Active Directory Field Mappings
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a0000005ujssaq&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2factive-directory-field-mappings-370419581
Published: Jan 31, 2018   -   Updated: Jun 22, 2018
Active Directory property mappings

The following table shows how Okta attributes are mapped to corresponding Active Directory (AD) attributes.

Active Directory attribute | Okta attribute | Required? | Mapping direction AD to Okta | Mapping direction Okta to AD | Note
username | login | Yes | Yes | Yes | Only used if email is not set. Available as one of the choices for the Okta username preference. If selected, the Okta username is generated by combining the sAMAccountName with the AD domain name (naming context) to form an email-like value.
firstName | firstName | Yes | Yes | Yes |
lastName | lastName | Yes | Yes | Yes |
middleName | middleName | No | Yes | Yes |
email | email | Yes | Yes | Yes |
title | title | No | Yes | Yes |
honorificPrefix | honorificPrefix | No | Yes | Yes |
honorificSuffix | honorificSuffix | No | Yes | Yes |
displayName | displayName | No | Yes | Yes |
mobilePhone | mobilePhone | No | Yes | Yes |
telephoneNumber | primaryPhone | No | Yes | Yes |
streetAddress | streetAddress | No | Yes | Yes |
city | city | No | Yes | Yes |
state | state | No | Yes | Yes |
postalCode | zipCode | No | Yes | Yes |
countryCode | countryCode | No | Yes | Yes |
preferredLanguage | preferredLanguage | No | Yes | Yes |
locale | locale | No | Yes | Yes |
employeeID | employeeNumber | No | Yes | Yes |
departmentNumber | costCenter | No | Yes | Yes |
countryCode | adCountryCode | No | Yes | Yes |
organization | organization | No | Yes | Yes |
division | division | No | Yes | Yes |
department | department | No | Yes | Yes |
sAMAccountName | substringBefore(user.login, "@") | Yes | No | Yes |
cn | user.firstName + " " + user.lastName | No | No | Yes |
objectGUID | None | Yes | Yes | No | Used to uniquely identify imported users.
userPrincipalName | Primary email, username | Yes | Yes | Yes | Only used if email is not set. Available as one of the choices for the Okta username preference. If selected, the Okta username is generated by combining the sAMAccountName with the AD domain name (naming context) to form an email-like value.
  • If any required AD attribute is missing from a user's profile, the user is ignored.
  • If the isCriticalSystemObject attribute is set to true, the user is omitted. This setting is mostly used for internal accounts belonging to the system, but it also covers various built-in accounts such as Administrator.
  • If a custom attribute is marked as required in Profile Editor (that is, Attribute required is selected in the Add Attribute dialog) and no corresponding field exists in the user's AD profile, the user is deprovisioned during the next import or, if JIT is enabled, the next time the user signs in.

The system treats previously imported users as deleted if any of the following conditions are met:

  • The isDeleted attribute is true. (Detected by incremental import or JIT sign in.)

  • The userAccountControl attribute indicates that the user has been deactivated. (Detected by incremental import or JIT sign in.)

  • The user no longer exists in the directory. (Only detected by a full import.)

If this occurs, the corresponding Okta user (if any) is deactivated. A user is also deactivated if their account falls outside the selected OUs at the next full import.
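The rules above (required attributes, isCriticalSystemObject, the three deletion conditions, OU scope) and the username derivation from the table are easy to misread in prose, so here is a small simulation of them run over constructed directory records. This is an added example, not Okta's import code: the function names, record layout, sample records and the order in which the checks are applied are assumptions of the example; the ACCOUNTDISABLE bit in userAccountControl and the DC= components of a DN forming the naming context are standard AD conventions.

```python
# Added example (not Okta's code): simulate this page's AD import rules over
# constructed records. Check ordering, names and records are assumptions.

ACCOUNTDISABLE = 0x0002   # standard userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x0200   # standard userAccountControl flag: ordinary user account

# Default required set, taken from the "Required?" = Yes rows of the table above.
REQUIRED_ATTRIBUTES = ("objectGUID", "sAMAccountName", "userPrincipalName",
                       "firstName", "lastName", "email")


def domain_from_dn(dn):
    """Naming context of a DN as a DNS name: 'CN=a,OU=b,DC=corp,DC=example,DC=com'
    -> 'corp.example.com'. Assumes a simple comma-separated DN, no escaped commas."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))


def okta_username(record):
    """'sAMAccountName + AD domain name' username preference from the table."""
    return "%s@%s" % (record["sAMAccountName"], domain_from_dn(record["distinguishedName"]))


def samaccountname_from_login(login):
    """Okta-to-AD direction, the substringBefore(user.login, "@") row of the table.
    Assumption: a login without '@' is returned unchanged."""
    return login.split("@", 1)[0]


def cn_from_profile(record):
    """Okta-to-AD direction, the user.firstName + " " + user.lastName row."""
    return record["firstName"] + " " + record["lastName"]


def in_ou_scope(dn, selected_ous):
    """True when the DN sits under one of the selected OUs (case-insensitive suffix)."""
    dn_l = dn.lower()
    return any(dn_l.endswith("," + ou.lower()) for ou in selected_ous)


def classify(record, selected_ous, required=REQUIRED_ATTRIBUTES, custom_required=()):
    """Apply the page's rules to one record. Order used here (an assumption):
    critical system object -> omitted; isDeleted / disabled / out of OU scope ->
    deactivated; missing built-in required attribute -> ignored; missing custom
    required attribute -> deprovisioned; otherwise imported with its username."""
    if record.get("isCriticalSystemObject"):
        return ("omitted", "isCriticalSystemObject")
    if record.get("isDeleted"):
        return ("deactivated", "isDeleted")
    if record.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return ("deactivated", "userAccountControl has ACCOUNTDISABLE set")
    if not in_ou_scope(record["distinguishedName"], selected_ous):
        return ("deactivated", "outside selected OUs")
    missing = [a for a in required if not record.get(a)]
    if missing:
        return ("ignored", "missing required: " + ", ".join(missing))
    missing_custom = [a for a in custom_required if not record.get(a)]
    if missing_custom:
        return ("deprovisioned", "missing custom required: " + ", ".join(missing_custom))
    return ("imported", okta_username(record))


def removed_since_last_import(previous_guids, current_records):
    """Full import only: previously imported objectGUIDs no longer in the directory."""
    return sorted(set(previous_guids) - {r["objectGUID"] for r in current_records})


# Constructed sample data, not real directory content.
NC = "DC=corp,DC=example,DC=com"
SELECTED_OUS = ("OU=Staff," + NC,)


def _user(guid, sam, first, last, ou="OU=Staff", uac=NORMAL_ACCOUNT, **extra):
    rec = {"objectGUID": guid, "sAMAccountName": sam, "firstName": first, "lastName": last,
           "userPrincipalName": sam + "@corp.example.com", "email": sam + "@example.com",
           "distinguishedName": "CN=%s %s,%s,%s" % (first, last, ou, NC),
           "userAccountControl": uac}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _user("guid-0001", "asmith", "Ann", "Smith"),                                   # clean
    _user("guid-0002", "bjones", "Bob", "Jones", uac=NORMAL_ACCOUNT | ACCOUNTDISABLE),
    _user("guid-0003", "Administrator", "Built-in", "Admin", isCriticalSystemObject=True),
    _user("guid-0004", "cwu", "Chen", "Wu", email=""),                               # no email
    _user("guid-0005", "dlee", "Dan", "Lee", ou="OU=Contractors"),                   # out of scope
]


def run_example():
    """Classify every sample record and detect removals against a prior import."""
    results = {r["sAMAccountName"]: classify(r, SELECTED_OUS) for r in SAMPLE_RECORDS}
    removed = removed_since_last_import(["guid-0001", "guid-0002", "guid-0009"], SAMPLE_RECORDS)
    return results, removed


if __name__ == "__main__":
    results, removed = run_example()
    for sam, (status, detail) in results.items():
        print("%-14s %-13s %s" % (sam, status, detail))
    print("removed on full import:", removed)
```

The OU-scope check is applied here on every run for brevity; the page states that moving out of scope and disappearance from the directory are only detected by a full import, which is why removed_since_last_import is kept separate and fed the previous import's objectGUIDs rather than the current records.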

Note: Attributes shown as Required in the table are also required for the Okta LDAP connector.
