Syncing Active Directory Object SID to Office 365
Universal Directory
Okta Classic Engine
Okta Identity Engine
Overview

This article explains why the Active Directory (AD) Object SID is not natively synced to Office 365 (O365) for Okta-mastered users and provides the steps to resolve this limitation.

Applies To
  • Active Directory
  • Office 365
Cause

In an Okta-mastered configuration the SID cannot be generated or synced from Okta, because objectSID is assigned by the domain controller when the account is created in Active Directory; Okta does not generate or store a SID for Okta-mastered users. The SID therefore exists only after the user has been created in AD, and nothing writes it back to Okta or propagates it to Office 365. Office 365 also has no writable SID attribute for provisioning: Microsoft Graph exposes the on-premises SID of a user as the read-only property onPremisesSecurityIdentifier, so a SID can only be carried in a general-purpose field such as an extension attribute.

Solution

The simplest fix is to make Active Directory the profile source (AD-mastered users), so that Okta imports objectSID along with the other AD attributes. Note that this changes which system owns the user's profile attributes, so treat it as a design decision rather than a quick setting.

Alternatively, if Okta must remain the master, use a custom integration or workflow (for example, an Okta Workflows flow or a script against the Okta Users API) that reads objectSID from AD once the AD account has been provisioned and writes it back to a custom Okta attribute. AD stores objectSID as a binary value, so convert it to its text form (S-1-5-21-...) before writing it into a string attribute.
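The custom-integration route involves one detail the article does not show: AD returns objectSID as a binary blob, and it has to be decoded into its S-1-... text form before it can be written into a string attribute. The Python below is an added example, not Okta's code or part of the original article. It assumes the caller has already fetched the raw objectSid bytes from AD (for example with an LDAP search on sAMAccountName); the Okta domain, user ID and API token are placeholders, the custom attribute name FromAD_SID is the one used as an example in the article, and the sample SID bytes are a constructed fixture.

```python
"""
Added example (not Okta's or Microsoft's code): decode a binary AD objectSID
into text and prepare the Okta Users API call that writes it to a custom
profile attribute (FromAD_SID). The caller supplies the raw objectSid bytes.
"""
import json
import re
import struct
from urllib import request

# Text-form SID: revision 1, an identifier authority, then 1..15 sub-authorities.
SID_TEXT_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary objectSID to 'S-1-<authority>-<sub>-...'.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then each sub-authority as a 32-bit little-endian
    integer. Malformed input is rejected instead of yielding a bogus SID.
    """
    if len(raw) < 8:
        raise ValueError("objectSID shorter than its 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 1 <= sub_count <= 15 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("sub-authority count does not match objectSID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", raw, 8)
    return "S-" + "-".join(str(n) for n in (revision, authority, *subs))


def sid_string_to_bytes(text: str) -> bytes:
    """Inverse of sid_bytes_to_string, used to round-trip check a value."""
    if not SID_TEXT_RE.fullmatch(text):
        raise ValueError("not a SID string")
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def build_okta_profile_update(sid_text: str, attr_name: str = "FromAD_SID") -> dict:
    """Body for a partial profile update on the Okta Users API.

    Only the custom attribute is sent: POST /api/v1/users/{id} merges the
    supplied fields, whereas PUT replaces the whole profile and clears any
    attribute that is omitted. The value is re-validated so that nothing but
    a SID can land in the attribute, whatever came back from the directory.
    """
    if not SID_TEXT_RE.fullmatch(sid_text):
        raise ValueError(f"refusing to write non-SID value {sid_text!r}")
    return {"profile": {attr_name: sid_text}}


def write_sid_to_okta(okta_domain, user_id, raw_sid, api_token, dry_run=True):
    """Decode raw_sid and write it to the user's FromAD_SID attribute.

    okta_domain, user_id and api_token are placeholders supplied by the
    caller. With dry_run=True the prepared request is returned instead of
    being sent, so the function can be exercised offline.
    """
    sid_text = sid_bytes_to_string(raw_sid)
    body = build_okta_profile_update(sid_text)
    url = f"https://{okta_domain}/api/v1/users/{user_id}"
    req = request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",  # partial update; see build_okta_profile_update
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    if dry_run:
        return {"url": url, "method": "POST", "body": body}
    with request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed fixture: BUILTIN\Administrators (S-1-5-32-544) as AD would return it.
SAMPLE_OBJECTSID = bytes.fromhex("0102" "000000000005" "20000000" "20020000")

if __name__ == "__main__":
    print(sid_bytes_to_string(SAMPLE_OBJECTSID))
    # "00uEXAMPLE" and "<token>" are placeholders, not real Okta values.
    print(write_sid_to_okta("example.okta.com", "00uEXAMPLE", SAMPLE_OBJECTSID, "<token>"))
```

Run as-is it prints the decoded sample SID and the request it would have sent. Set dry_run=False only with an API token issued to an admin account whose role is limited to the user-profile updates this job needs, and keep the POST (partial update) rather than switching to PUT, which would null out every profile attribute the body does not include.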

Once the SID is available in Okta, use the following steps to map it to Office 365:

  1. Add a custom attribute to the Okta user profile.

    1. Navigate to Directory > Profile Editor.
    2. Select the Okta user profile.
    3. Add a new attribute with data type string (for example, FromAD_SID).
    4. Click Save.
  2. Map the AD objectSID to the new Okta attribute.

    1. In Profile Editor, select Active Directory.
    2. Click Mappings.
    3. Select the App to Okta tab.
    4. Locate the ad_objectSID field.
    5. Map it to the new Okta attribute created in Step 1 (for example, FromAD_SID).
    6. Click Save Mappings.
  3. Map the Okta attribute to a supported Office 365 attribute.

    1. In Profile Editor, select Office 365.
    2. Click Mappings.
    3. Select the Okta to App tab.
    4. Locate a supported attribute (for example, ExtensionAttribute1).
    5. Map the Okta attribute (for example, FromAD_SID) to this field.
    6. Click Save Mappings.
  4. Force a re-sync of AD attributes (Optional).

If the mapping does not take effect after a full import, force Okta to re-evaluate all AD attribute mappings (including ad_objectSID) by making a throwaway change and reverting it:

    1. Pick an attribute mapping that no downstream app consumes and temporarily change it to a static value (for example, 1234). While it is in place, that static value is written to every affected user's profile, so do not use an attribute that is pushed to other apps.
    2. Apply the change to all users.
    3. Revert the mapping to its original value and apply it to all users again.
      • Each apply-to-all-users pass makes Okta re-evaluate every AD attribute mapping and rewrite the values in the Okta profiles, which picks up the new ad_objectSID mapping as well.