An error occurs when activating a staged Okta user assigned to an Active Directory (AD) provisioning group, due to a configuration issue, an offline agent, or invalid user attributes that prevent Okta from successfully provisioning the user to AD. Resolve this issue by verifying the AD integration settings, ensuring the Okta AD Agent is online, and validating the user attributes.
When attempting to activate a staged Okta user assigned to an AD provisioning group, Okta generates the following error:
An error occurred while assigning this app.
Automatic activation of user <username> to app Active Directory failed: Matching user not found.
The user's Okta profile reports an Activating status:
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Staged Users
- User Activation
This error occurs when a configuration issue, an offline agent, or invalid user attributes prevent Okta from successfully provisioning a user to Active Directory via an Okta provisioning group during a transition from Staged to Active state.
What causes Active Directory provisioning failures and how are they resolved?
Provisioning from Okta to Active Directory fails for several reasons. Review the following potential causes and apply the corresponding resolution to ensure successful user activation.
How is the issue resolved when the Create Users option is unselected?
Enable the user creation feature in the Okta Admin Console by navigating to the Active Directory Provisioning settings and selecting the Create Users checkbox.
- Navigate to Directory Integrations > Active Directory > Provisioning > To App.
- Select the Enable checkbox next to Create Users.
- Retry the provisioning task.
How is the issue resolved when the Okta AD Agent was offline at the time of the provisioning attempt?
Ensure the Okta AD Agents are online and retry the provisioning task.
How is the issue resolved when the saMAccountName value is too long?
Adjust the saMAccountName value to ensure it does not exceed the maximum character limit. Review Okta Active Directory Provisioning Fails With Error "A Device Attached to the System Is Not Functioning" for additional details.
How is the issue resolved when the target OU is missing from the integration?
Update the Active Directory integration settings to include the Organizational Unit (OU) selected in the provisioning group. Review Okta Active Directory Provisioning Fails with "Target OU Is Not an Import OU" Error for additional details.
How is the issue resolved when an invalid cn value is passed?
Correct the directory pathname to ensure a valid cn value is passed during provisioning. Review Invalid Directory Pathname Error Occurs When Provisioning an Okta User to Active Directory for additional details.
How is the issue resolved when the saMAccountName value is not unique?
Ensure the saMAccountName is unique across the directory when matching the Okta user to an existing AD user or creating a new AD user. Review Okta to Active Directory Provisioning Fails with Error "The Object Already Exists" for additional details.
How is the issue resolved when the "Manager" attribute is not a valid Distinguished Name?
Verify that the AD account of the user's manager is active and resides in the correct OU before retrying the task. Review Okta to Active Directory Provisioning Error "There is no such object on the server" for additional details.
