Active Directory (AD) can be disabled as the profile master, meaning that the user updates you perform in AD will not be pushed back to the user in Okta. For example, if you were to change a user's name in Active Directory, this change would not affect the Okta user name.
When disabling AD as the profile master, you cannot reset the user's AD password in Okta, as their credentials are still being managed by Active Directory. You can, however, disable Delegated Authentication, and enable Active Directory Password Sync. This means that your users will have their delegated Okta password, but any subsequent password updates are pushed to Active Directory.
Note: You can still provision new AD accounts from Okta.
Active Directory Password Sync
In addition to the option of disabling AD as a profile master, we've also added the ability to ensure that a user's AD password is always the same as their Okta password. So, your users' AD password will become an Okta password, but any subsequent password changes they make will be pushed to their user profile in Active Directory. Please note, in order for the Active Directory Password Sync option to be enabled, Delegated Authentication must be disabled.
To enable these options, do the following: