This article explains why the Active Directory attributes cannot be changed from Create to Create and Update on the To Okta provisioning settings of the Integration. (The same steps from this article apply to any Profile Source, not just Active Directory.)
See the screenshot below where the Create and update option is greyed out.
NOTE: Selecting the Create and update option on the To Okta provisioning settings of the Integration does not reapply the mappings; in order to reapply the mappings as well, this change needs to be done from the Profile Editor section located under Directory.
- Directories
- Active Directory (AD)
- Provisioning
This issue is encountered because AD is not configured as the profile master.
Under Directory > Directory Integrations > Active Directory instance > Provisioning to Okta > Profile & Lifecycle Sourcing, the option Allow Active Directory to source Okta users needs to be enabled.
Profile sourcing is enabled by default when the Okta Active Directory (AD) agent is installed. Profile sourcing makes AD the identity authority for connected users. When profile sourcing is enabled, Okta Admins cannot edit user profiles in Okta, and all changes are synchronized to Okta during provisioning events. If AD is disabled as the profile source, changes made in AD are not pushed to Okta.
