User accounts are deleted from Active Directory and deactivated in Okta; however, this causes import issues when those users are rehired. This applies when Full Imports are run and JIT Provisioning is enabled.
- AD to Okta Imports
- Provisioning
The attribute used to create and match Okta users now has a different value from the one it had when the Okta user was originally created, so the import cannot match the rehired account to the existing, deactivated Okta user and fails when it tries to create a new one. In the example below, the attribute used for Okta usernames is SAMAccountName. The following error is thrown during imports:
Create Okta User failed with the following validation errors: SAMAccountName field failed validation with value 'test.user@okta.com': An object with this field already exists in the current organization.
- Use Postman to perform a bulk user delete:
  - How to Bulk Delete Users via Postman (we recommend adding a 1000 ms delay between requests to help avoid hitting API rate limits when running a large batch of users).
- Use Okta Workflows to delete users upon deactivation.
- Use Automations. Be aware that an automation configured only to delete users after a certain number of days of inactivity will delete them regardless of deactivation status. We recommend creating 1-2 automations: one that deactivates the user (and emails the user about the inactivity), and one that deletes the user(s) after the desired grace period.
  - Here's a sample of what was created in an Okta lab environment:
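The Postman bulk-delete option above, scripted with the Python standard library as an added example (not Okta's own tooling): it pages through users in DEPROVISIONED status, issues the second DELETE that permanently removes each one so a rehire can be re-imported, and pauses 1000 ms between calls as recommended. ORG_URL and API_TOKEN are placeholders; the Okta endpoints used (`GET /api/v1/users?filter=...`, `DELETE /api/v1/users/{id}`) are the documented Users API.

```python
import json
import re
import time
import urllib.parse
import urllib.request

ORG_URL = "https://example.okta.com"   # placeholder: the org's base URL
API_TOKEN = "REPLACE_WITH_SSWS_TOKEN"  # placeholder: token with user admin rights
DELAY_SECONDS = 1.0                    # the 1000 ms pause the article recommends

def okta_call(method, url, token=API_TOKEN):
    """Minimal stdlib HTTP call; returns (status, headers, parsed JSON or None)."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        # Okta returns rel="self" and rel="next" as separate Link headers; join them.
        link = ", ".join(resp.headers.get_all("Link") or [])
        return resp.status, {"Link": link}, (json.loads(raw) if raw else None)

def next_link(link_header):
    """Extract the rel="next" URL from an Okta pagination Link header, if any."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None

def select_deletable(users):
    """Only DEPROVISIONED users are returned: a DELETE on a user in any other
    status merely deactivates it, so a mistyped filter must not reach DELETE."""
    return [u["id"] for u in users if u.get("status") == "DEPROVISIONED"]

def purge_deprovisioned(call, org_url=ORG_URL, delay=DELAY_SECONDS, sleep=time.sleep):
    """Page through DEPROVISIONED users and permanently delete each one.
    `call(method, url)` returns (status, headers, body); injected so tests can stub it."""
    query = urllib.parse.urlencode({"filter": 'status eq "DEPROVISIONED"', "limit": 200})
    url = f"{org_url}/api/v1/users?{query}"
    deleted, failed = [], []
    while url:
        status, headers, users = call("GET", url)
        if status != 200:
            raise RuntimeError(f"listing users failed with HTTP {status}")
        for uid in select_deletable(users):
            # A DELETE on an already deactivated user removes it permanently.
            st, _, _ = call("DELETE", f"{org_url}/api/v1/users/{uid}?sendEmail=false")
            (deleted if st == 204 else failed).append(uid)
            sleep(delay)  # throttle so a large batch stays under the org rate limit
        url = next_link(headers.get("Link"))
    return deleted, failed

if __name__ == "__main__":
    done, errs = purge_deprovisioned(okta_call)
    print(f"deleted {len(done)} users; {len(errs)} deletes did not return 204")
```

Run it against a preview org first and review the returned id lists before pointing it at production.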
If the options above do not suffice and a custom solution is needed, engage Okta Professional Services.
