Okta Classic Engine / Lifecycle Management / Answered. Dates on record: 2018-04-23T18:01:45Z, 2019-05-16T20:53:38Z, 2025-03-24T09:11:12Z
Expired Active Directory accounts are still active in Okta

Hey Okta Community,

We are using Active Directory as a master. When we manually disable an AD account, the Okta AD sync tool kicks in and that Okta user account is disabled as expected. Downstream apps are deprovisioned and access is revoked.

However, when an AD account expires on a date specified in the user's AD properties, the Okta account remains active and the user can still log in and access all downstream apps.

An AD import does not help.

We have several contractors and we need to confirm that their Okta access is revoked on the same date that their AD accounts expire.

Is there a way to let Okta know that Disabled Accounts = Expired Accounts?

Thanks in advance,
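A defender-side check for the gap the question describes, added here as an example and not code from this thread or from Okta: a PowerShell script that finds AD users whose expiration date has passed but who are still enabled, and (only with -Apply) disables them, so the existing AD-to-Okta sync deactivates them the same way it does for manually disabled accounts. The OU in $SearchBase is a placeholder; the script assumes the RSAT ActiveDirectory module and an account permitted to disable users. Test-AccountExpired and the parameter names are this example's own.

```powershell
# Added example (not from the original thread or Okta). Finds AD user accounts
# whose accountExpires has passed but that are still enabled, and disables them
# so the AD-to-Okta sync treats them like manually disabled accounts.
# Assumes the RSAT ActiveDirectory module and rights to disable users.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=Contractors,DC=example,DC=com",   # placeholder OU, change for your domain
    [switch]$Apply                                               # without -Apply the script only reports
)

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# Both 0 and [Int64]::MaxValue mean "account never expires", so neither counts as expired.
function Test-AccountExpired {
    param(
        [Int64]$AccountExpires,
        [DateTime]$Now = (Get-Date).ToUniversalTime()
    )
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [Int64]::MaxValue) { return $false }
    return ([DateTime]::FromFileTimeUtc($AccountExpires) -le $Now)
}

# Only enabled users are interesting: "expired but still enabled" is exactly the
# state that AD itself blocks at logon but that the sync to Okta does not see.
$candidates = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties accountExpires, AccountExpirationDate, mail |
    Where-Object { Test-AccountExpired -AccountExpires $_.accountExpires }

foreach ($u in $candidates) {
    $msg = "{0} ({1}) expired {2:u} but is still enabled" -f `
        $u.SamAccountName, $u.mail, $u.AccountExpirationDate

    if ($Apply -and $PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable-ADAccount")) {
        # Disabling in AD is the signal the Okta AD agent already honours.
        Disable-ADAccount -Identity $u
        Write-Output "DISABLED: $msg"
    }
    else {
        Write-Output "REPORT:   $msg"
    }
}
```

Run it once without -Apply to review the report, then with -Apply -WhatIf to see which accounts would be touched before letting it disable anything. Scheduling it to run shortly before each sync interval keeps the time between AD expiry and Okta deactivation bounded by the sync cadence rather than by whoever notices the account next. The two sentinel values for accountExpires matter: treating 0 or Int64.MaxValue as a date would disable every account that never expires.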


  • David Genenz (Customer)

    We're using delegated authentication with Okta/AD and I believe when we expire their accounts, it disables their ability to log into Okta.
  • Rocky (Customer)

    Hi David,

    Thanks for your response. We are also using delegated authentication. I have confirmed that expired AD accounts still remain active in Okta. Perhaps there is a setting I am missing?
  • j5v7c (j5v7c)

    Hi Rocky,

    We will doc your question and route it to the proper tech specialist who can give you a more detailed answer.

    Thank you for your feedback,

    Dylann Fezeu

    Okta Help Center Team
  • d8o5x (d8o5x)

    I've realized our org is experiencing the same issue with AD accounts set to expire - they remain active in Okta. I don't know if it's always been this way, or this has been a gap for a while.
  • David Genenz (Customer)

    I don't think this is so much a missing feature as it is an expected feature. For my organization, we use account expiration as a "hold" on accounts for contingent workers. So, managers aren't perfect at telling us when contingent workers come and go, so we set a max three month period for account expiration. This way, we have a fail-safe to remove their ability to use resources until the manager reconfirms their employment. If they are still working for us, we update the expiration and they haven't lost anything, as their Okta account remains intact (including Okta Verify, secret questions and answers...). If they aren't working for us any longer, we've effectively cut off their access, and then we can follow up with the managers, complete the paperwork needed, then complete the AD account disable and Okta cleanup.

    What I'd like to see though is potentially the reverse for the account expiration ownership: setting an expiration in Okta which suspends the Okta account and disables the AD account or other connected directory services, but giving the ability to renew or extend.

    -David
This question is closed.