Create Custom Roles and Resource Sets for Okta Active Directory Integrations
Overview

Connecting Okta Active Directory (AD) Agents to Okta requires specific permissions to avoid activation failures. Creating a custom role and resource set provides the necessary privileges without assigning Super Administrator rights. Without these permissions, Okta may generate the following errors during the AD Agent configuration:

 

  • Device not activated
  • Your device cannot be activated because of an internal error
  • Failed to poll for a registration token: User is not assigned to the client application

 


Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD) Agent
  • Okta Administrator Roles
  • Okta Administrator Resource Set
Cause

Connecting an Okta AD Agent previously required Super Administrator permissions. Recent updates to administrator roles and resource sets allow this configuration using limited permissions. Errors occur when the administrator account lacks the specific custom role and resource set required to register and manage the AD Agent.

Solution

How does an administrator create custom roles and resource sets for Active Directory integrations?

Follow these steps to create a custom role and resource set for the administrator account:

  1. In the Okta Admin Console, navigate to Security > Administrators and select Roles.
  2. Select Create new role.
  3. Enter a role name and an optional description.
  4. Select the following permissions:
    • Agents
      • Manage Agents
      • Register Agents
    • Directories
      • Manage application directory integration
  5. Select Save role.
  6. Select Resources, and then select Create new resource set.
  7. Enter a name and description for the new resource set.
  8. In the dropdown menu, select Applications, and then choose Select Applications.
  9. Search for and select All Active Directory applications.
  10. Select Save selection.
  11. Select Create.
  12. Go to Security > Administrators > Admins, and select Add administrator.
  13. In the Select admin field, select the user who requires the custom role.
  14. Select the newly created custom role and resource set.
  15. Select Save Changes to complete the administrator assignment.
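
One way to review admin assignments against the least-privilege set described in the steps above. This is an added example, not Okta code: the dictionary layout, the `review_assignment` function and the sample users are assumptions, and the permission and resource names are the Admin Console labels from this page rather than API identifiers.

```python
# Added example. Labels are the Admin Console names used on this page;
# the data layout is hypothetical and is not Okta API output.
REQUIRED_PERMISSIONS = {
    "Manage Agents",
    "Register Agents",
    "Manage application directory integration",
}
REQUIRED_RESOURCE = "All Active Directory applications"


def review_assignment(assignment):
    """Return findings for one admin: {"user": str, "roles": [role, ...]}.

    A role is {"name": "Super Administrator"} or a custom role with
    "permissions" and "resources" lists (constructed layout).
    """
    findings, granted, is_super = [], set(), False
    for role in assignment["roles"]:
        if role["name"] == "Super Administrator":
            is_super = True
            findings.append("over-privileged: Super Administrator is assigned")
            continue
        perms = set(role.get("permissions", []))
        resources = set(role.get("resources", []))
        # Count a permission only when its role is scoped to the resource
        # that the procedure selects for the resource set.
        if REQUIRED_RESOURCE in resources:
            granted |= perms & REQUIRED_PERMISSIONS
        for extra in sorted(perms - REQUIRED_PERMISSIONS):
            findings.append(f"extra permission in {role['name']}: {extra}")
        for extra in sorted(resources - {REQUIRED_RESOURCE}):
            findings.append(f"extra resource in {role['name']}: {extra}")
    if not is_super:
        # A gap here matches the AD Agent activation errors listed in the Overview.
        for missing in sorted(REQUIRED_PERMISSIONS - granted):
            findings.append(f"missing permission on AD applications: {missing}")
    return findings


SAMPLE = [  # constructed sample data
    {"user": "ad-agent-admin", "roles": [{"name": "AD Agent Role",
        "permissions": sorted(REQUIRED_PERMISSIONS), "resources": [REQUIRED_RESOURCE]}]},
    {"user": "helpdesk-1", "roles": [{"name": "AD Agent Role (draft)",
        "permissions": ["Manage Agents", "Manage application directory integration"],
        "resources": [REQUIRED_RESOURCE]}]},
    {"user": "legacy-admin", "roles": [{"name": "Super Administrator"}]},
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry["user"], review_assignment(entry) or "ok")
```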