
611iz (611iz) asked a question.
We have multiple domains and, since integrating with Workday, multiple Okta rules and associated groups for creating new users in the right OUs.
The rules are based on address. So for instance a rule is IF user.city="Raleigh" AND user.zip="27612" AND user.employeeType="Employee" then AssignTo "Raleigh-Employees". The group Raleigh-Employees is in rdu.company.net>Employees>RDU. This works great when a new user is created with a Raleigh address. It creates them right in that group and then the associated OU.
Well, we have multiple domains associated with the multiple cities we're in. So we have another rule, for example: IF user.city="Seattle" AND user.zip="98101" AND user.employeeType="Employee" then AssignTo "Seattle-Employees", which predictably is assigned to sea.company.net>Employees>SEA. This successfully creates users with a Seattle address in that OU.
The issue is that if HR kicks off an address change for a user that already exists, the rules run against that change. So if John Smith lives in Raleigh and is transferring to Seattle and HR goes ahead and changes his address to a Seattle address, the SEA rule runs against those changes, sees he has a nice new Seattle address, sees that he's not in the Seattle-Employees group, which then sees he's not in the sea.company.net>Employees>SEA OU. This then creates a new account for him in AD rather than moving him.
Is there a better way to do this? Is there a way for Okta to move a user instead of creating a new user? I realize that ADMT is typically used to transfer users between subdomains, so maybe there's an option for Okta to just do NOTHING but add them to the group when they already exist in AD? IT can then make the actual AD move later with ADMT.

Hi Dylan,
At first glance at your scenario, and to answer your question, Okta doesn't have the same architecture as AD to be able to move users like you would from OU to OU, for example. Okta is only able to give/take memberships for the users in the respective groups. In your particular situation, once the user no longer matches the rule you created, he is eliminated from that group. Like in the example you provided, he wouldn't match any rule between the two because you are using the AND operator and all factors need to be met in order for him to get assigned.
You could try redoing the group rules to be more malleable.
Link: https://developer.okta.com/reference/okta_expression_language/
Best regards,
Vlad Huma
Technical Support Engineer
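The following is an added simulation, not Okta's or Microsoft's code, that models the two AND-based rules from the question and the two provisioning behaviours discussed: the default "create a new account in the target domain" and the asker's preferred "only add the group, flag the AD move for ADMT" when the user already has an account in another domain. The rule table, the `Directory` class and the `guard_existing` flag are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample mirroring the question: (conditions, Okta group, AD domain the group provisions into).
RULES = [
    ({"city": "Raleigh", "zip": "27612", "employeeType": "Employee"}, "Raleigh-Employees", "rdu.company.net"),
    ({"city": "Seattle", "zip": "98101", "employeeType": "Employee"}, "Seattle-Employees", "sea.company.net"),
]


def matching_groups(profile):
    """AND semantics as in the question: every condition must hold for the rule to assign its group."""
    return {group for conds, group, _ in RULES
            if all(profile.get(k) == v for k, v in conds.items())}


def domain_for(group):
    """Look up which AD domain a group provisions into (assumed mapping from the question)."""
    return next(dom for _, grp, dom in RULES if grp == group)


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)       # login -> set of AD domains holding an account
    pending_moves: list = field(default_factory=list)  # (login, from_domain, to_domain) for ADMT


def sync_user(login, profile, directory, guard_existing=True):
    """Re-evaluate the rules for one user after a profile change and provision into AD.

    guard_existing=False reproduces the reported problem: a second account is created in the new
    domain. guard_existing=True models the asked-for behaviour: add the group, never create a
    duplicate, and record the move for IT to perform with ADMT. Returns (groups, actions).
    """
    groups = matching_groups(profile)
    existing = directory.accounts.setdefault(login, set())
    actions = []
    for group in sorted(groups):
        dom = domain_for(group)
        if dom in existing:
            actions.append(f"add {login} to {group}")
        elif existing and guard_existing:
            # Hypothetical guard: the user already exists elsewhere in AD, so do not create.
            directory.pending_moves.append((login, sorted(existing)[0], dom))
            actions.append(f"add {login} to {group}; queue ADMT move to {dom}")
        else:
            existing.add(dom)  # duplicate account when guard is off and user exists elsewhere
            actions.append(f"create {login} in {dom}; add to {group}")
    return groups, actions
```

Running the Raleigh-to-Seattle change with `guard_existing=False` yields two AD accounts for the same login, which is exactly the duplicate the question describes.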