Wayne Kalsey

Re-enabling an account in Active Directory is not seen by OKTA

Sometimes we have to disable Active Directory accounts for a period of time. These accounts may eventually be re-enabled at a later date. We see that OKTA handles the disabling functionality very efficiently; however, if these Active Directory accounts are re-enabled, OKTA does not pick it up. The OKTA account remains deactivated.
Darron Hellmann (Okta)
Hi Wayne

I've just enabled an early access feature that will assist with this issue (user reactivation) for your org. The workflow should go like this now. Once you re-enable the Active Directory account, that account will re-activate in Okta at next import (manual or scheduled).
Jim Knutson (Okta, Inc.)
Hello Wayne,
Yes, Okta will leave these accounts disabled and require a manual action to re-enable the account in Okta. This is the default setting in order to give the Okta admin the ability to verify the account is actually the same individual. If your organization does not reissue email addresses, and the individual is indeed the same person, our support team can update this behavior to automatically enable the account in Okta. Please submit a support ticket and our support team can assist.
 
Wayne Kalsey
Hello Darron and Jim,

Thank you for the reply. I ran 2 tests and only one of them worked. The one that did not work is presenting the following behavior:

When viewing the "Profile Master" -- "Import" list, this user is not seen. I ran a manual import several times with no success. If I re-activate the user in OKTA and run a manual import, the user then shows up in the "Import" list. I can then link the AD import user to the re-activated OKTA user. Both the AD and OKTA username are identical.

This was the same behavior before you made the change to our environment yesterday.

Any ideas why this user would be presenting a problem?

I do appreciate your feedback.
 
Wayne Kalsey
Thanks for the assistance. I just opened a case to address this inconsistent behavior between 2 test users.
Patrick Cesard
Question about Okta and AD interaction.

1) I understand that if a user is disabled in AD, the Okta agent will detect this, and disable the user in Okta, correct?

2) If the user is subsequently re-enabled in AD, will Okta detect this as well, and automatically re-enable the user in Okta? It wasn't clear from the discussion above if this part was working.
Darron Hellmann (Okta)
Hi Isaac

1) That is correct
2) With the feature enabled explained above, Okta will detect and reactivate the corresponding Active Directory account in Okta
3) Okta support can enable this feature for you
Wayne Kalsey
Okta support enabled this for our organization. It is working as expected. We have several sub-domains. I think it had to be done for all our domains separately. We did experience an issue where support had to turn it off and back on again for it to work on one of the sub-domains. It has been working fine since then to my knowledge.
Patrick Cesard
Hello.

I want to ask Okta support to enable this feature: Is there a specific name for it? 
Is the feature the one described in this doc?
https://support.okta.com/help/articles/Knowledge_Article/About-Okta-s-Enhanced-Active-Directory-Integration
Wayne Kalsey
I am not sure what the name of this feature is, but if you explain to them as I did in this community post, they should know exactly what to do. Actually, they had to enable this for multi-domain functionality. It worked for our top level domain, but the extended sub-domains had to be set up to work. Let me know how it works out for you.