Active Directory (AD) integrations in Okta do not map the distinguishedName and objectGUID attributes by default under the To App provisioning settings. While these attributes are visible in the schema, they are managed directly by the directory service rather than through manual attribute mapping.
The following message appears in the directory provisioning settings:
One or more required attributes are not mapped. To prevent provisioning failures, scroll down to <domain name> Attribute Mappings and set mappings for the attributes that are marked with a warning icon.
- Directories
- Active Directory (AD)
- Provisioning
- Okta Identity Engine (OIE)
- Okta Classic Engine
Why are certain Active Directory attributes not mapped by default?
These mappings are not required for a functional AD integration. Mapping these fields from Okta to AD is either unnecessary or restricted by the directory service.
DistinguishedName Attribute
Mapping the distinguishedName attribute from Okta to AD is not required for successful provisioning. When Okta pushes a user to AD, the directory service generates the attribute value itself, based on the Organizational Unit (OU) defined in the Okta Provisioning Group settings.
ObjectGUID Attribute
Mapping the objectGUID attribute is not possible because it is a read-only attribute within AD. The directory service generates and writes a unique value for this attribute when the object is created. Because this field cannot be modified by external applications during the provisioning process, any warnings regarding the lack of mapping for objectGUID can be safely ignored.
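The following PowerShell check is an added example, not part of this article or of Okta's tooling. It confirms from the AD side why these two attributes are safe to leave unmapped (the schema marks them systemOnly, so no LDAP client can write them) and then spot-checks one pushed user to verify that both values were populated and that the DN landed under the Provisioning Group OU. It assumes the ActiveDirectory RSAT module on a domain-joined host; the OU and sAMAccountName are placeholders.

```powershell
# Added example (not from the Okta article): verify on the AD side that the
# unmapped distinguishedName / objectGUID warnings are benign.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$ProvisioningOU = 'OU=OktaProvisioned,DC=example,DC=com'   # placeholder: OU set on the Okta Provisioning Group
$PushedUser     = 'jdoe'                                    # placeholder: a user Okta pushed to AD

# 1. Read the schema definitions. systemOnly = TRUE means the domain controller
#    owns the value; an LDAP client (the Okta AD agent included) cannot write it,
#    so there is nothing for an Okta-to-AD mapping to do.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'objectGUID', 'distinguishedName') {
    $def = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" `
                        -Properties lDAPDisplayName, systemOnly
    [pscustomobject]@{
        Attribute  = $def.lDAPDisplayName
        SystemOnly = $def.systemOnly
    }
}

# 2. Spot-check a pushed user: both attributes should be populated even though
#    neither is mapped in Okta, and the DN should sit under the provisioning OU.
$user = Get-ADUser -Identity $PushedUser -Properties objectGUID, distinguishedName

$checks = [ordered]@{
    'objectGUID populated'     = ($null -ne $user.ObjectGUID)
    'DN populated'             = -not [string]::IsNullOrEmpty($user.DistinguishedName)
    'DN under provisioning OU' = ($user.DistinguishedName -like "*,$ProvisioningOU")
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

A user whose DN is not under the expected OU points at the Provisioning Group's OU setting in Okta, not at the attribute mapping warning.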
