An updated AD attribute is not being pushed to an application that has provisioning and "Update User Attributes" enabled
Published: Aug 16, 2017   -   Updated: Jun 22, 2018

Issue: Okta is not pushing an updated Active Directory attribute value to a downstream application (e.g., Office 365, ServiceNow).

Applies to: 
  • Active Directory as Profile Master
  • Office 365
  • ServiceNow

Cause: The Okta > Downstream Application attribute mapping is set to use the default expression hasDirectoryUser()?findDirectoryUser
  • This expression can successfully create attribute values when Okta provisions a new user object in the downstream application. However, updates to the AD user object will not trigger an application profile update task while this expression is in use.

Resolution: Replace the default attribute mapping expression with a strategy that maps from AD > Okta > Application by performing the following steps:

  • If there is currently no Okta attribute that corresponds to the AD attribute (e.g., ProxyAddresses, ManagerID), create a matching custom attribute in Okta (please refer to the "Add Custom Attributes to a user profile" section in our Profile Editor Guide for details).
  • Map the Active Directory attribute to the corresponding Okta attribute (please refer to the "Mappings" section in our Profile Editor Guide for details).
  • Map the Okta attribute to the Application attribute.
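
To find which application attributes are affected before changing mappings, the following added example (not Okta's own code) scans an exported Okta > Application mapping for expressions that read the directory profile directly. It assumes the export is a JSON object with a "properties" dictionary of target attribute to expression; the mapping id, application name and attribute values in the sample are constructed.

```python
import re

# Okta Expression Language functions that read the directory (AD) profile
# directly instead of going through an Okta user profile attribute.
DIRECT_LOOKUP = re.compile(r"\b(?:hasDirectoryUser|findDirectoryUser)\s*\(")

# Constructed sample: an Okta-user -> application mapping in the shape a
# profile-mapping export is assumed to have. Not taken from a real tenant.
SAMPLE_MAPPING = {
    "id": "prm-EXAMPLE",
    "source": {"name": "user", "type": "user"},
    "target": {"name": "example_app", "type": "appuser"},
    "properties": {
        "email": {"expression": "user.email", "pushStatus": "PUSH"},
        "proxyAddresses": {
            "expression": "hasDirectoryUser()?findDirectoryUser().proxyAddresses:null",
            "pushStatus": "PUSH",
        },
        "manager": {
            "expression": "hasDirectoryUser() ? findDirectoryUser ().managerUpn : null",
            "pushStatus": "PUSH",
        },
        "title": {"expression": "user.title", "pushStatus": "DONT_PUSH"},
        "notes": {"expression": None},  # unmapped attribute, must not crash
    },
}


def audit_mapping(mapping):
    """Return one finding per target attribute that reads AD directly."""
    findings = []
    for attr, rule in sorted((mapping.get("properties") or {}).items()):
        expr = (rule or {}).get("expression") or ""
        if DIRECT_LOOKUP.search(expr):
            findings.append({
                "mapping_id": mapping.get("id"),
                "target_attribute": attr,
                "expression": expr,
                "fix": "map AD -> Okta attribute, then reference it as user.<attribute>",
            })
    return findings


if __name__ == "__main__":
    for f in audit_mapping(SAMPLE_MAPPING):
        print(f"{f['mapping_id']}: {f['target_attribute']} <- {f['expression']}")
        print(f"  {f['fix']}")
```

Each finding is an attribute that will be set at user creation but will not follow later AD changes until it is remapped through an Okta attribute as described in the steps above.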

Additional Details
  • If you are encountering this behavior with ServiceNow's ManagerID attribute, you may need to use an expression that populates a custom Okta attribute with a value retrieved from Active Directory, and then map the Okta attribute to ServiceNow's ManagerID attribute. Please consult the "Manager/Assistant Functions" section of our Okta Expression Language Guide for more details.