https://support.okta.com/help/answers?id=906f0000000i0imia0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Okta Admin

How to prevent user accounts being deactivated when their email is updated in AD

When a user has their email address updated in AD it is syncing with OKTA and updating the user account, but it is then setting the account to deactivated in OKTA. Has anyone run into this before? Thanks in advance for any assistance.
Krishnan Venkatraman (Okta, Inc.)
This is odd. This should never be the case. Email update is just like any other attribute change.  But system logs should say what triggered this. You should probably work with Okta support.
Parth Swadas
Email ID update should never deactivate user in OKTA.

But if there are any changes related to user OU in AD, it might cause deactivation if the OU is not imported in OKTA.

/Parth
Shawn Saucier
We found the use of the Email Address to be a HIGHLY unreliable matching and mapping mechanism (and to be honest, I'm a little frustrated by OKTA's continued requirement for it).

I'm thinking you might be mapping the AD mail attribute to the OKTA userid.  In our environment, everyone has a UPN, but only some have email.  If they have both, they are always the same.  

We have taken to using the UPN of the user as the UserID in OKTA, and if there is no email, we map the UPN to their okta Email as well.  The way we did it is mapping the following from the AD user to the Email attribute in OKTA:

appuser.email != null ? String.toLowerCase(appuser.email) : String.toLowerCase(appuser.userName)

That says "if the email is null, put the lowercase 'username' (aka UPN)".

HTH!
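The two points raised in the replies above (mail is an unreliable match key, so fall back to the UPN; a user whose OU is outside the imported set is a deactivation risk) can be checked against AD data before an import. The script below is an added example, not code from any poster or from Okta; the imported-OU list, the AD records and the treatment of an empty mail string as null are constructed assumptions.

```python
"""Constructed pre-import check for the two problems discussed in the thread:
(1) the AD mail attribute is an unreliable match key, so fall back to the UPN;
(2) a user whose OU is not in Okta's imported-OU list is a deactivation risk.
Sample records and OU names are constructed, not real directory data."""
from collections import Counter

# Constructed: OUs the Okta AD agent is assumed to be configured to import.
IMPORTED_OUS = {"OU=Staff,DC=example,DC=com", "OU=Contractors,DC=example,DC=com"}

# Constructed AD user records (mail may be None, as in the thread).
AD_USERS = [
    {"dn": "CN=Ann,OU=Staff,DC=example,DC=com",
     "userPrincipalName": "Ann.Lee@example.com", "mail": "Ann.Lee@example.com"},
    {"dn": "CN=Bob,OU=Contractors,DC=example,DC=com",
     "userPrincipalName": "bob.ray@example.com", "mail": None},
    {"dn": "CN=Cat,OU=Archive,DC=example,DC=com",
     "userPrincipalName": "cat.wu@example.com", "mail": "cat.wu@example.com"},
    {"dn": "CN=Dan,OU=Staff,DC=example,DC=com",
     "userPrincipalName": "dan.oh@example.com", "mail": "Ann.Lee@example.com"},
]

def okta_email(user):
    """Python equivalent of the Okta Expression Language mapping from the thread:
    appuser.email != null ? String.toLowerCase(appuser.email)
                          : String.toLowerCase(appuser.userName)"""
    mail = user.get("mail")
    source = mail if mail else user["userPrincipalName"]  # assumption: "" acts like null
    return source.lower()

def parent_ou(dn):
    """Strip the leading CN= component to get the container the object lives in."""
    return dn.split(",", 1)[1]

def audit(users, imported_ous):
    """Return per-user findings keyed by lowercase UPN, explaining a likely import issue."""
    emails = Counter(okta_email(u) for u in users)
    findings = {}
    for u in users:
        issues = []
        if parent_ou(u["dn"]) not in imported_ous:
            issues.append("ou_not_imported")    # outside import scope -> deactivation risk
        if not u.get("mail"):
            issues.append("mail_missing")       # matching on mail alone would fail
        if emails[okta_email(u)] > 1:
            issues.append("mail_not_unique")    # resulting email collides with another user
        if issues:
            findings[u["userPrincipalName"].lower()] = issues
    return findings

if __name__ == "__main__":
    for upn, issues in audit(AD_USERS, IMPORTED_OUS).items():
        print(upn, issues)
```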