Active Directory User Matching Fails With "Invalid Credentials" API Error in Okta
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Overview

During the Active Directory (AD) import process, an invalid credentials error occurs when attempting to import or confirm a user assignment. When this error occurs, the import completes, but the user matching job fails. An orphaned Group Push mapping on an application that no longer has provisioning enabled causes this issue. Resolve this issue by temporarily enabling provisioning with a valid API key to remove the orphaned mappings, or by temporarily removing the user from the affected AD group.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD) Import
  • Group Push
  • Provisioning
Cause

An orphaned Group Push mapping on an application that no longer has provisioning enabled causes this issue. Specifically, an application has provisioning disabled and contains a stale API token, but still has active Group Push mappings configured. When the AD import attempts to match and activate a user who is a member of the pushed group, the Okta user activation process triggers the group push mapping to update. Because the application has provisioning disabled and its credentials are stale, the push fails. Okta requires all provisioning subjobs to complete successfully for user activation, so the entire user matching and activation process fails.
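
The failure condition described above, written as a pre-import check. This is an added example, not Okta's code: the inventory layout, the `App` record and all app, group and user names are assumptions, built by hand from what the Admin Console and AD show rather than from any Okta API schema.

```python
from dataclasses import dataclass, field


@dataclass
class App:
    # Hypothetical inventory record, filled in by hand from the Admin Console.
    name: str
    provisioning_enabled: bool
    pushed_groups: set = field(default_factory=set)  # groups with active Group Push mappings


def orphaned_mappings(apps):
    """Return {group: [app names]} for push mappings left on apps with provisioning disabled."""
    orphaned = {}
    for app in apps:
        if app.provisioning_enabled:
            continue  # the push subjob can run with the app's current credentials
        for group in sorted(app.pushed_groups):
            orphaned.setdefault(group, []).append(app.name)
    return orphaned


def blocked_users(pending_users, ad_membership, orphaned):
    """Return {user: [groups]} for pending import users whose activation would
    trigger a push through an orphaned mapping, which is the subjob that fails."""
    blocked = {}
    for user in pending_users:
        hits = sorted(orphaned.keys() & set(ad_membership.get(user, ())))
        if hits:
            blocked[user] = hits
    return blocked


# Constructed sample data; every name is a placeholder.
APPS = [
    App("legacy-crm", provisioning_enabled=False, pushed_groups={"Sales", "Support"}),
    App("hr-suite", provisioning_enabled=True, pushed_groups={"Staff"}),
    App("old-wiki", provisioning_enabled=False),  # disabled, but no mappings left behind
]
AD_MEMBERSHIP = {"alice": ["Sales", "Staff"], "bob": ["Staff"], "carol": ["Support"]}

if __name__ == "__main__":
    orphaned = orphaned_mappings(APPS)
    print("orphaned mappings:", orphaned)
    print("matching would fail for:",
          blocked_users(["alice", "bob", "carol"], AD_MEMBERSHIP, orphaned))
```

Users reported by `blocked_users` are the ones to expect the "Invalid Credentials" error for until the mappings listed by `orphaned_mappings` are removed.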

Solution

How does an administrator remove orphaned Group Push mappings to resolve the "Invalid Credentials" error?

Temporarily enable provisioning and delete the orphaned Group Push mappings. This prevents future import failures for any users in those groups.

  1. Add a valid API key to the affected application.
  2. Temporarily enable provisioning for the application.
  3. Remove all Group Push mappings from the Okta Admin Console.
  4. Deactivate provisioning for the application once the mappings clear.

What is the workaround if an API key is unavailable?

Bypass the error without an API key by temporarily removing the user from the affected AD group during the import process.

  1. Remove the affected user from the AD group that contains the push group mapping.
  2. Run the import and successfully match and create the user.
  3. Add the user back to the AD group.

How do administrators prevent future orphaned Group Push mapping errors?

Always remove any Group Push mappings from an application before deactivating the provisioning settings.

Resolve an Okta Active Directory import invalid credentials error by removing orphaned Group Push mappings or temporarily removing the user from the group.
