Active Directory (AD) sourced user accounts show a deactivated status in Okta when the account is deactivated in AD or moved to an Organizational Unit (OU) that is not synced with Okta. Resolve this issue by reactivating the account in AD, restoring it to a synced OU, or adding the correct OU to the directory configuration in Okta.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Organizational Unit (OU)
Okta deactivates AD-sourced accounts under the following scenarios:
- The account is deactivated in AD.
- The account is moved to an OU in AD that is not synced with Okta.
What steps resolve the deactivated status for Active Directory sourced accounts?
To resolve an issue where an account is deactivated in AD, reactivate the account in the directory, verify the lifecycle sourcing settings in Okta, and run an import.
- Reactivate the account in AD.
- Verify that user reactivation from AD is enabled in Okta under Profile & Lifecycle Sourcing.
- Run an import from AD to Okta.
To resolve an issue where the account has been moved to an OU that is not synced with Okta, either update the directory configuration in the Okta Admin Console to add the user's new OU to Okta scope or restore the account to a synced OU in Active Directory, and run an import from AD to update the Okta user status.
- In the Okta Admin Console, navigate to Directory > Directory Integrations > [AD] > Provisioning > Integration.
- Under User OUs connected to Okta, select the new OU in which the user's AD account is now located to add the location to Okta import scope.
- Alternatively, move the user's AD account to one of the OUs already selected.
- Perform an import from AD to update the Okta user status.
