How to prevent user accounts being deactivated when their email is updated in AD
When a user has their email address updated in AD, it is syncing with OKTA and updating the user account, but it is then setting the account to deactivated in OKTA. Has anyone run into this before? Thanks in advance for any assistance.
We found the use of the Email Address to be a HIGHLY unreliable matching and mapping mechanism (and to be honest, I'm a little frustrated by OKTA's continued requirement for it).
I'm thinking you might be mapping the AD mail attribute to the OKTA userid. In our environment, everyone has a UPN, but only some have email. If they have both, they are always the same.
We have taken to using the UPN of the user as the UserID in OKTA, and if there is no email, we map the UPN to their OKTA Email as well. The way we did it is by mapping the following from the AD user to the Email attribute in OKTA: