When importing users from Active Directory (AD) into Okta, some newly imported AD users show the following error message on the Active Directory Import tab:
This choice creates a conflict
- Active Directory
- Provisioning
- Okta Expression Language
- Profile Editor
- Universal Directory
- Okta Classic Engine
To resolve this issue, review the custom expression used for the Okta Username Format and ensure that it follows the format specified in the Okta Expression Language documentation.
For example, if the expression is set to active_directory.samAccountName, the mapping preview shows the correct value for users already imported into Okta from AD, but new users being imported from AD get stuck on the Import tab with a conflict error. To avoid this, use the following expression instead: appuser.samAccountName+"@test.com".
This occurs because active_directory.samAccountName is the variable name for the SAM Account Name attribute. This format is used to access the application user profile attribute. New users are still waiting to be confirmed and are not yet created in Okta, so their AD app profile is not yet accessible in Okta, which results in the error. Existing users are already created in Okta and have an AD app profile, so they do not receive the error. More details on these attributes can be found in Application User Profile.
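As an added example (not Okta's code and not part of the original article), the following Python check finds references that use the application variable name in a username-format expression and rewrites them to appuser, leaving quoted string literals untouched. It assumes the variable name active_directory from the example above; the function names and sample expressions are constructed for illustration.

```python
import re

# Assumption: "active_directory" is the app variable name, as in the article's example.
APP_VARIABLE = "active_directory"

# Double- or single-quoted string literals; their contents must not be inspected.
_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')


def _split(expression):
    """Yield (is_literal, text) chunks covering the whole expression in order."""
    pos = 0
    for m in _LITERAL.finditer(expression):
        if m.start() > pos:
            yield False, expression[pos:m.start()]
        yield True, m.group(0)
        pos = m.end()
    if pos < len(expression):
        yield False, expression[pos:]


def _ref_pattern(app_variable):
    # <app_variable>.<attribute>, not preceded by an identifier character or a dot
    return re.compile(r'(?<![\w.])' + re.escape(app_variable) + r'\.([A-Za-z_]\w*)')


def find_app_variable_refs(expression, app_variable=APP_VARIABLE):
    """Return attribute names referenced through the app variable name."""
    pattern = _ref_pattern(app_variable)
    return [attr for is_lit, text in _split(expression) if not is_lit
            for attr in pattern.findall(text)]


def rewrite_to_appuser(expression, app_variable=APP_VARIABLE):
    """Replace <app_variable>.<attr> with appuser.<attr> outside string literals."""
    pattern = _ref_pattern(app_variable)
    return "".join(text if is_lit else pattern.sub(r'appuser.\1', text)
                   for is_lit, text in _split(expression))


if __name__ == "__main__":
    samples = [  # constructed sample expressions
        'active_directory.samAccountName',
        'appuser.samAccountName+"@test.com"',
        'active_directory.samAccountName + "@active_directory.example"',
    ]
    for expr in samples:
        print(expr, find_app_variable_refs(expr), rewrite_to_appuser(expr), sep=" | ")
```

The rewrite only changes the reference prefix; any domain suffix, such as the "@test.com" in the corrected expression above, still has to be appended to match the required username format.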
The error occurs when a conflicting AppUser ID exists within the import data, preventing the system from correctly identifying the user profile. To resolve the conflict, clear the unconfirmed users, perform a full import, and then re-match the user.
- In the Admin Console, go to Directory > Directory Integrations > Active Directory.
- Select the Import tab.
- Click Clear Unconfirmed Users. NOTE: This action removes all unconfirmed users from the import list.
- Click Clear import results.
- Perform a full import.
- Match the user.
