AD Password Sync Agent and JIT Account creation
https://support.okta.com/help/answers?id=906f0000000i01piac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Okta ADAgent WSS

Hello,

Has anyone else noticed that the AD Password Sync Agent will JIT create user accounts when a user changes their password within the AD Domain?

I found this after seeing our licensing costs shoot up, but the reports said only a fraction of users were using Okta applications. Tech support said it was a known byproduct of using the AD Password Sync Agent.

I feel the AD password sync filter should only UPDATE an existing Okta user's password; it should not create new Okta users.

Anyone else want to chime in on this? I am looking to get this changed soon; any help appreciated.

 
Edward Holliday (Okta, Inc.)
Do you have the following set for new user creation under AD Agent > Settings?
'Manually confirm new user'

If you do, you should find new users are left on the AD Agent import tab until they actually access Okta for the first time...

Or are you saying the Password Sync Agent ignores/overrides this?

AD Agent JIT settings
Okta ADAgent WSS

So in a way, Yes, the AD Password Sync Agent overrides this.

In my case, "No Import Match" is set to "Manually confirm new user".
The users are being imported, but not activated. However, the next time a user changes their password on the domain (we are talking Ctrl+Alt+Delete, change my password, or an expired password changed at login), the Okta AD Password Sync Agent will activate the user if JIT Activation is enabled (which it is).

Here is why: the Okta AD Password Sync Agent on the domain controllers does not use the Okta API to update the user's password in the Okta cloud. Instead, when notified by the domain controller about the password update via the password filter API, the AD Password Sync Agent performs a login to Okta with the user's credentials at the [org].okta.com page. This login counts as an "AD Delegate Authentication" (see right side of attached jpeg) and triggers the JIT provisioning even though the end user never went to [org].okta.com nor used an application managed by Okta.

Okta JIT Setting
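The mechanism described in the post above (a password-filter-triggered login from the agent counting as a delegated authentication and activating the user) leaves a trail in the Okta System Log, which is where a practitioner would go to reconcile the licensing gap the original poster hit. The following is an added example, not code from the forum thread or from Okta: it takes System Log-style records, pairs each user activation with a delegated-authentication event shortly before it, and flags users who were activated that way but never started a session or used an app themselves. The event-type names (`user.lifecycle.activate`, `user.authentication.auth_via_AD_agent`, `user.session.start`, `user.authentication.sso`), the 30-second pairing window, and the trimmed record shape are assumptions; confirm them against your own org's `/api/v1/logs` output. The sample records are constructed, not real log data.

```python
import json
from datetime import datetime, timedelta

# Event-type names are ASSUMPTIONS modelled on Okta System Log naming;
# verify them in your org's /api/v1/logs output before relying on them.
ACTIVATION_EVENT = "user.lifecycle.activate"
DELEGATED_AUTH_EVENT = "user.authentication.auth_via_AD_agent"
REAL_USE_EVENTS = {"user.session.start", "user.authentication.sso"}
LIFECYCLE_PREFIX = "user.lifecycle."

# Constructed sample records in trimmed System Log shape (not real data).
SAMPLE_LOG = json.dumps([
    # alice: password change -> agent login -> JIT activation -> real session later
    {"published": "2023-03-01T09:00:00.000Z", "eventType": DELEGATED_AUTH_EVENT,
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []},
    {"published": "2023-03-01T09:00:01.000Z", "eventType": ACTIVATION_EVENT,
     "actor": {"type": "SystemPrincipal", "alternateId": "system@okta.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"published": "2023-03-01T10:15:00.000Z", "eventType": "user.session.start",
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": []},
    # bob: same JIT path via the password sync login, but never signs in himself
    {"published": "2023-03-01T09:05:00.000Z", "eventType": DELEGATED_AUTH_EVENT,
     "actor": {"type": "User", "alternateId": "bob@example.com"}, "target": []},
    {"published": "2023-03-01T09:05:02.000Z", "eventType": ACTIVATION_EVENT,
     "actor": {"type": "SystemPrincipal", "alternateId": "system@okta.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    # carol: activated by an admin, no delegated-auth event preceding it
    {"published": "2023-03-01T08:00:00.000Z", "eventType": ACTIVATION_EVENT,
     "actor": {"type": "User", "alternateId": "admin@example.com"},
     "target": [{"type": "User", "alternateId": "carol@example.com"}]},
])


def parse_ts(value):
    """Parse the System Log 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def subject(event):
    """Return the login the event is about.

    Simplification: lifecycle events name the affected user in target[],
    while authentication and session events name the user as the actor.
    """
    if event["eventType"].startswith(LIFECYCLE_PREFIX):
        for target in event.get("target", []):
            if target.get("type") == "User":
                return target.get("alternateId")
        return None
    return event["actor"].get("alternateId")


def classify_activations(log_json, window=timedelta(seconds=30)):
    """Classify each activated user as
    'password_sync_only'      - activated right after a delegated-auth event,
                                 no session/app use afterwards
    'password_sync_then_used' - same activation path, but the user later signed in
    'other'                   - activation not preceded by a delegated-auth event
    """
    events = sorted(json.loads(log_json), key=lambda e: e["published"])
    by_user = {}
    for event in events:
        login = subject(event)
        if login:
            by_user.setdefault(login, []).append(
                (parse_ts(event["published"]), event["eventType"]))

    result = {}
    for login, evs in by_user.items():
        activations = [ts for ts, et in evs if et == ACTIVATION_EVENT]
        if not activations:
            continue  # never activated; not a licensing question
        activated_at = activations[0]
        # The agent's login lands just before the JIT activation it triggers.
        via_sync = any(et == DELEGATED_AUTH_EVENT
                       and activated_at - window <= ts <= activated_at
                       for ts, et in evs)
        used_later = any(et in REAL_USE_EVENTS and ts > activated_at
                         for ts, et in evs)
        if not via_sync:
            result[login] = "other"
        elif used_later:
            result[login] = "password_sync_then_used"
        else:
            result[login] = "password_sync_only"
    return result


if __name__ == "__main__":
    for login, verdict in sorted(classify_activations(SAMPLE_LOG).items()):
        print(f"{login}: {verdict}")
```

Run against a real export, the `password_sync_only` bucket is the set of accounts that are consuming a licence purely because of the password-filter login; the `other` bucket catches activations with a different cause so they are not misattributed to the agent.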