When users assigned to Office 365 exist in two Active Directory (AD) instances in Okta, the default expression used in the Office 365 mappings to bring over the Immutable ID no longer applies, because it does not specify which AD instance to read it from.
This results in a provisioning error for Office 365:
User is assigned to more than one instance of Active Directory, could not set Immutable ID
- Active Directory (AD)
- Office 365
The default expression provided in the mappings cannot handle users present in multiple AD instances.
Once the desired AD instance has been identified (the one whose Immutable ID should be used for all assigned users), go to the Okta Admin Dashboard > Directory > Profile Editor > Directories and note down the variable name of that directory.
Once the variable name of the desired AD instance has been gathered, use the following expression, which checks the externalId attribute of each AD instance and uses the first one that is populated:
String.len(active_directory.externalId) > 0 ? active_directory.externalId : String.len(active_directory_gfuif63.externalId) > 0 ? active_directory_gfuif63.externalId : String.len(active_directory_9gce877.externalId) > 0 ? active_directory_9gce877.externalId : null
- Where active_directory is the variable name of the desired directory noted down in Step 1.
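As an added illustration (not from the original article and not Okta's own code), the following Python models how the expression above is evaluated, including the case of a user present in more than one instance, and generates the same chain for any ordered list of directory variable names; the logins, profile data and GUID-like values are constructed placeholders.

```python
# Constructed model of the Okta mapping expression; not Okta's implementation.
from typing import Dict, List, Optional

# Directory variable names in the order they appear in the expression.
INSTANCES = ["active_directory", "active_directory_gfuif63", "active_directory_9gce877"]

def build_expression(instances: List[str]) -> str:
    """Generate the nested-ternary chain for an ordered list of AD directory
    variable names: the first instance with a populated externalId wins."""
    parts = [f"String.len({n}.externalId) > 0 ? {n}.externalId : " for n in instances]
    return "".join(parts) + "null"

def string_len(value: Optional[str]) -> int:
    """Assumed approximation of Okta's String.len: an unset attribute counts as empty."""
    return len(value) if value else 0

def immutable_id(profile: Dict[str, Dict[str, Optional[str]]],
                 instances: List[str] = INSTANCES) -> Optional[str]:
    """Evaluate the chain: walk the instances in expression order and return
    the first non-empty externalId, or None (Okta's null) if none is set."""
    for name in instances:
        ext = profile.get(name, {}).get("externalId")
        if string_len(ext) > 0:
            return ext
    return None

def users_without_immutable_id(users, instances=INSTANCES) -> List[str]:
    """Pre-provisioning check: logins for which the chain evaluates to null,
    so the mapping would supply no Immutable ID for them."""
    return [login for login, profile in users.items()
            if immutable_id(profile, instances) is None]

# Constructed sample profiles (placeholder values, not real objectGUIDs).
SAMPLE_USERS = {
    "alice@example.com": {"active_directory": {"externalId": "ad1-guid-alice"}},
    "bob@example.com": {"active_directory_9gce877": {"externalId": "ad3-guid-bob"}},
    # Present in two instances: the instance listed first in the chain takes precedence.
    "carol@example.com": {"active_directory": {"externalId": "ad1-guid-carol"},
                          "active_directory_gfuif63": {"externalId": "ad2-guid-carol"}},
    # An empty string and a missing attribute both count as unpopulated.
    "dave@example.com": {"active_directory": {"externalId": ""},
                         "active_directory_gfuif63": {}},
}

if __name__ == "__main__":
    print(build_expression(INSTANCES))
    for login, profile in SAMPLE_USERS.items():
        print(login, "->", immutable_id(profile))
    print("no Immutable ID from mapping:", users_without_immutable_id(SAMPLE_USERS))
```

Reordering INSTANCES changes which directory wins for users present in several of them, which is the decision the article asks you to make in Step 1.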
Users will be provisioned into Office 365 with the Immutable ID value captured from the specified AD instance.
