Okta imports all active users within all Organizational Units (OUs) that are selected under the User OUs connected to Okta as configured on the Integration tab of the Active Directory Provisioning page.
Depending on the scope required, Okta provides different methods to filter all users, a subset of users, or individual users from the import.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
How to prevent all users from importing?
Perform the following steps to prevent Okta from importing all Active Directory (AD) users:
- Navigate to Directory > Directory Integrations > Active Directory > Provisioning > To Okta.
- Under General, select Edit.
- Locate the Do not import users setting and select the Skip users during import box.
How to prevent a subset of users from importing?
LDAP filters can be used to prevent a subset of users in a connected OU from importing into Okta. The AD LDAP filter is an Early Access feature that creates a field in the Integration page of any Active Directory integration within Okta to allow the addition of an LDAP filter. Okta applies this filter to the selected OUs and imports only the matching users or groups. To enable this Early Access feature, submit an Okta Support ticket.
NOTE: Okta Support cannot assist with configuring LDAP filters. This functionality can have a significant, unintended impact if misconfigured. Test all LDAP filters in Active Directory before applying the filter to the Okta organization and test the feature and filter in a preview org before implementation in a production org. For more information on the AD LDAP filter feature, see Active Directory LDAP Filters Explained.
How to prevent individual users from importing?
Okta provides two methods to prevent individual users from importing: removing a required attribute from the Active Directory user profile or ignoring the user after an import completes.
How can users be prevented from import using required attributes?
Okta skips importing individual users if their profile lacks a required attribute. By default, Okta requires the First name, Last name, and Primary email attributes. Okta skips an Active Directory user missing any one of these attributes. This method is commonly used for preventing the import of service accounts from AD. Additionally, any attribute in Okta can be configured as required, allowing organizations to choose which attribute to use to prevent import on an individual basis.
Perform the following steps to make an attribute required:
- Navigate to Directory > Profile Editor.
- Select User (default).
- Select the desired attribute.
- Select the information icon.
- Select the Attribute Required box to mark the attribute as required.
Review the Users Not Importing from Active Directory: Missing Required Attribute documentation for more information.
How can users be prevented from import using the ignore user option?
Ignoring users once they have been imported from Active Directory will prevent an Okta user from being created for them. This method works only if the Auto-confirm new users setting in the To Okta section of the Provisioning settings page is disabled. To prevent an Okta user profile from being created, select Ignore this user for now after the import finishes processing.
NOTE: Users manually placed in the Ignored list remain ignored after enabling the Auto-confirm exact matches and Auto-confirm new users settings. The Okta AD import architecture treats the "Ignored" status as a persistent suppression flag tied to the objectGUID of the AD object.
