Why am I getting "This choice creates a conflict" error for AD users?


We are seeing several "This choice creates a conflict" errors for AD users which are not getting Exact or Partial Match found. The settings for this AD are set to auto-confirm new users when No Import Match is found.

We are now unable to proceed getting this user activated.
Please advise.

The answer to this question may take some investigation. It may be best to create a support ticket and let the support team help you get to the bottom of this. It sounds like a user already exists and that user conflicts with the user being imported from AD. If the user already exists in Okta then it will not auto-confirm that user because the user is not new. But this is only speculation; a full look into your tenant and configuration would yield a more precise resolution.
Usually a conflict is shown when the username value already exists in Okta for another account. This could even happen for a deactivated user that is already consuming that username value.

If you continue to have trouble activating users showing conflicts, please open a ticket with Okta Support and they will help you resolve the conflicts.

I opened a support case and it was determined that the email address was missing in Active Directory.
It would have been very helpful to have a more descriptive message stating this instead of the cryptic "this choice creates a conflict", especially since there really was no conflict. We have found a feature request regarding more descriptive error messaging here.
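The two causes named in this thread (an empty email attribute in AD, and a username already held by another Okta account, possibly a deactivated one) can be checked before an import. The script below is an added example, not part of the original posts and not Okta tooling; the OU path, Okta domain, token variable and the choice of userPrincipalName as the Okta username format are assumptions.

```powershell
# Added example, not Okta tooling: audit an AD OU before an Okta import.
# Assumptions: RSAT ActiveDirectory module; placeholder OU and Okta domain;
# Okta username format = AD userPrincipalName; token in $env:OKTA_API_TOKEN.
Import-Module ActiveDirectory

$SearchBase = 'OU=OktaUsers,DC=example,DC=com'   # placeholder OU
$OktaDomain = 'example.okta.com'                 # placeholder org domain
$OktaToken  = $env:OKTA_API_TOKEN                # read-only API token; empty = skip Okta lookup

function Get-OktaLoginStatus {
    param([string]$Login)
    # The search parameter is used so that deactivated (DEPROVISIONED) accounts
    # still holding the login are matched as well; confirm this against your org.
    $query = [uri]::EscapeDataString("profile.login eq `"$Login`"")
    $hits  = Invoke-RestMethod -Method Get -Uri "https://$OktaDomain/api/v1/users?search=$query" -Headers @{ Authorization = "SSWS $OktaToken" }
    ($hits | ForEach-Object { $_.status }) -join ','
}

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties mail

# UPNs that occur more than once in the OU would collide with each other on import.
$dupUpn = $users | Group-Object { "$($_.UserPrincipalName)".ToLower() } |
    Where-Object { $_.Count -gt 1 -and $_.Name } | ForEach-Object Name

$report = foreach ($u in $users) {
    $upn    = "$($u.UserPrincipalName)"
    $issues = @()
    if ([string]::IsNullOrWhiteSpace($u.mail)) { $issues += 'mail attribute empty' }
    if ([string]::IsNullOrWhiteSpace($upn))    { $issues += 'userPrincipalName empty' }
    elseif ($dupUpn -contains $upn.ToLower())  { $issues += 'UPN duplicated in OU' }
    if ($OktaToken -and $upn) {
        # A hit is expected for accounts already linked by an earlier import.
        $status = Get-OktaLoginStatus -Login $upn
        if ($status) { $issues += "login already in Okta ($status)" }
    }
    if ($issues) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $upn; Issues = $issues -join '; ' }
    }
}

$report | Format-Table -AutoSize
```

The Okta lookup makes one API call per AD account, so run it against the narrowed OU rather than a whole domain.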

We were importing from an OU with a lot of unnecessary users. The first time I imported, I ignored 33 of them. Then we moved the necessary users to their own OU and synced with that. After that I had the correct users in Okta, but the 33 "ignored" users were still ignored. I couldn't "create" them as new users because I got "this choice creates a conflict". (Apparently they did not satisfy the AD Agent settings based on their OU properties, but I didn't care about that since that OU was not used anymore and I just wanted to delete them.)

To solve that, I created a temporary placeholder user for each of those users in Okta (using a temporary email address that I recognized, something like "deleteme-username@yahoo.com"). Then I matched each of my "ignored" users to one of those temporary users which was allowed in Okta, and got rid of all the "ignored" users. After that I just deactivated/deleted each of the temporary placeholder users and they were gone.

Now I am syncing from the appropriate OU which only contains the users that I need.

Good luck!