Disabling Active Directory as a Profile Master
Published: Jun 4, 2015   -   Updated: Aug 29, 2015

Active Directory (AD) can be disabled as the profile master, meaning that the user updates you perform in AD will not be pushed back to the user in Okta. For example, if you were to change a user's name in Active Directory, this change would not affect the Okta user name.

When AD is disabled as the profile master, you cannot reset the user's AD password in Okta, because their credentials are still managed by Active Directory. You can, however, disable Delegated Authentication and enable Active Directory Password Sync. This means that your users will have their delegated Okta password, but any subsequent password updates are pushed to Active Directory.

Note: You can still provision new AD accounts from Okta.

Active Directory Password Sync

In addition to the option of disabling AD as a profile master, we've also added the ability to ensure that a user's AD password is always the same as their Okta password. So, your users' AD password will become an Okta password, but any subsequent password changes they make will be pushed to their user profile in Active Directory. Please note, in order for the Active Directory Password Sync option to be enabled, Delegated Authentication must be disabled.

To enable these options, do the following:
  1. From the Okta Administrator Dashboard, go to Directory > Directory Integrations, then click on your Active Directory Instance.
  2. Click on the Settings tab, and under the Provisioning Features section, do the following:
     • Under Profile Master, disable AD as the profile master by deselecting the Enable button.
     • Under Sync Password, select the Enable button. This ensures that a user's AD password is always the same as their Okta password.
  3. Click the Save Settings button.