<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Users Not Importing from Active Directory: Missing Required Attribute
Nov 27, 2025
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article provides troubleshooting steps to resolve the issues related to users not importing into Okta from Active Directory imports because they are missing a required attribute.

Applies To
  • Active Directory
  • LDAP
  • Full/Incremental Imports
Cause

If an attribute has the Attribute Required box checked in the profile editor for the Active Directory Instance, users must have the attribute populated in order to import it into Okta. If the attribute is missing, the user will be skipped and noted in the System Log. 

Find the list of users who are skipped by searching the following string in the System Log:

eventType eq "system.agent.ad.import_user"

In the log entry, under Outcome > Reason, the system log will display the attribute that is missing. For example:

Skipping import of user CN=Service Account,OU=Service Accounts Group,DC=Okta,DC=local. Expected required AD attribute: sn, (Okta attribute: lastName) to not be null. Please consult with your Active Directory admin if you believe this user should be imported.


Additionally, search for the missing user by entering the user's distinguishedName in the system log. For example, CN=John Smith,OU=Accounting,OU=Users,DC=Okta,DC=local.  

By default, the following attributes are required: Username, First name, Last name, and Primary email.

NOTE: Because the default expression for the email field is set to appuser.email != null ? appuser.email : appuser.userName, if the email value is blank in AD, Okta will populate the email field using the username.

Solution

There are two ways to resolve the issue of users being skipped. Follow the steps or video below.




The first option is to populate the required attribute with a value. For example, if the user was skipped due to missing the Active Directory Attribute "sn" (Okta Attribute: lastName), then populate a value in the attribute, and the user will be imported into Okta upon the next Import.

The next option is to remove the requirement for the attribute. To remove the required attribute requirement, follow these steps:

  1. Log in to the Okta admin account.
  2. Go to the Directory menu and select Profile Editor.
  3. Locate the Active Directory Integration.
  4. Find the custom attribute that will be required and click on the pencil icon next to it.
  5. In the Edit window for the attribute, uncheck the box next to Attribute Required.
  6. Click Save Attribute to save changes.
  7. If the attribute required box is also checked on the Default (Okta) profile, these actions may need to be repeated. 

Recommended content

Still looking for help?
Loading
Users Not Importing from Active Directory: Missing Required Attribute