Rocky Reyes

Expired Active Directory accounts are still active in Okta

Hey Okta Community,

We are using Active Directory as a master. When we manually disable an AD account, the Okta AD sync tool kicks in and that Okta user account is disabled as expected. Downstream apps are deprovisioned and access is revoked.

However, when an AD account expires on a date specified in the user's AD properties, the Okta account remains active and the user can still log in and access all downstream apps.
An AD import does not help.

We have several contractors and we need to confirm that their Okta access is revoked on the same date that their AD accounts expire.

Is there a way to let Okta know that Disabled Accounts = Expired Accounts?

Thanks in advance,

David Genenz
We're using delegated authentication with Okta/AD and I believe when we expire their accounts, it disables their ability to log into Okta.
Rocky Reyes
Hi David,

Thanks for your response. We are also using delegated authentication. I have confirmed that expired AD accounts still remain active in Okta. Perhaps there is a setting I am missing?
Dylann Fezeu (Customer First Programs)
Hi Rocky,

We will doc your question and route it to the proper tech specialist who can give you a more detailed answer.

Thank you for your feedback,

Dylann Fezeu
Okta Help Center Team
Jason Harris
I've realized our org is experiencing the same issue with AD accounts set to expire - they remain active in Okta. I don't know if it's always been this way, or this has been a gap for a while.
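
Added example, not part of the thread and not Okta's code: AD stores the expiry date in `accountExpires` and the disabled state as a bit in `userAccountControl`, so an expired account is not marked disabled. The sketch below audits an exported user list for accounts that are past expiry but still enabled, the population this thread describes; the record layout, sample values and function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                  # userAccountControl bit: account disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values meaning "no expiry"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def to_filetime(dt):
    """Inverse conversion; used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def is_expired(account_expires, now):
    """True when an expiry is set and lies at or before `now`."""
    if account_expires in NEVER_EXPIRES:
        return False
    return filetime_to_datetime(account_expires) <= now

def is_enabled(user_account_control):
    """True when the ACCOUNTDISABLE bit is clear."""
    return not (user_account_control & ACCOUNTDISABLE)

def expired_but_enabled(records, now):
    """Return sAMAccountNames that are past expiry yet not disabled in AD."""
    return [
        r["sAMAccountName"]
        for r in records
        if is_expired(int(r["accountExpires"]), now)
        and is_enabled(int(r["userAccountControl"]))
    ]

# Constructed sample records (attribute values as strings, as in an LDAP export).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PAST = str(to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc)))
FUTURE = str(to_filetime(datetime(2024, 12, 31, tzinfo=timezone.utc)))
SAMPLE = [
    {"sAMAccountName": "contractor1", "userAccountControl": "512", "accountExpires": PAST},
    {"sAMAccountName": "contractor2", "userAccountControl": "514", "accountExpires": PAST},
    {"sAMAccountName": "contractor3", "userAccountControl": "512", "accountExpires": FUTURE},
    {"sAMAccountName": "employee1", "userAccountControl": "512",
     "accountExpires": "9223372036854775807"},
]

if __name__ == "__main__":
    for name in expired_but_enabled(SAMPLE, NOW):
        print(f"{name}: expired in AD but still enabled")
```

Accounts the audit reports can then be disabled in AD, which the original post states does propagate to Okta.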