Import Users from AD to Okta

OCA Exam Notes: Import Users from AD to Okta


What Importing From AD Does

When you run an import (manual or scheduled):

New AD users → created in Okta
Modified AD users → updated in Okta
Disabled AD users → deactivated in Okta
AD group/OU changes → synced to Okta

Importing is the alternative to just-in-time (JIT) provisioning.


Matching Criteria

Matching criteria determine whether an imported AD user:

  • matches an existing Okta user

  • or creates a brand new Okta user

Matching can be based on:

  • Okta username

  • Email

  • A single attribute (e.g., SAMAccountName)

  • Multiple attributes

Example

Sarah Wood (AD) → existing Okta user "Sara"

  • Email matches → Exact match

  • After confirmation → First name updates to “Sarah” since AD is source of truth

If there is no match → Okta treats the imported user as a new user.


Partial Matching

  • Matches based on first + last name only

  • NOT recommended (risk of merging different people)


Confirming Imported Users

During an AD import, Okta requires confirmation of the import results.

Two types of users can be confirmed:

  1. Matched users

  2. New users

Options:

| Action | Default | Recommendation |
|---|---|---|
| Auto-confirm exact matches | OFF | Turn on once you're confident your matching rules are accurate |
| Auto-confirm partial matches | OFF | Do NOT turn on; always review manually |
| Auto-confirm new users | OFF | Turn ON to streamline |
| Auto-activate new users | OFF | Start manually → enable after rollout |
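
The matching rules and auto-confirm options above can be modelled in a few lines. This is an added illustration, not Okta's implementation or code from these notes: the User fields, function names and sample people are assumptions, and it shows why a partial (first + last name) match should stay in manual review.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class User:
    username: str
    email: str
    first: str
    last: str

# Auto-confirm switches from the options above; every one defaults to OFF.
DEFAULTS = {"exact": False, "partial": False, "new": False}

def same(a, b, attrs):
    """Case-insensitive comparison of the chosen matching attributes."""
    return all(getattr(a, x).lower() == getattr(b, x).lower() for x in attrs)

def classify(ad_user, okta_users, match_on=("email",)):
    """Return ('exact' | 'partial' | 'new', matched Okta user or None)."""
    for o in okta_users:
        if same(ad_user, o, match_on):
            return "exact", o
    for o in okta_users:  # partial match: first + last name only
        if same(ad_user, o, ("first", "last")):
            return "partial", o
    return "new", None

def plan_import(ad_users, okta_users, policy=DEFAULTS):
    """Split import results into auto-confirmed and held-for-review lists."""
    auto, review = [], []
    for u in ad_users:
        kind, match = classify(u, okta_users)
        row = (u.username, kind, match.username if match else None)
        (auto if policy[kind] else review).append(row)
    return auto, review

def confirm_match(ad_user, okta_user):
    """Model of 'AD is source of truth': AD values overwrite the Okta profile."""
    return replace(okta_user, first=ad_user.first, last=ad_user.last, email=ad_user.email)

# Constructed sample data (invented people, example.com addresses).
OKTA = [User("sara.wood", "swood@example.com", "Sara", "Wood"),
        User("john.smith", "john.smith@example.com", "John", "Smith")]
AD = [User("swood", "swood@example.com", "Sarah", "Wood"),       # same person, email matches
      User("jsmith2", "j.smith2@example.com", "John", "Smith"),  # different person, same name
      User("ppatel", "ppatel@example.com", "Priya", "Patel")]    # not in Okta yet

if __name__ == "__main__":
    recommended = {"exact": True, "partial": False, "new": True}
    for label, policy in [("defaults", DEFAULTS), ("recommended", recommended)]:
        print(label, plan_import(AD, OKTA, policy))
```

With auto-confirm for partial matches turned on, the second AD record would be merged into the existing "john.smith" account without review, even though the two are different people in this sample.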


Activation Emails

By default, activating a user sends an email.

You can disable activation emails:

Provisioning → To Okta → "Don't send new user activation emails"

Recommended during early integration so users aren’t notified prematurely.


How Imports Occur

Manual Import

You can trigger user + group imports at any time.

Scheduled Import

  • Located under Provisioning → Settings

  • Runs automatically at defined intervals

  • Incremental, meaning only users changed since last import are synced


When Should You Choose Import vs JIT?

Use Import when:

  • You want predictable scheduled user sync

  • You need to confirm or review matches

  • You want staged rollouts

  • You require full group imports before login

Use JIT when:

  • You want accounts created only at first login

  • You want real-time updates

  • You don't want scheduled imports