Clément CHANE

Is there a way to find all disconnected accounts from the AD through the report logs?

Hello,

We are using AD to manage our users on Okta, but our User Admins can disconnect them from the AD. So I would like a filter that can sort cloud-only users (disconnected or deactivated) through the report logs.
Thank you for your help!
 

All Answers

Gabriel Sroka (Okta, Inc.)
Hi Clement,
I disconnected a user from AD. When I looked in the New System Log (Sys Log 2), I see an event with these 3 fields:
eventType eq "application.user_membership.remove"
displayMessage eq "Remove users application membership"
target.displayName eq "Active Directory"

In the Old System Log, I see:
Message: User deprovisioned from app
App: active_directory 
Categories: Application Assignment

Keep in mind that "AD" is considered to be an "app".
Clément CHANE

Hello,

Thank you for your answer!
We do have the new System Log v2, but what we would like is to detect the cloud-only users as we currently have no visibility on them.
The issue with your filter is that users deleted from the AD (because they left the company) are also seen as "removed from the Active Directory" and are no longer in Okta.

Is there any filter for it?

Thank you again!
 

Gabriel Sroka (Okta, Inc.)
Hi
If you're open to using the Okta Users API, you could List Users and look at:
credentials.provider.type equal to "OKTA"
see
http://developer.okta.com/docs/api/resources/users.html#list-users
http://developer.okta.com/docs/api/resources/users.html#user-model
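
The List Users check suggested above, written out as an added example (not code from this thread or from Okta): page through `/api/v1/users` and keep the accounts whose `credentials.provider.type` is "OKTA". The `expected` allowlist, the function names and the sample accounts are assumptions made for illustration; the sample data is constructed so the script runs offline.

```python
import json
import re
import urllib.request

def next_link(link_headers):
    """Return the rel="next" URL from the Link response headers, or None."""
    for header in link_headers:
        for part in header.split(","):
            m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
            if m:
                return m.group(1)
    return None

def list_users(org_url, api_token):
    """Yield every user from GET /api/v1/users, following pagination."""
    url = f"{org_url}/api/v1/users?limit=200"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
            url = next_link(resp.headers.get_all("Link") or [])
        yield from page

def cloud_only(users, expected=()):
    """Return sorted (login, status) pairs for Okta-mastered users not in `expected`."""
    found = []
    for user in users:
        provider = user.get("credentials", {}).get("provider", {})
        login = user.get("profile", {}).get("login", user.get("id"))
        if provider.get("type") == "OKTA" and login not in expected:
            found.append((login, user.get("status")))
    return sorted(found)

# Constructed sample in the shape of the User model (not real accounts).
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"},
     "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example.com"}}},
    {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"id": "00u3", "status": "SUSPENDED", "profile": {"login": "carol@example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"id": "00u4", "status": "ACTIVE", "profile": {"login": "svc-okta-admin@example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
]

if __name__ == "__main__":
    for login, status in cloud_only(SAMPLE_USERS, expected={"svc-okta-admin@example.com"}):
        print(f"{status:12} {login}")
```

Against a real org, pass `list_users(org_url, api_token)` to `cloud_only` instead of the sample. List Users leaves out DEPROVISIONED accounts unless the request filters on that status, so deactivated users need a second, filtered call.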
 
Clément CHANE
Thank you Gabriel for your help, I found the answer.
With the "Password Health" report, it is possible to see where passwords are managed (whether by Okta or AD) and the account status (Active or Not).
As User Admins have rights to disconnect users from AD, this is useful to detect Cloud Only Users who are not compliant with our security policies.
This was selected as the best answer