Vincent Tsang

Avoid auto-creation and activation of Okta user upon successful AD user login

Hi,

We have AD integration set up with delegated authentication enabled and JIT provisioning disabled. We would like our AD users to be granted Okta access in a controlled manner - so one should not be able to access Okta at all before our Okta admin first selects that user from the Imported User List under "Directory Integrations" to create a new Okta user for him/her. However, right now we realised that any AD user can get onboarded directly by simply logging in with AD username and password and then an Okta user will be auto-created and activated - we can't yet figure out a way to disable this.
Could somebody please help advise how we can disable this auto Okta user creation? We thought it's related to the JIT Provisioning option but we already disabled it.

Thanks.
Vincent
Theo Chimbga
Hi Vincent,

Please check if the Enable Just In Time Provisioning checkbox is selected on the menu under Settings > Customization > Just In Time Provisioning. Try disabling that and see if it stops auto activation.

thanks

Theo
Vincent Tsang
Hi Theo,

Thanks. Tried it and it works.
I didn't realise this setting, but thought JIT provisioning was already disabled after I unchecked Directory -> Directory Integrations -> Active Directory -> Settings -> JIT Provisioning "Create and update users on login". I guess this option actually means something else then?

Thanks.
Vincent
Theo Chimbga
Hi Vincent,

Glad it worked. I guess the option on the Settings menu allows you to set the JIT across multiple agents while the one on the agent allows you to set JIT on a per agent basis.

Cheers

Theo