Deactivate user in Active Directory pushed to Okta without waiting for directory import
https://support.okta.com/help/answers?id=9062a000000bmuoqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Karl Piller

Hi,
Currently, we deactivate a user in Active Directory; to ensure it gets pushed to Okta and assigned applications, we run a manual import if we can't wait for the import, which is set at every hour.

Does the AD password sync agent (which we don't use currently) also process deactivations on action in AD and not rely on the import?
Or is there any other way we can accomplish this, to disable access immediately without dependency on the Okta directory import?
Thanks
Gabriel Sroka (Okta, Inc.)
Hi Karl,
If you have JIT enabled for AD (https://help.okta.com/en/prod/Content/Topics/Directory/Okta%20Active%20Directory%20Agent.htm) and a previously-enabled (now disabled) AD user tries to log in, they won't be able to, and their Okta account will also be deactivated. Or, an Okta admin can find them in the Okta Admin console under Directory > People, click on their link, and it will do a real-time/JIT sync to AD and disable the user.
Karl Piller
Thank you for the reply. We may have to do it from Okta and let it sync to AD from there.

If, on disabling someone in Active Directory, there is no action in Okta or assigned apps until the user tries to log in, this leaves assigned applications active and accessible. Some applications are accessed directly and not through Okta and need to be deactivated at the time of deactivation in AD.