Active Directory User Is Not Imported into Okta
Overview

When performing an import, one or more Active Directory (AD) users do not appear in the Okta Import tab. This issue occurs due to missing required attributes, incorrect Organizational Unit (OU) configurations, disabled account states in AD, or the user residing in the IGNORE section of the Import tab. Resolve this issue by verifying the AD user attributes, OU selections, and import settings in the Okta Admin Console.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Imports
Cause

Active Directory users fail to import into Okta due to several potential misconfigurations or states. These include the following:

  • The user resides in an Organizational Unit (OU) that is not selected for import.
  • The user object is missing a mandatory attribute, such as the User Principal Name (UPN).
  • The account is disabled or locked out in AD.
  • The isCriticalSystemObject attribute on the user object is set to TRUE.
  • The user is listed in the IGNORE section of the Import tab.
Solution

How are missing Active Directory users imported into Okta?


Verify the Active Directory (AD) user attributes, Organizational Unit (OU) selections, and import settings in the Okta Admin Console to ensure successful user imports.

  1. Verify the AD user resides in an OU selected for import in Okta by navigating to Provisioning > Integration within the Directory integration and reviewing the configuration.
  2. Verify that the First Name, Last Name, and User Principal Name (UPN) attributes contain values in the AD object of the user.
    • NOTE: If the email address field is blank, Okta uses the UPN as the email address by default.
  3. If these attributes are populated in AD, then verify the profile mappings in Okta.
    1. Navigate to Directory > Profile Editor in the Okta Admin Console.
    2. Locate the AD instance and select Mappings.
    3. Examine the mappings for login, firstName, lastName, and email.
    4. If the default mappings have been modified, ensure that any other AD attributes mapped to these fields are populated correctly on the AD object.
    5. Search in the Okta System Log for the following event, which Okta generates when attribute values are missing: eventType eq "system.agent.ad.import_user" and outcome.result eq "SKIPPED".
      • If found, expand the event details to determine the missing required attribute or the reason the account was not imported.
  4. Verify the AD object of the user is active and unlocked in AD.
  5. Verify the isCriticalSystemObject attribute on the AD object of the user equals FALSE to allow Okta to import the user.
    (Screenshot: isCriticalSystemObject attribute)
  6. Verify the user does not appear in the IGNORE section of the Import tab.
    (Screenshot: IGNORED section)
  7. Verify the Skip users during import option remains cleared under Provisioning > To Okta.
    (Screenshot: Skip users during import)
  8. Verify no trailing whitespace exists before or after the user's email address in AD. See Cannot Confirm or Import Active Directory User in Okta Due to Email Format for details.
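The AD-side checks in the steps above (required attributes, account state, isCriticalSystemObject, email whitespace, OU scope) can be run in one pass before re-running the import. The script below is an added example, not part of the Okta article; it assumes the RSAT ActiveDirectory module, read access to the domain, the default Okta profile mappings (givenName, sn, userPrincipalName), and that the list of OUs selected for import is supplied by the caller.

```powershell
# Added example: pre-check an AD user against the conditions the article lists.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-OktaImportReadiness {
    param(
        [Parameter(Mandatory)][string]$Identity,  # sAMAccountName, UPN, DN or SID
        [string[]]$ImportedOUs = @()              # DNs of the OUs selected for import in Okta (caller-supplied assumption)
    )
    $props = 'GivenName','Surname','UserPrincipalName','mail','Enabled',
             'LockedOut','isCriticalSystemObject','DistinguishedName'
    $user = Get-ADUser -Identity $Identity -Properties $props
    $findings = @()

    # Required attributes under the default mappings: First Name, Last Name, UPN
    foreach ($attr in 'GivenName','Surname','UserPrincipalName') {
        if ([string]::IsNullOrWhiteSpace($user.$attr)) {
            $findings += "Missing required attribute: $attr"
        }
    }
    # Account must be enabled and not locked out
    if (-not $user.Enabled) { $findings += 'Account is disabled' }
    if ($user.LockedOut)    { $findings += 'Account is locked out' }
    # isCriticalSystemObject must not be TRUE
    if ($user.isCriticalSystemObject -eq $true) { $findings += 'isCriticalSystemObject is TRUE' }
    # A blank mail is acceptable (Okta falls back to the UPN), but surrounding whitespace is not
    if ($user.mail -and $user.mail -ne $user.mail.Trim()) {
        $findings += "mail has leading/trailing whitespace: '$($user.mail)'"
    }
    # OU scope: the user's parent container must sit under one of the selected OUs
    # (a child OU of a selected OU is treated as in scope; assumption, verify against your Okta config)
    if ($ImportedOUs.Count -gt 0) {
        $parentDn = ($user.DistinguishedName -split ',(?=(?:OU|CN|DC)=)', 2)[1]
        $inScope  = $ImportedOUs | Where-Object { $parentDn -like "*$_" }
        if (-not $inScope) { $findings += "Container '$parentDn' is not among the OUs selected for import" }
    }
    [pscustomobject]@{
        User     = $user.SamAccountName
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (placeholder identity and OU):
# Test-OktaImportReadiness -Identity jdoe -ImportedOUs 'OU=Staff,DC=example,DC=com'
```

A user that passes every check here but still does not appear in the Import tab points at the Okta-side settings (profile mappings, the IGNORE section, Skip users during import) rather than at the AD object.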