Administrators installing the Okta AD Agent must understand the specific permission requirements for the agent service account to ensure successful deployment. Okta recommends adding the service account to the Domain Admins group to ensure the necessary permissions are assigned, but administrators may instead configure delegated permissions.
The Okta AD Agent service account can be created or selected during agent installation:
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD) Agent
- Service Account Permissions
Does the Okta Active Directory Agent service account require Domain Admin permissions?
The Active Directory service account used by the Okta AD Agent during installation does not require Domain Admin permissions.
Review the documentation in the Related References section to determine the specific, granular permissions required for the various tasks the Okta AD Agent executes.
NOTE: Okta Support cannot assist with the configuration of permissions within Active Directory. Contact Microsoft Support for assistance with configuring granular directory permissions.
