This article explains the expected behavior for LDAP Integrations after encountering an Import Roadblock.

• LDAP
• Imports (Full and Incremental)
• Import Roadblock

If an LDAP Import triggers an Import Roadblock due to exceeding the unassignment threshold, and the Import Roadblock is resolved, the next import must be a Full Import, regardless if the next import is scheduled or manually started as an Incremental Import. 

To find LDAP Imports that are converted to Full, use the following query in System Log:

eventType eq "system.import.start" and debugContext.debugData.importType eq "Full" and debugContext.debugData.importTrigger eq "Schedule"

The reason why a Full Import is required after encountering an Import Roadblock is that Okta would not be able to detect the changes in LDAP that were detected from the previously failed import. When an Incremental Import is started, Okta scans the LDAP environment for updates using the modifyTimestamp attribute. Okta performs the modifyTimestamp scan in the Download object phase of the Import.

Import Roadblocks are triggered after the Download object phase. Therefore, if a Full Import is not performed after an Import Roadblock (or other failed imports), Okta will not be able to process the changes from the previously failed import. Performing a Full Import ensures that all changes are processed and reflected in Okta.