to criteria.

When should auto-confirm exact matches be turned on?

After confirming matching rules work correctly.

What does auto-confirm new users do?

Automatically confirms new users created from import.

What does auto-activate new users do?

Automatically activates new Okta accounts after import.

When should auto-activate new users be enabled?

After initial rollout once processes are stable.

What is the effect of activating a user by default?

Sends the user an activation email.

How do you disable activation emails for AD imports?

Provisioning → To Okta → Check “Don’t send new user activation emails for this domain”.

Should you import users when using JIT?

No choose Skip users during import.

What is a manual import?

An admin-triggered on-demand import of users and groups.

What is a scheduled import?

An automated periodic incremental import of changed or new AD users.

What does an incremental import do?

Imports only users created or updated since the last import.

When is importing preferred over JIT?

When you want predictable sync confirmations staged rollouts or full group imports before login.

When is JIT preferred over importing?

When you want real-time creation and updates at first login with no scheduled imports.

"""