"Match entire username" Setting Fails to Block AD Short Name Logins
Overview

When the "Username match criteria on sign in - Match entire username" setting is enabled in the Okta Admin Console under Settings > General, Active Directory (AD) users are still able to log in using their short name (firstname.lastname).

Applies To
  • Okta Login
  • Okta Identity Engine (OIE)
  • General Settings
Cause

This happens for AD users only. Okta-created users are not allowed to log in using a short name when the setting is enabled.

Solution

In the Admin Console, change the Okta username format under Provisioning > To Okta to Email Address. After this change, AD users are not allowed to log in with a short name; they must log in using the full email.
