Active Directory Imports with DirSync is Now EA in Okta
Overview

Active Directory Imports with DirSync is a new feature that improves the performance of Active Directory (AD) import operations. This feature leverages AD’s DirSync protocol, which provides partial user, group, and group membership updates, allowing Okta to know exactly what was changed in the AD environment.

During imports, AD Group membership can take a long time for Okta to process, as it needs to compare incoming data with existing data to determine which users were newly added to the group and which were removed. With Active Directory Imports via DirSync, Okta can now skip that computation and know exactly which users were added and removed, significantly boosting the speed at which group memberships are processed for larger groups.

Applies To
  • Early Access (EA) Features
  • Active Directory DirSync Feature
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD)
Solution

Active Directory DirSync can be enabled as a self-service feature in the Okta Admin Console under Settings > Features.


Enabling it requires an additional permission granted to the service account running the Okta AD Agent. See the "Permissions for imports with DirSync" section of the Okta service account permissions page for how to grant this permission. It must be granted to every service account that runs an Okta AD Agent.

Once the feature is enabled, a new setting labeled Imports with DirSync will appear in the AD integration settings under Provisioning > To Okta > General section.


When this setting is enabled, the next import will run as a full import. DirSync relies on a mechanism called a "DirSync cookie" that tracks changes in Active Directory (AD). A full import is therefore required to generate this cookie so that subsequent incremental imports can benefit from the performance enhancements. Once this initial full import is complete, every incremental import will see the performance improvements introduced by this feature.
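
A simplified model of the cookie mechanism described above, added here as an illustration; it is not Okta's or Active Directory's code. It assumes the cookie is a position in a change log (the real cookie is an opaque value), and `ToyDirectory`, `ToyImporter` and the sample group are constructed names.

```python
# Constructed model of cookie-based incremental sync; not AD's wire protocol.
# Assumption: the cookie is a change-log position (AD's real cookie is opaque).

def apply_change(members, group, user, op):
    """Apply one membership change to a {group: set(users)} map."""
    users = members.setdefault(group, set())
    if op == "add":
        users.add(user)
    else:
        users.discard(user)

class ToyDirectory:
    """Stands in for AD: current membership plus an ordered change log."""
    def __init__(self):
        self.members, self.log = {}, []

    def change(self, group, user, op):
        apply_change(self.members, group, user, op)
        self.log.append((group, user, op))

    def dirsync(self, cookie=None):
        """Return (changes, new_cookie); without a cookie, the full state."""
        if cookie is None:
            changes = [(g, u, "add") for g, us in self.members.items()
                       for u in sorted(us)]
        else:
            changes = self.log[cookie:]
        return changes, len(self.log)

class ToyImporter:
    """Stands in for the importing side: its own copy and the last cookie."""
    def __init__(self):
        self.members, self.cookie = {}, None

    def run_import(self, directory):
        changes, self.cookie = directory.dirsync(self.cookie)
        for group, user, op in changes:
            apply_change(self.members, group, user, op)
        return len(changes)  # entries processed by this import

def demo():
    ad, importer = ToyDirectory(), ToyImporter()
    for i in range(1000):
        ad.change("Sales", f"user{i}", "add")
    first = importer.run_import(ad)    # no cookie yet: full import
    ad.change("Sales", "user7", "remove")
    ad.change("Sales", "newhire", "add")
    second = importer.run_import(ad)   # cookie held: only the two changes
    return first, second, importer.members == ad.members
```

The first import has no cookie and processes all 1000 memberships; the second processes only the one removal and one addition and still ends with the same membership as the directory.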

To use this feature, all agents connected to the AD integration must be on version 3.20.0 or newer. Otherwise, with the setting enabled, the import will run using the previous mechanism, and the following error will appear as soon as the import starts:

 

An error occurred during import

The agent version does not support imports with DirSync. Upgrade to the minimum supported version to run imports.





To resolve this error, deactivate or update all AD agents that are not running 3.20.0 or later on the corresponding AD integration.

NOTE: All AD Agents must be on the same version. Otherwise, the above error will persist.
