Add Active Directory Account Expiration Attribute to Okta and Convert to Date Format
Overview

The Active Directory (AD) attribute accountExpires represents the number of 100-nanosecond intervals since January 1, 1601. A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates the account never expires.

 

Add the accountExpires attribute to the AD schema in Okta and map it to the Okta user profile in a date format to view this information directly within the profile.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Lifecycle Management
  • Active Directory (AD)
  • Profile Editor
Solution

How is the Active Directory account expiration attribute added and converted to a date format in Okta?

 

Add the attribute to the AD schema in Okta, run a manual import, and map the attribute using an expression to convert the value into a date format.

 

 

  1. In the Okta Admin Console, navigate to Directory > Profile Editor > Directories and select the appropriate AD integration.
  2. Select the + Add Attribute button.
  3. Select the box next to accountExpires and click Save.
  4. Run a manual import to populate the attribute in the AD profile in Okta.
  5. Confirm that the value for the attribute on an expected user displays in the Okta profile under Additional Active Directory Attributes.
  6. Navigate to Directory > Profile Editor > Directories, locate the correct directory, and select Mappings.
  7. Search for the accountExpires attribute under the Directory to Okta mappings.
  8. Map the following expression to the desired attribute in Okta. If necessary, create a custom attribute for this purpose by following the instructions outlined in the Create a New Custom Attribute for an Okta User Profile documentation:
appuser.accountExpires != '9223372036854775807' ? Time.fromIso8601ToString(Time.fromWindowsToIso8601(appuser.accountExpires),"dd-MM-YYYY") : ""
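
To cross-check what the mapping should show for a raw accountExpires value seen in the AD profile, the conversion can be reproduced outside Okta. The Python below is an added example, not Okta's code or part of the original article; it treats both never-expires values from the Overview as empty (the mapping expression tests only 9223372036854775807). Its function names, UTC rendering and sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# accountExpires counts 100-nanosecond intervals since 1601-01-01 (UTC assumed here).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "never expires" per the Overview.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(raw):
    """Return the expiry as a UTC datetime, or None if the account never expires."""
    value = int(str(raw).strip())
    if value in NEVER_EXPIRES:
        return None
    if value < 0:
        raise ValueError(f"negative accountExpires value: {value}")
    try:
        # 10 intervals of 100 ns = 1 microsecond, the finest unit datetime keeps.
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError as exc:
        raise ValueError(f"accountExpires out of range: {value}") from exc


def format_like_mapping(raw):
    """Mimic the mapping's output shape: dd-MM-YYYY, or "" when there is no expiry."""
    expiry = account_expires_to_datetime(raw)
    return "" if expiry is None else expiry.strftime("%d-%m-%Y")


def is_expired(raw, now=None):
    """True when an expiry is set and it is at or before `now` (UTC)."""
    expiry = account_expires_to_datetime(raw)
    now = now or datetime.now(timezone.utc)
    return expiry is not None and expiry <= now


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in ("133801632000000000", "9223372036854775807", "0"):
        print(sample, "->", repr(format_like_mapping(sample)), is_expired(sample))
```
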
 
