This article explains the consequences of revoking the Super Administrator role from the Okta Account used to install the Okta Active Directory (AD) Agent.
NOTE: This article applies only to AD agent versions 3.17 and earlier.
- Directories
- Okta AD Agent v3.17 and earlier
- Super Administrator role
- Okta Identity Engine (OIE)
- Okta Classic Engine
NOTE: Starting with version 3.18.0, the AD agent operates independently of any Okta account. This ensures that the Okta AD integration continues to work as expected, regardless of the account status used to register the agent. More information regarding the changes to agent operation can be found in the Related References section below.
The Okta AD Agent requires an Okta Super Administrator account to log into Okta during installation. In agent versions 3.17 and earlier, this creates an API token that the agent uses to communicate with Okta.
If the Okta Account used to generate the API key during the installation of the Okta AD Agent loses Super Administrator rights, Okta will not be able to connect to the AD agent.
- The API token will remain active, and if Super Administrator rights are granted back to the service account, Okta can reconnect with the AD Agent.
- If the user is deactivated in Okta, the token cannot be reinstated, and the agent must be reinstalled to use a different Okta Service account.
- Changing the password for the Okta Administrator account that was used to generate the API token will not affect the token's functionality.
