Administrators may sometimes need to suspend or deactivate Okta users who have not been deactivated in the source application (for example, Active Directory or Workday), which is where deactivation would normally originate.
- Users
- Lifecycle Management
- API calls
- Okta Classic Engine
- Okta Identity Engine (OIE)
In the normal flow for users sourced from an HR application or Active Directory, the deactivation originates on the application side and reaches Okta via Import/Sync.
In the provisioning section of the application (App > Okta, under Profile & Lifecycle Sourcing), there is the option "When a user is reactivated in the app", which is typically set to unsuspend/reactivate the user.
If the user is suspended/deactivated in Okta when the next sync/import occurs, the user will be reactivated (this is expected behavior).
To suspend a user so that sync/import no longer reactivates them, use a third-party API tool such as Postman to run the suspend (or deactivate) API call:
api/v1/users/userId/lifecycle/suspend or api/v1/users/userId/lifecycle/deactivate
Unsuspending/reactivating the user afterward would be a matter of running another API call, such as:
- For previously deactivated users: api/v1/users/userId/lifecycle/activate?sendEmail=false
- For previously suspended users: api/v1/users/userId/lifecycle/unsuspend
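
The calls above as a small Python helper, added here as an example and not Okta's own code: it builds the lifecycle POST requests and picks the matching reversal call from the user's current status. The SSWS API-token header, the status names SUSPENDED and DEPROVISIONED, the environment variable names and the example.okta.com org URL are assumptions that are not stated on this page.

```python
import json
import os
import urllib.parse
import urllib.request

# Paths from the article; each one is sent as a POST with an empty body.
OPERATIONS = {
    "suspend": "lifecycle/suspend",
    "deactivate": "lifecycle/deactivate",
    "unsuspend": "lifecycle/unsuspend",
    "activate": "lifecycle/activate?sendEmail=false",
}
# Okta user status -> call that reverses it, per the article's last two endpoints.
REVERSAL = {"SUSPENDED": "unsuspend", "DEPROVISIONED": "activate"}


def reversal_for(status):
    """Pick the call that undoes a manual suspend/deactivate, by current status."""
    if status not in REVERSAL:
        raise ValueError(f"no reversal call for status {status!r}")
    return REVERSAL[status]


def build_request(org_url, token, user_id, operation):
    """Build (not send) the POST request for one lifecycle operation."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if not org_url.startswith("https://"):
        raise ValueError("org URL must use https so the token is not sent in clear text")
    # Percent-encode the id so a value pasted from a CSV cannot alter the path.
    uid = urllib.parse.quote(user_id, safe="")
    url = f"{org_url.rstrip('/')}/api/v1/users/{uid}/{OPERATIONS[operation]}"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=b"", method="POST", headers=headers)


def run(org_url, token, user_id, operation):
    """Send the request and return (HTTP status, parsed JSON body or {})."""
    with urllib.request.urlopen(build_request(org_url, token, user_id, operation)) as resp:
        body = resp.read()
        return resp.status, json.loads(body) if body else {}


if __name__ == "__main__":
    # Assumed variable names; the token is read from the environment, never hard-coded.
    env = os.environ
    print(run(env["OKTA_ORG_URL"], env["OKTA_API_TOKEN"], env["OKTA_USER_ID"], "suspend"))
```
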
