<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Updates to the Active Directory Manager Attribute Are Not Syncing to Okta
Feb 27, 2026
Okta Classic Engine
Directories
Okta Identity Engine
All Engines
Overview

This article explains why the Active Directory (AD) manager attribute is not updated in Okta when modified in AD.

Applies To
  • Active Directory (AD)
  • Profile Editor
Cause

A custom expression uses the getManagerUser("active_directory") function to pull a user's manager information from AD.

  • Using the Okta Expression Language function getManagerUser("active_directory") will not allow Okta to discover changes to a user's manager attribute after it is changed in AD.
  • This is documented in the Okta Expression Language overview developer documentation.
Solution

Use a custom expression that parses the distinguishedName format of the attribute. Depending on the naming conventions used in the AD domain, there are numerous ways to do this. The following examples will store the manager attribute as a display name. Follow the steps or the video below:

 

Display the "CN" value as is:

  • Example 1:

String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1)

String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1)

 

  • Example 2:

String.substringAfter(String.substringBefore(appuser.managerDn, ",OU"), "CN=")

String.substringAfter(String.substringBefore(appuser.managerDn, ",OU"), "CN=")

 

  • If the manager CN is "lastName, firstName" (for example, "CN=Doe \, John, OU= ..."), then a similar expression would be used but modified to either ignore the escape character or rearranged to display "firstName lastName."

 

Ignoring escape character:

  • String.replace(String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1), "\", "" )

String.replace(String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1), "\", "" )

 

 

Rearranging display:

  • String.substringAfter(String.substringBefore(appuser.managerDn, ",OU="), "\, ") + " " + String.substringAfter(String.substringBefore(appuser.managerDn, "\,"), "CN=")

String.substringAfter(String.substringBefore(appuser.managerDn, ",OU="), "\,") + " " + String.substringAfter(String.substringBefore(appuser.managerDn, "\,"), "CN=")

 

Update the Attribute Mapping:

  1. Go to Directory > Profile Editor > select the Active Directory domain.
  2. Click Mappings, which will start in "[AD domain] to Okta User" by default.
  3. Enter the chosen expression for the user.manager attribute.
  4. Click Save Mappings.

 

NOTE: 

  • When updating managerId in Okta using the expression from the video example (getManagerUser("active_directory").email), the manager user must be active in Okta for the attribute to update properly.
  • These functions are not supported for user profiles sourced from multiple Active Directory instances.

 

Related References

Recommended content

Still looking for help?
Loading
Updates to the Active Directory Manager Attribute Are Not Syncing to Okta