JIT and SSO Failure for Tenant with Entra ID as IdP
Single Sign-On
Okta Identity Engine
Overview

When a user logs in through an external Identity Provider (IdP) such as Entra ID (Microsoft) and Okta matches that user to an existing Okta user, the login fails with a Just-In-Time (JIT) provisioning error if Automatic Account Linking is not enabled for the IdP.

[Screenshot: JIT provisioning error shown at login]

Applies To
  • Just-In-Time (JIT) Provisioning
  • Identity Provider (IdP)
  • Account Linking
  • Okta Identity Engine (OIE)
Cause

The error occurs because the "Account Link Policy" setting is disabled in the IdP configuration while the "If no match found: Create New User (JIT)" option is enabled.

When an inbound user authenticates, Okta's matching logic finds that a matching user profile already exists. Without Account Linking enabled, Okta cannot link the external IdP account to that existing profile, so it falls through to the Just-In-Time (JIT) provisioning flow, which fails because a user with that identifier already exists.

Solution

Enable the "Enable Automatic Linking" option under the "Account Link Policy" setting in the IdP configuration.

[Screenshot: IdP settings showing the Account Link Policy option]

This allows Okta to match an incoming user from the IdP to an existing Okta user profile and link the two during authentication instead of attempting JIT creation. Because automatic linking attaches the identifier asserted by the IdP to an existing Okta account, review which attribute the IdP matches on before enabling it. For additional information, refer to Add an Identity Provider.
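The following is an added example, not code from this article or from Okta, that audits IdP records for exactly this combination (JIT creation on, account linking off) and models the match-then-link-or-JIT flow described above. Field names follow the Okta Identity Providers API (`policy.provisioning.action`, `policy.accountLink.action`); the two sample records, the simulated flow and all function names are constructed for this example and are assumptions.

```python
"""Audit Okta IdP policies for the JIT-vs-existing-user failure described above."""
import json

# Constructed sample: two IdP records shaped like Okta Identity Providers API
# (/api/v1/idps) responses. Ids and names are illustrative, not from a real tenant.
SAMPLE_IDPS = json.loads("""[
  {"id": "0oa-entra-example", "name": "Entra ID", "type": "OIDC",
   "policy": {"provisioning": {"action": "AUTO"},
              "accountLink": {"action": "DISABLED", "filter": null},
              "subject": {"matchType": "USERNAME"}}},
  {"id": "0oa-saml-example", "name": "Partner SAML", "type": "SAML2",
   "policy": {"provisioning": {"action": "AUTO"},
              "accountLink": {"action": "AUTO", "filter": null},
              "subject": {"matchType": "EMAIL"}}}
]""")


def find_jit_link_gaps(idps):
    """Return ids of IdPs that create users on no match (JIT) but never link a
    match to an existing Okta user: the combination that fails at login."""
    return [idp["id"] for idp in idps
            if idp["policy"]["provisioning"]["action"] == "AUTO"
            and idp["policy"]["accountLink"]["action"] != "AUTO"]


def simulate_inbound_login(idp, existing_logins, login):
    """Assumed, simplified model of the article's flow: match, then link or JIT.
    `existing_logins` is the set of logins already present in the Okta tenant."""
    policy = idp["policy"]
    if login in existing_logins:                      # Okta found a matching profile
        if policy["accountLink"]["action"] == "AUTO":
            return "LINKED"                           # fix applied: IdP identity linked
        if policy["provisioning"]["action"] == "AUTO":
            return "JIT_FAILED_USER_EXISTS"           # the error this article describes
        return "DENIED"
    # no match: JIT creates the user only if provisioning is enabled
    return "JIT_CREATED" if policy["provisioning"]["action"] == "AUTO" else "DENIED"


def fixed_policy(policy):
    """Return a copy of the policy with Automatic Linking enabled (the article's fix)."""
    fixed = json.loads(json.dumps(policy))            # deep copy; leave the input untouched
    fixed["accountLink"]["action"] = "AUTO"
    return fixed


if __name__ == "__main__":
    print("IdPs needing Automatic Linking:", find_jit_link_gaps(SAMPLE_IDPS))
```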
