<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Provision Okta Users to a Specific Active Directory Organizational Unit
Apr 15, 2026
Okta Integration Network
Okta Classic Engine
Directories
Okta Identity Engine
Overview

To provision Okta users to a specific Active Directory (AD) Organizational Unit (OU), configure Okta-sourced groups as provisioning groups to use Managed Directories.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Organizational Unit (OU)
  • Directories
  • Okta-Sourced Groups
  • Managed Directories
  • Provisioning Users
Solution

How are Okta users provisioned to a specific Active Directory Organizational Unit?

 

 

To provision Okta users to a specific Active Directory OU, verify the directory integration settings, enable user creation, and configure the group directories as described in the video and steps below:

 


 

To prevent unexpected behavior, use an Okta group that is not configured as a Push Group. A group should not be configured as both a provisioning group and a Push Group.

 

For Okta to create users in an OU, that OU must be selected in User OUs connected to Okta.

  1. Navigate to Directory > Directory Integrations > [AD] > Provisioning > Integration.
  2. Verify that the OU targeted for provisioning is selected under User OUs connected to Okta.

Import Settings

 

The Create Users option must be enabled in the AD instance.

  1. Navigate to Directory > Directory Integrations > [AD] > Provisioning > To App.
  2. Verify that Create Users is selected.

To App

 

Configure an Okta group for provisioning to AD.

  1. Navigate to Directory > Groups.
  2. Create a new group in Okta or select an existing Okta group.
  3. Add the desired Okta users to the selected group.
  4. Open the group in Okta, select the Directories tab, and choose Manage Directories.

Directories

  1. Select one or more AD integrations from the Not Members pane on the left to add them to the Members pane on the right.

AD

  1. Select Next.
  2. Choose the specific OU to push users for each AD integration. Select Show More under Default Attributes > Organizational Unit and locate the correct OU. Select only one OU per AD integration.

AD

  1. Optionally, configure any custom attribute fields that each AD user profile shares while in the group.
  2. Select Confirm changes.

 

NOTE:

  • Active Directory profiles are created or updated for all group members. When adding new users to the group, Okta automatically pushes these profiles to the directory.
  • The service account utilized by the Okta AD Agent requires Domain Admin privileges or the necessary permissions to create and update users in Active Directory.

 

Related References

Recommended content

Still looking for help?
Loading
Provision Okta Users to a Specific Active Directory Organizational Unit