Comparison of Full and Incremental Imports for Okta Active Directory Integrations
Overview

Okta uses two distinct methods to synchronize data from Active Directory (AD): Incremental Imports and Full Imports. While Incremental Imports optimize performance by targeting only modified objects, Full Imports provide a comprehensive reconciliation of the directory to ensure data integrity for deletions and complex attribute changes.

Applies To
  • Active Directory (AD)
  • Incremental imports
  • Domain Controller (DC) Affinity
  • Incremental converted to full
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Solution

How do incremental and full imports differ in Okta?

The primary difference between import types is the scope of objects scanned and the mechanism used to identify changes.

Incremental Import Mechanism

Scheduled AD imports run as incremental imports by default. During this process, the Okta AD Agent sends a Lightweight Directory Access Protocol (LDAP) query to the Domain Controller (DC) to identify specific changes.

The query appears similar to the following: (&(&(objectClass=user))(uSNChanged>=X)(uSNChanged<=Y))

  • X (First Number): The highest uSNChanged value recorded on that specific DC at the start of the previous import.

  • Y (Second Number): The highest uSNChanged value on that same DC when the current import begins.

The uSNChanged attribute is maintained per object by the DC that holds it. The DC advances the value each time an attribute stored directly on the object is modified. If an object's uSNChanged value falls between X and Y (inclusive), the incremental import treats the object as updated and Okta syncs the changes.

NOTE: uSNChanged values are not replicated between Domain Controllers; each DC assigns its own. If a scheduled import runs against a different DC than the one used for the last incremental import, the stored X value cannot be compared with that DC's uSNChanged values, so the import is converted to a full import.

Incremental Import Characteristics

An incremental import is designed for maximum efficiency during routine synchronization tasks.

  • It processes only users and groups created or modified since the previous import.

  • It leverages the uSNChanged attribute to quickly identify specific changes rather than scanning the entire directory.

  • It significantly improves performance by focusing solely on new or altered data.

Full Import Characteristics

A full import performs a comprehensive scan of the environment.

  • It processes all new and existing users and groups within the configured Active Directory integration scope.

  • It is more resource-intensive than an incremental import but is essential for the initial setup and integration of Active Directory with Okta.

  • It provides the only reliable way to detect certain types of changes that do not trigger a uSNChanged update.

Critical Scenarios for Full Imports

Certain directory changes are not captured by incremental imports because they do not modify the uSNChanged value. A full import is required for the following scenarios:

  • Constructed Attributes: Attributes that Active Directory calculates at the time of access (e.g., certain group memberships) rather than storing directly on the object, so changing them does not advance uSNChanged.

  • Deletions: The complete removal of a user or group from Active Directory is only detected during a full import, because a deleted object no longer appears in the incremental query results.

  • Organizational Unit (OU) Moves: Moving an object to an OU that falls outside the import scope configured in Okta.

For further technical details regarding attribute synchronization limitations, refer to the article: Incremental Imports Do Not Sync Some Active Directory Attributes.
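To illustrate the mechanism above and the deletion caveat, here is an added Python example that is not Okta's code: it builds the incremental filter in the shape quoted above, applies the DC-affinity rule from the NOTE, and shows why a deleted object never appears in an incremental result. All account names, uSN values and the `plan_import`/`full_reconcile` helpers are constructed assumptions, not Okta agent internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DcSnapshot:
    name: str                      # DC identity; uSNChanged is per-DC, never replicated
    highest_usn: int               # highest uSNChanged on this DC when the import starts
    objects: Dict[str, int] = field(default_factory=dict)  # sAMAccountName -> uSNChanged

def incremental_filter(x: int, y: int) -> str:
    """LDAP filter in the shape the article quotes for an incremental import."""
    return f"(&(&(objectClass=user))(uSNChanged>={x})(uSNChanged<={y}))"

def plan_import(last_dc: Optional[str], last_usn: Optional[int], dc: DcSnapshot) -> str:
    """DC-affinity check (assumed logic): a different DC, or no history, forces a full import."""
    if last_dc is None or last_usn is None or last_dc != dc.name:
        return "full"
    return "incremental"

def incremental_changes(x: int, y: int, dc: DcSnapshot) -> List[str]:
    """Objects the filter would return: uSNChanged within [X, Y] on this DC."""
    return sorted(name for name, usn in dc.objects.items() if x <= usn <= y)

def full_reconcile(known: List[str], dc: DcSnapshot) -> Dict[str, List[str]]:
    """Full import (assumed logic): compare the complete DC object set with what Okta knows."""
    present = set(dc.objects)
    return {"deleted": sorted(set(known) - present), "new": sorted(present - set(known))}

# Constructed data: the previous incremental import ran against dc01 with high-water mark 5000.
PREVIOUS_DC, PREVIOUS_USN = "dc01", 5000
DC01 = DcSnapshot("dc01", 5200, {"alice": 4990, "bob": 5100, "carol": 5150})  # dave was deleted
DC02 = DcSnapshot("dc02", 9100, {"alice": 9010, "bob": 9050, "carol": 9075})  # same users, own USNs
KNOWN_IN_OKTA = ["alice", "bob", "dave"]

def demo() -> dict:
    """Run both import styles over the constructed snapshot and return the outcomes."""
    return {
        "mode_same_dc": plan_import(PREVIOUS_DC, PREVIOUS_USN, DC01),
        "mode_other_dc": plan_import(PREVIOUS_DC, PREVIOUS_USN, DC02),
        "filter": incremental_filter(PREVIOUS_USN, DC01.highest_usn),
        # ['bob', 'carol']: alice is unchanged and dave's deletion is invisible to the filter
        "incremental_changes": incremental_changes(PREVIOUS_USN, DC01.highest_usn, DC01),
        # deleted: ['dave'], new: ['carol']: only the full comparison surfaces the deletion
        "full_reconcile": full_reconcile(KNOWN_IN_OKTA, DC01),
    }

if __name__ == "__main__":
    print(demo())
```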
