Okta Active Directory LDAP Filter Overview
Overview

The Okta Active Directory (AD) LDAP filter feature provides granular control over user and group imports by allowing customers to apply LDAP queries during import. This functionality enables administrators to define precise import scopes in large environments where standard Organizational Unit (OU) selection is insufficient.

This Early Access feature may be useful when:

  • Administrators require specific filtering beyond the OU level.

  • Large or complex AD deployments necessitate high-performance import queries.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory
  • Import Settings
  • AD LDAP Filter
Solution

How are Okta AD LDAP filters configured and tested?

The AD LDAP filter is a refinement of the OUs already selected in the AD integration configuration in Okta: it narrows the import within those selected OUs and cannot add objects from OUs that are not selected.

The AD LDAP Filter is an Early Access feature. Submit an Okta Support request to have this feature enabled. Once enabled, the feature will add new fields for User Filter and Group Filter within the directory integration settings where custom LDAP queries can be applied.

AD LDAP Filters shown in Okta Active Directory integration configuration

Misconfigured LDAP filters can lead to unintended user deprovisioning or application unassignment. If the filter incorrectly excludes valid users, Okta assumes those users no longer exist in the directory and may deactivate them.

Before applying a filter to a production environment, use the following steps to verify the LDAP query within the AD environment to prevent accidental deprovisioning:

  1. Open Active Directory Users and Computers.

  2. Right-click Saved Queries, select New, and then select Query.

  3. Enter a name for the query and select Define Query....

  4. In the Find field, select Custom Search, and then select the Advanced tab.

  5. Enter the LDAP query and select OK.

  6. Review the populated results to ensure all intended objects appear.

NOTE: Objects missing from this list will not be imported into Okta.

Implementation Considerations

Adhere to these guidelines to ensure import reliability:

  • Incremental Imports: If a filter relies on the memberOf attribute, incremental imports might fail to detect changes because group membership updates do not modify the uSNChanged value of a user.

  • Multi-Domain Environments: The memberOf attribute can be unreliable when accessed via the Global Catalog in multi-domain setups.

  • Native Attributes: Filter using attributes native to the user object that remain available in the Global Catalog for the best results.

NOTE: Okta Support does not provide assistance with the design or troubleshooting of custom LDAP queries.
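The following PowerShell dry run is an added example, not code from this article or from Okta. It scripts the same check as the Saved Query procedure above and follows the native-attribute guidance: it compares the unfiltered user set in the selected OUs against what a candidate filter returns, so the accounts that would drop out of imports (and therefore risk deactivation) are visible before the filter is enabled. The OU distinguished names and the filter are placeholders; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host.

```powershell
# Added example (not from the Okta article). Dry-run a candidate Okta AD LDAP user
# filter against the OUs already selected in the Okta AD integration and list the
# accounts the filter would exclude from import.
Import-Module ActiveDirectory

# OUs selected in the Okta AD integration (placeholder DNs; substitute your own).
$SelectedOUs = @(
    'OU=Staff,DC=example,DC=com',
    'OU=Contractors,DC=example,DC=com'
)

# Candidate filter built only from attributes native to the user object, which
# remain available in the Global Catalog (preferred over memberOf, see above).
# The userAccountControl bitwise match (OID 1.2.840.113556.1.4.803, bit 2)
# excludes disabled accounts.
$CandidateFilter = '(&(objectCategory=person)(objectClass=user)(department=Engineering)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Baseline: every user object Okta would see in the selected OUs with no filter.
$Baseline = foreach ($ou in $SelectedOUs) {
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -SearchBase $ou -SearchScope Subtree
}

# Filtered: the users the candidate filter would actually import.
$Filtered = foreach ($ou in $SelectedOUs) {
    Get-ADUser -LDAPFilter $CandidateFilter -SearchBase $ou -SearchScope Subtree
}

$FilteredDNs = @($Filtered | Select-Object -ExpandProperty DistinguishedName)
$Excluded    = @($Baseline | Where-Object { $FilteredDNs -notcontains $_.DistinguishedName })

"Users in selected OUs (no filter) : $(@($Baseline).Count)"
"Users matched by candidate filter : $($FilteredDNs.Count)"
"Users the filter would exclude    : $($Excluded.Count)"

# Review every account below before enabling the filter in Okta: each one would
# stop appearing in imports, and Okta may treat it as removed from the directory.
$Excluded |
    Select-Object SamAccountName, Enabled, DistinguishedName |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize
```

Run it as a read-only check from the same domain the Okta AD agent serves; any account in the excluded list that is currently active in Okta needs to be either covered by the filter or knowingly accepted as deprovisioned.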
