<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Configuring Okta to Deprovision Active Directory Users
Mar 13, 2026
Directories
Okta Classic Engine
Okta Identity Engine
Overview
This article explains the settings required for Okta to deprovision an Active Directory (AD) user when the linked Okta account is deactivated.
Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Provisioning
Solution

How to deprovision a user from Active Directory when the user is deactivated in Okta?

Follow the video or the steps below to configure the Active Directory integration to deprovision users automatically.

  1. Ensure the Active Directory service account used for the Okta AD Agent has sufficient permissions to deactivate Active Directory users. See About Okta service account permissions for more information.
  2. Open the Directory integration in Okta.
  3. Select the Provisioning tab and navigate to To App.
  4. Select Edit at the top of the Settings section.
  5. Select the checkbox next to Deactivate Users and select Save.

Provisioning

Okta disables their Active Directory accounts when their Okta account is deactivated.

Recommended content

Still looking for help?
Loading
Configuring Okta to Deprovision Active Directory Users