How to Map the Manager Email/UPN from AD without the getManagerUser() Function
Overview

This article explains why the getManagerUser() function does not work in an Okta environment with multiple integrated AD domains and provides alternatives that allow manager information to update automatically.

Applies To
  • Active Directory (AD)
  • Universal Directory
Cause

In orgs with more than one Active Directory (AD) domain integration, the default getManagerUser() function does not work. In addition, getManagerUser() does not trigger a user profile update when the AD manager attribute changes. Both limitations are documented in the Okta Expression Language developer documentation.


Instead, use a custom expression that parses the distinguishedName format of the AD "manager" attribute. There are numerous ways to do this, depending on the naming conventions used in the AD domain. Below are several examples.

Solution

NOTE: All of the following examples use the email format of firstName.lastName@domain.com. If email formatting differs from this, the expression must be modified to reflect the proper format.


If the CN portion of the manager distinguishedName uses the format "firstName lastName" (for example, CN=John Doe, OU=...):

String.toLowerCase(String.substringAfter(String.substringBefore(appuser.managerDn, " "), "CN=") + "." + String.substringAfter(String.substringBefore(appuser.managerDn, ",OU"), " ")) + "@domain.com"


If the CN portion uses the format "lastName, firstName" (for example, CN=Doe\, John,OU=...), the expression is modified to swap the first and last name and to skip the backslash that escapes the comma inside the CN:

String.toLowerCase(String.substringBefore(String.substringAfter(appuser.managerDn, "\, "), ",") + "." + String.substringBefore(String.substringAfter(appuser.managerDn, "CN="), "\, ")) + "@domain.com"


If the CN portion includes a middle name or a middle initial, the expression would be made to omit it:

String.toLowerCase(String.join(".",String.substringBefore(String.substringBefore(String.substringAfter(appuser.managerDn, "="), ",")," "),String.stringContains(String.substringAfter(String.substringBefore(String.substringAfter(appuser.managerDn, "="), ",")," ")," ") ? String.substringAfter(String.substringAfter(String.substringBefore(String.substringAfter(appuser.managerDn, "="), ",")," ")," ") : String.substringAfter(String.substringBefore(String.substringAfter(appuser.managerDn, "="), ",")," ")))  + "@domain.com"
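As an added check that is not part of this article and not Okta's own code: the Python below derives the manager address from a manager DN the same way the three expressions above do (first/last, "last, first" with the escaped comma, and first/middle/last), using a DN walker that honours the backslash escape so an escaped comma inside the CN is not mistaken for the separator before the next RDN. It then compares each derived address against the mail values that actually exist in the directory, because the mapping derives an address rather than looking one up, and a manager whose mailbox does not follow the naming convention would otherwise get a wrong value silently. The DNs, the mail list and domain.com are constructed samples.

```python
# Added check (not from the Okta article): derive the manager address from the
# AD manager DN the way the mapping expressions do, then compare the result
# with the mail values actually present in the directory before the mapping
# is enabled. All DNs and addresses below are constructed samples.

# Constructed manager DNs, one per CN layout covered in the article.
SAMPLE_DNS = {
    "first_last":        "CN=John Doe,OU=Staff,DC=example,DC=com",
    "last_first":        "CN=Doe\\, John,OU=Staff,DC=example,DC=com",
    "first_middle_last": "CN=John Q Doe,OU=Staff,DC=example,DC=com",
}

# Constructed set of mail attribute values that "exist" in the directory.
KNOWN_MAIL = {"john.doe@domain.com", "jane.roe@domain.com"}


def first_rdn_value(dn):
    """Return the unescaped value of the leading RDN, which must be CN=.

    The DN is walked character by character so that a backslash-escaped
    comma inside the value (CN=Doe\\, John) is kept as part of the name
    instead of being treated as the separator before the next RDN.
    """
    if "=" not in dn:
        raise ValueError("not a distinguished name: %r" % dn)
    attr, rest = dn.split("=", 1)
    if attr.strip().upper() != "CN":
        raise ValueError("leading RDN is %s, expected CN" % attr.strip())
    value = []
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            value.append(rest[i + 1])   # escaped character: keep it literally
            i += 2
            continue
        if ch == ",":                   # unescaped comma ends the RDN
            break
        value.append(ch)
        i += 1
    return "".join(value).strip()


def name_parts(cn, layout):
    """Split a CN into (first, last) for one of the article's three layouts."""
    if layout == "last_first":
        if "," not in cn:
            raise ValueError("expected 'Last, First' but got %r" % cn)
        last, first = (p.strip() for p in cn.split(",", 1))
        return first, last
    words = cn.split()
    if len(words) < 2:
        raise ValueError("cannot split %r into first and last name" % cn)
    # "first_last" and "first_middle_last": anything between the first and
    # last word (a middle name or initial) is dropped, as in the article.
    return words[0], words[-1]


def manager_email(dn, layout, domain="domain.com"):
    """firstName.lastName@domain, lower-cased, derived from the manager DN."""
    first, last = name_parts(first_rdn_value(dn), layout)
    return "%s.%s@%s" % (first.lower(), last.lower(), domain)


def find_unresolvable(dns_by_layout, known_mail, domain="domain.com"):
    """Return (dn, derived) pairs whose derived address is not in the directory.

    Flags managers whose real mailbox does not follow the naming convention,
    so the mapping can be fixed before it is saved rather than after users
    start receiving a wrong managerEmail.
    """
    bad = []
    for layout, dn in dns_by_layout.items():
        derived = manager_email(dn, layout, domain)
        if derived not in known_mail:
            bad.append((dn, derived))
    return bad


if __name__ == "__main__":
    for layout, dn in SAMPLE_DNS.items():
        print("%-18s %s -> %s" % (layout, dn, manager_email(dn, layout)))
    # A manager whose CN uses a full first name while the mailbox uses "john"
    odd = {"first_last": "CN=Jonathan Doe,OU=Staff,DC=example,DC=com"}
    print("unresolvable:", find_unresolvable(odd, KNOWN_MAIL))
```

Run it against an export of real manager DNs and mail values (with the CN layout and domain substituted) before saving the mapping; any DN listed as unresolvable needs either a different expression or a correction in AD.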


Update the Attribute Mapping

  1. Go to Directory > Profile Editor > select the Active Directory domain.
  2. Click Mappings; the "[AD domain] to Okta User" direction is shown by default.
  3. Enter the chosen expression for the user.managerEmail attribute.
  4. Click Save Mappings.

Related References
