This article explains expected behavior when assigning an Okta user to Active Directory in the Staged or Pending User Action statuses.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Active Directory (AD)
- Provisioning Users
What is the expected behavior when assigning an Okta user to Active Directory in Staged or Pending User Action statuses?
Okta determines the user account status based on the activation and password configurations selected during user creation. Review the following expected behaviors for different configuration selections:
- Selecting Activate Later during user creation prompts Okta to assign the Staged status to the user account.
  - Okta retains the Staged status for the user when assigning the user to AD.
  - Okta creates the AD user as disabled with the userAccountControl value equal to 0x222 (ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT).
  - Activating the user in Okta also activates the user in AD. Depending on the configuration, Okta sets the AD account as PASSWORD_EXPIRED or pushes the Okta password to the AD user account.
- Selecting Activate Now during user creation prompts Okta to assign one of the following statuses to the user account:
  - Active: Okta assigns this status when the admin selects the I will set password option.
    - Okta provisions an active user in AD when assigning the Okta user to AD.
  - Pending User Action: Okta assigns this status when the admin does not set a password for the user.
    - Okta sends an activation email to the new user.
    - Okta provisions an active user in AD when assigning the Okta user to AD.
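The 0x222 value described above can be checked during an AD audit. The following is an added example, not Okta's code: it decodes userAccountControl, recognizes the staged state, and builds an LDAP filter for enabled accounts that still carry PASSWD_NOTREQD. The article does not say whether that flag is cleared on activation, so the "review" rule is an assumed general AD hygiene check, and the account names and function names are constructed for illustration.

```python
# Added example (not Okta code): audit userAccountControl values in AD.
# Flag values are the standard AD userAccountControl bits named in the article.
FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
}
# Value the article gives for an AD user created from a Staged Okta user.
STAGED_UAC = (FLAGS["ACCOUNTDISABLE"] | FLAGS["PASSWD_NOTREQD"]
              | FLAGS["NORMAL_ACCOUNT"])
# OID of the LDAP bitwise-AND matching rule supported by Active Directory.
BIT_AND = "1.2.840.113556.1.4.803"


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for name, bit in FLAGS.items() if uac & bit]


def classify(uac):
    """'staged' = the article's 0x222 state; 'review' = enabled account that
    still allows no password (assumed hygiene rule, not from the article)."""
    if uac == STAGED_UAC:
        return "staged"
    if uac & FLAGS["PASSWD_NOTREQD"] and not uac & FLAGS["ACCOUNTDISABLE"]:
        return "review"
    return "ok"


def review_filter():
    """LDAP filter for enabled user accounts with PASSWD_NOTREQD set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND}:={FLAGS['PASSWD_NOTREQD']})"
            f"(!(userAccountControl:{BIT_AND}:={FLAGS['ACCOUNTDISABLE']})))")


def audit(records):
    """Map each (name, uac) record to its classification."""
    return {name: classify(uac) for name, uac in records}


# Constructed sample records (sAMAccountName, userAccountControl).
SAMPLE = [("staged.user", 0x222), ("active.user", 0x200),
          ("leftover.flag", 0x220), ("disabled.user", 0x202)]

if __name__ == "__main__":
    for name, uac in SAMPLE:
        print(f"{name:15} {uac:#06x} {classify(uac):7} {decode(uac)}")
    print(review_filter())
```

The filter string can be passed to any LDAP query tool that accepts a raw filter, for example the `-LDAPFilter` parameter of `Get-ADUser`.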
