Users Not Importing from Active Directory into Okta Due to Missing Required Attribute
Okta Classic Engine
Directories
Okta Identity Engine
Overview

Users fail to import from Active Directory (AD) into Okta when a required attribute is missing from the user profile. Resolve this issue by populating the missing attribute in AD or removing the requirement in the Okta Profile Editor. When this issue occurs, Okta skips the user during the import process and logs the missing attribute in the System Log. Identify skipped users by searching for the following event type string in the System Log:

eventType eq "system.agent.ad.import_user"


In the log entry, under Outcome > Reason, Okta displays the missing attribute.


Skipping import of user CN=Service Account,OU=Service Accounts Group,DC=domain,DC=local. Expected required AD attribute: sn, (Okta attribute: lastName) to not be null. Please consult with your Active Directory admin if you believe this user should be imported.


Additionally, search for the missing user by entering the user's distinguishedName in the System Log. For example: CN=<user>,OU=<department>,OU=Users,DC=<domain>,DC=<local>.
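The two search methods above still leave an admin reading each entry by hand. The following is an added example (not part of the original article) that parses the Outcome > Reason text quoted above out of System Log events, so skipped users can be listed and counted by the attribute that was missing. The events are constructed inline to match the eventType and message format shown in this article; in practice they would come from the Okta System Log API (`GET /api/v1/logs` with the `filter` shown above), which is left out so the example runs offline.

```python
import re
from collections import Counter

# Pattern for the System Log "reason" text quoted in the article. The DN is
# everything up to the ". Expected required" sentence break, so commas inside
# the DN are handled.
SKIP_RE = re.compile(
    r"Skipping import of user (?P<dn>.+?)\. "
    r"Expected required AD attribute: (?P<ad_attr>[^,]+), "
    r"\(Okta attribute: (?P<okta_attr>[^)]+)\) to not be null"
)

def parse_skip_reason(reason):
    """Return (dn, ad_attr, okta_attr) from a skip message, or None if it is
    not a missing-required-attribute skip."""
    m = SKIP_RE.search(reason or "")
    if not m:
        return None
    return m.group("dn"), m.group("ad_attr").strip(), m.group("okta_attr").strip()

def skipped_imports(events):
    """Keep only system.agent.ad.import_user events whose reason reports a
    missing required attribute and return one record per skipped user."""
    results = []
    for ev in events:
        if ev.get("eventType") != "system.agent.ad.import_user":
            continue
        parsed = parse_skip_reason(ev.get("outcome", {}).get("reason"))
        if parsed is None:
            continue
        dn, ad_attr, okta_attr = parsed
        results.append({
            "published": ev.get("published"),
            "dn": dn,
            "ad_attr": ad_attr,
            "okta_attr": okta_attr,
        })
    return results

def missing_attribute_counts(skips):
    """Count skipped users per missing AD attribute, to see which Profile
    Editor requirement is doing the skipping."""
    return Counter(s["ad_attr"] for s in skips)

# Constructed sample events in the shape of Okta System Log entries. The DN and
# the first reason text are the ones quoted in the article; the rest are made up.
SAMPLE_EVENTS = [
    {"eventType": "system.agent.ad.import_user", "published": "2024-01-01T09:00:00.000Z",
     "outcome": {"result": "SKIPPED",
                 "reason": "Skipping import of user CN=Service Account,OU=Service Accounts Group,"
                           "DC=domain,DC=local. Expected required AD attribute: sn, (Okta attribute: "
                           "lastName) to not be null. Please consult with your Active Directory admin "
                           "if you believe this user should be imported."}},
    {"eventType": "system.agent.ad.import_user", "published": "2024-01-01T09:00:01.000Z",
     "outcome": {"result": "SKIPPED",
                 "reason": "Skipping import of user CN=Jane Doe,OU=Users,DC=domain,DC=local. "
                           "Expected required AD attribute: givenName, (Okta attribute: firstName) "
                           "to not be null. Please consult with your Active Directory admin if you "
                           "believe this user should be imported."}},
    {"eventType": "system.agent.ad.import_user", "published": "2024-01-01T09:00:02.000Z",
     "outcome": {"result": "SKIPPED",
                 "reason": "Skipping import of user CN=svc-backup,OU=Service Accounts Group,"
                           "DC=domain,DC=local. Expected required AD attribute: sn, (Okta attribute: "
                           "lastName) to not be null. Please consult with your Active Directory admin "
                           "if you believe this user should be imported."}},
    # A successful import and an unrelated event type, both of which must be ignored.
    {"eventType": "system.agent.ad.import_user", "published": "2024-01-01T09:00:03.000Z",
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-01-01T09:00:04.000Z",
     "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    skips = skipped_imports(SAMPLE_EVENTS)
    for s in skips:
        print(f'{s["published"]}  {s["ad_attr"]:<10} ({s["okta_attr"]})  {s["dn"]}')
    print("missing attribute counts:", dict(missing_attribute_counts(skips)))
```

Grouping by `ad_attr` answers the triage question directly: a high count for one attribute points at a requirement worth reconsidering in the Profile Editor, while a single skipped service account is usually fixed on the AD side.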

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • LDAP
Cause

If an attribute is configured as required in the Profile Editor for the AD instance, the user's AD profile must have that attribute populated for the user to import into Okta. By default, Okta requires the following attributes: Username, First name, Last name, and Primary email.


NOTE: Because the default expression for the email field uses appuser.email != null ? appuser.email : appuser.userName, Okta populates the email field using the username if the email value is blank in AD.
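One consequence of that fallback is that a blank mail attribute alone never causes a skip, while a blank sn or givenName does. The following is an added example (not Okta's code) that checks AD user records before an import against the four default required attributes, mirroring the email expression from the note above. The AD-side attribute names (sAMAccountName, givenName, sn, mail) and their mapping to the Okta defaults are assumptions made for the example; the user records are constructed inline.

```python
# Default required Okta attributes for an AD-sourced profile, keyed by the AD
# attribute assumed to feed each one. The mapping is an assumption for this
# example; a tenant's Profile Editor may map Username from a different attribute.
REQUIRED = {
    "sAMAccountName": "userName",
    "givenName": "firstName",
    "sn": "lastName",
    "mail": "email",
}

def okta_email(ad_user):
    """Mirror of the default expression quoted in the note:
    appuser.email != null ? appuser.email : appuser.userName
    The check is for null (attribute absent), not for an empty string, so an
    attribute that is present but empty is returned as-is."""
    if ad_user.get("mail") is not None:
        return ad_user["mail"]
    return ad_user.get("sAMAccountName")

def missing_required(ad_user):
    """Return the AD attributes whose absence would make Okta skip this user,
    in the order of the REQUIRED mapping."""
    missing = []
    for ad_attr, okta_attr in REQUIRED.items():
        if okta_attr == "email":
            value = okta_email(ad_user)      # fallback to userName applies here
        else:
            value = ad_user.get(ad_attr)
        if value is None:
            missing.append(ad_attr)
    return missing

def preflight(ad_users):
    """Return {distinguishedName: [missing AD attributes]} for every record
    that would be skipped; records with nothing missing are omitted."""
    report = {}
    for user in ad_users:
        missing = missing_required(user)
        if missing:
            report[user["distinguishedName"]] = missing
    return report

# Constructed AD records. The first DN is the one quoted in the article.
SAMPLE_AD_USERS = [
    # Service account with no surname: skipped for sn.
    {"distinguishedName": "CN=Service Account,OU=Service Accounts Group,DC=domain,DC=local",
     "sAMAccountName": "svc-account", "givenName": "Service"},
    # No mail, but the username fallback satisfies the email requirement: imported.
    {"distinguishedName": "CN=Jane Doe,OU=Users,DC=domain,DC=local",
     "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe"},
    # Fully populated: imported.
    {"distinguishedName": "CN=John Roe,OU=Users,DC=domain,DC=local",
     "sAMAccountName": "jroe", "givenName": "John", "sn": "Roe", "mail": "jroe@example.com"},
    # Neither username nor mail: the fallback has nothing to fall back to.
    {"distinguishedName": "CN=No Name,OU=Users,DC=domain,DC=local",
     "givenName": "No", "sn": "Name"},
]

if __name__ == "__main__":
    for dn, missing in preflight(SAMPLE_AD_USERS).items():
        print(f"would be skipped: {dn} (missing {', '.join(missing)})")
```

Running this against an export of the OU being imported tells you in advance which users the next import will skip and why, which is cheaper than discovering them one System Log entry at a time. If the tenant has added its own required attributes in the Profile Editor, add them to `REQUIRED`.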

Solution

How are user import failures caused by missing required attributes resolved?

Resolve user import failures by either populating the missing required attribute directly in Active Directory or removing the attribute requirement within the Okta Profile Editor, as demonstrated in the video or written instructions below.

How is the required attribute populated in Active Directory?

Populate the required attribute with a value directly in AD. For example, if Okta skips the user due to the missing AD attribute "sn" (Okta attribute: lastName), populate a value in the sn attribute directly in AD. Okta will import the user during the next import.

How is the attribute requirement removed in Okta?

Remove the requirement for the attribute in the Okta Admin Console by navigating to the Profile Editor, locating the AD integration, and clearing the required checkbox.

  1. Go to Directory and select Profile Editor.
  2. Locate the AD integration.
  3. Find the custom attribute and select the pencil icon next to it.
  4. In the Edit window for the attribute, clear the checkbox next to Attribute Required.

Okta Profile Editor, Active Directory profile, countryCode attribute with required attribute highlighted

  5. Select Save Attribute to save the changes.
  6. Repeat these actions if the default Okta profile also requires the attribute.