When configuring an AD integration in Okta, the incoming Okta username can be mapped to an AD attribute such as userPrincipalName, sAMAccountName, email, or any Okta Expression Language (OEL) expression that results in a valid, unique Okta username. For an existing Okta user, updating the AD attribute that directly correlates to the Okta username may not update the Okta username after an AD import due to integration settings or profile source configuration.

• Okta Classic Engine
• Okta Identity Engine (OIE)
• Okta Username
• Active Directory (AD)
• Profile Source Priority

Several configurations prevent an AD import from updating the Okta username:

• Active Directory is not a profile source: If AD is not a profile source, the integration establishes the Okta username on Create Only. Subsequent imports do not update the user.login attribute after the initial confirmation of the user.

• Active Directory is a lower-priority profile source: The Okta username does not update from Active Directory if the user has a higher-priority profile source (for example, Workday) assigned to the user.login attribute.

This image shows the user.login attribute settings and profile source priority in the Profile Editor. In this org, a user's highest priority profile source is Workday, and the user also has two connected AD profiles, with those AD instances at source priorities 2 and 5. If either AD profile username is updated, the Okta user.login value for the user would not be updated as that attribute is being sourced from the user's highest priority source (Workday).

• Attribute inheritance: The Okta username does not update if the source priority for the user.login attribute is set to inherit from Okta rather than the external directory.

How is the Okta username configured to update after an Active Directory import?

Identify the applicable cause and follow the corresponding steps to resolve the issue.

Active Directory is not a profile source

If the AD integration is not configured as a profile source, the Okta username can be set from the instance only at user creation. After the initial confirmation of an imported user, subsequent AD imports will not update the user.login attribute. To change this setting, configure the AD instance as a profile source. This action makes the Create and update option available for the username update setting.

1. Navigate to Directory > Directory Integrations > [AD] > Provisioning > To Okta and locate the Profile & Lifecycle Sourcing section.
2. Choose Edit.
3. Select the Allow Active Directory to source Okta users checkbox.
   1. Optionally, select an action for deactivated AD users: Do Nothing, Suspend (Okta user), or Deactivate (Okta user).
   2. Optionally, select an action for reactivated AD users: Reactivate suspended Okta users or Reactivate deactivated Okta users.
4. Choose Save.

Active Directory is a lower-priority profile source, or the Okta username attribute is inherited from Okta

When the username is sourced from a higher-priority profile source, or when the Okta username attribute, user.login, is configured to Inherit from Okta, apply one of the following methods to enable username update from AD. Select the method that best fits the organizational requirements.

• Method 1: Adjust the profile source priority so that AD holds a higher priority than the competing profile source for the affected user.

1. 1. Confirm that the user.login attribute is configured to Inherit from profile source. If this is already selected, proceed to step 6.
   2. Navigate to Directory > Profile Editor > User (default).

NOTE: If the org has custom Okta user types, select the appropriate user type instead of User (default).

1. 3. Select the information icon  in the Username row.
   4. Choose Inherit from profile source from the Source priority dropdown menu.

1. 5. Select Save Attribute.
   6. Navigate to Directory > Profile Sources.
   7. Locate the appropriate profile source and select the up arrow next to its Priority ranking.

1. 8. Repeat the previous step until the profile source is at the correct priority rank.
   9. Navigate to Directory > Directory Integrations > [AD] > Import, and select Import Now.
   10. Choose Full Import and select Import.

• Method 2: Configure attribute-level sourcing to manually set the source priority for the user.login attribute to the AD instance.

1. 1. Navigate to Directory > Profile Editor > User (default).
   2. NOTE: If the org has custom Okta user types, select the appropriate user type instead of User (default).
2.  
   2. Select the information icon  in the Username row.
   3. Choose Override profile source from the Source priority dropdown menu.
   4. Select the AD integration from the new dropdown menu to designate it as the primary profile source for the Okta username.

1. 5. Optionally, select additional profile source priorities for the user.login attribute.
   6. NOTE: Additional profile source priorities must be configured if users are sourced from mutually exclusive profile sources. Users from any omitted profile source will inherit their username from Okta, and updates to the source attribute will not update the Okta user.

Related References

• What is Profile Sourcing
• Attribute Level Sourcing
• Make Active Directory the Profile Source