Provisioning an Okta user to Active Directory (AD) to link to an existing AD account fails if the AD user object lacks an attribute required by Okta. When this occurs, Okta attempts to create a new user, which causes a conflict. To resolve this issue, populate all required attributes on the AD user object before reattempting the provisioning task.
When this occurs, the System Log displays the following error:
Sync user in external application FAILURE
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Attributes
- Provisioning
When Okta attempts to provision a user to AD, Okta first searches AD for the user. If Okta finds a matching user object, Okta imports the object and links it to the Okta user before performing any relevant profile updates. However, if the AD user object is missing any attribute required by Okta, the import step fails, and Okta will instead attempt to provision a new AD user. The attributes of this new user conflict with the existing user, causing the user creation to fail.
How is the AD provisioning error resolved when an existing AD user object is missing an Okta-required attribute?
To resolve the provisioning error, review the AD attributes required by Okta, populate them on the AD user object, and retry the provisioning task.
- Review the Active Directory attribute mappings to Okta properties article to determine the required AD attributes.
- Populate all attributes required by Okta on the AD user object.
- Reattempt the provisioning task in Okta.
