
gb8vf (gb8vf) asked a question.
Hello,
I want to automatically sync Active Directory User Deletion in Okta. How do I do that?
Currently,
- I'm using the latest Agent versions. Okta Active Directory agent 3.4.13 and AD Password Sync Agents 1.3.6
- Active Directory is the Profile Master in Okta.
- Password changes in both Okta and AD sync automatically in realtime without any issues.
- I have enabled both JIT Provisioning and Schedule import (every hour) under Import and Provisioning.
When I delete a user in Active Directory, it does not delete the user in Okta. I checked after a few hours to make sure it was getting deleted by a scheduled import event, but no success.
When I do a FULL IMPORT, users deleted in Active Directory are disabled in Okta. How do I make this realtime without doing a manual full import?
Look forward to hearing from you. Thanks!

Navigate to Directory > Directory Integrations > Active Directory > Import > Import Now, then review the descriptions of incremental and full imports.
Note that it states for incremental imports that "Users not present in the data will not be changed. (This is the type of import performed by automatic scheduled imports.)" So if you delete the user, then the data is no longer present and the user will not be disabled in Okta. Now see the description for full imports that states, "Users not present in the data will be deactivated." So this is why running a full import will deactivate the user.
Instead of deleting the user entirely, just try disabling the user, so the data is still present and will get picked up by an incremental import the next time it's scheduled.
Hello Gabriel, Really appreciate your reply 🙂
We need to completely delete the Active Directory user instead of disabling it due to a business need, so we cannot use the disable-user option at the moment.
For now I'll use the Okta API to delete a user from Okta when we delete a user from AD, as we need to automate the process.
It would be better to have this feature in future releases 🙂
Hi, is there any news on this topic? We don't want deactivated users in Okta, as we like to have Okta and Azure AD synced (same user count in groups). The Lifecycle settings only allow "disable" or "suspend"!
Hello Georg,
We are currently using the following shell function to remove Okta users.
deleteOktaUser()
{
    # Usage: deleteOktaUser <username>  (expects OKTA_BASE_URL and OKTA_API_TOKEN in the environment)
    local USER_NAME="$1"
    local OKTA_USER_ID
    #
    # Get Okta UserID from the login. TLS certificate verification stays on: the API token is sent on every call.
    OKTA_USER_ID=$(curl -s -f -X GET \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
        "${OKTA_BASE_URL}/api/v1/users/${USER_NAME}@example.com" | jq -r '.id')
    if [ -z "${OKTA_USER_ID}" ] || [ "${OKTA_USER_ID}" = "null" ]; then
        echo "deleteOktaUser: no Okta user found for ${USER_NAME}" >&2
        return 1
    fi
    #
    # Disable Okta User (a user has to be DEPROVISIONED before it can be deleted)
    curl -s -f -X POST \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
        "${OKTA_BASE_URL}/api/v1/users/${OKTA_USER_ID}/lifecycle/deactivate?sendEmail=true"
    #
    # Delete Okta User (permanent; the exit status of curl is the function's result)
    curl -s -f -X DELETE \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
        "${OKTA_BASE_URL}/api/v1/users/${OKTA_USER_ID}?sendEmail=true"
}
Hi Yasitha,
Many people are asking for the same requirement. Please check out my Git project to DELETE Okta users in BULK based on their status (DEPROVISIONED). It's simple but powerful Python code to delete Okta users using the Okta API.
Refer to: https://github.com/vipulkaneriya/Okta
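A Python version of the deactivate-then-delete flow from the shell function above, with the status check that Vipul's bulk script keys on: Okta will only delete a user that is already DEPROVISIONED, so the deactivate call is skipped when the user is already in that state and a missing user is reported rather than treated as an error. This is an added example, not code from either poster or from Okta; it assumes the Okta User API endpoints already used in the thread, the OKTA_BASE_URL and OKTA_API_TOKEN environment variables, and the hypothetical class name OktaUserRemover. The transport is injectable so the flow can be exercised offline.

```python
"""Remove an Okta user by login: deactivate first (if needed), then delete."""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

class OktaUserRemover:
    """Two-step removal: the Okta delete call only succeeds on DEPROVISIONED users (hypothetical class name)."""
    def __init__(self, base_url, api_token, send=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"SSWS {api_token}",  # token travels only in the header, never in the URL
        }
        self.send = send or self._http  # transport is injectable so the flow can be tested offline

    def _http(self, method, path):
        """Real transport: (HTTP status, parsed JSON body or None). TLS verification stays on."""
        req = urllib.request.Request(self.base_url + path, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None

    def remove(self, login):
        """Return 'not-found' if Okta has no such user, 'deleted' once the user is gone."""
        status, user = self.send("GET", "/api/v1/users/" + quote(login, safe=""))
        if status == 404:
            return "not-found"  # already removed, or never imported into Okta
        if status != 200:
            raise RuntimeError(f"lookup failed for {login}: HTTP {status}")
        uid = user["id"]
        if user["status"] != "DEPROVISIONED":  # skip the deactivate step when Okta already reports it
            status, _ = self.send("POST", f"/api/v1/users/{uid}/lifecycle/deactivate?sendEmail=true")
            if status != 200:
                raise RuntimeError(f"deactivate failed for {uid}: HTTP {status}")
        status, _ = self.send("DELETE", f"/api/v1/users/{uid}?sendEmail=true")
        if status != 204:
            raise RuntimeError(f"delete failed for {uid}: HTTP {status}")
        return "deleted"

if __name__ == "__main__":  # usage: OKTA_BASE_URL=... OKTA_API_TOKEN=... python remove_okta_user.py <login>...
    remover = OktaUserRemover(os.environ["OKTA_BASE_URL"], os.environ["OKTA_API_TOKEN"])
    for login in sys.argv[1:]:
        print(login, remover.remove(login))
```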