I have to be honest here - the AD import process is one of the most frustrating issues I have with our Okta environment. I haven't encountered this exact scenario myself, but I often have both delta and full imports fail to pull in newly-created user accounts and groups, and it can be very frustrating at times (the amount of time it takes seems to be directly inverse to how quickly I need it to be imported). I really wish I had the ability to perform an on-demand import of a specific object AND point that task at a specific domain controller.

Imports from Active Directory can be impacted by the complexity of your environment. Consider how many domain controllers you have, how many sites (AD sites), which domain controller you were connected to when you created the new object versus which one the Okta AD agent is connected to during an import, and the AD replication delays between all of those things. By default, Active Directory replication within an AD site boundary is 5 minutes, and site-to-site is 15 minutes.

Sometimes it also seems like Okta enforces a minimum window between imports. I often retry an import when one fails to pull in an object I'm waiting for, and often I get the hated "0 Users. 0 Groups" response WAY too quickly. After several years, I've learned to expect these things and try my best to be patient. The back-end processes have greatly improved in the last four years, so I'm hopeful that they'll keep improving.

Mike, thats exactly what i experienced as well. As soon as I need a user really fast it just doesn't synchronize.

In this setup we talk about one site with 6 DCs so not that big thing. Hopefully they're going a "force update" button or something similar.

regards

Bernd

Regarding updating the OU's, try refreshing the app data. Okta caches a lot of information to know how to work with your unique integrations. For AD, that includes the OU structure. Navigate to Applications > More > Refresh Application Data.

Regarding replication, and I know this might be challenging for a large environment, but you may wish to try making the changes directly on the DC that the AD Agent is connected to. Especially if it's urgent and you don't wish to wait for replication.

Scheduled imports are incremental imports and not full imports. When you manually run an import and have the option to select a full or incremental, it will provide help text to explain the difference. The incremental import is looking for changes in data. It does not look for missing data. So if a user is moved to an OU not connected to Okta, the user will remain unchanged in Okta until a full import is run.

I commonly see individual users failing to import due to missing attributes. By default, Okta requires the username, email, first name, and last name. So if you skip providing a last name for a user in AD, they won't import into. You can also make additional attributes required.

If you don't want to wait for imports and assuming replication isn't an issue in the AD environment, you can also enable Just In Time (JIT) provisioning. If you create a user in AD that has not yet been imported into Okta, then JIT will automatically create the user account in Okta when they first login to Okta. Okta basically sees there's no existing user account, so checks AD for one. If it finds one, it creates the user account in Okta, any downstream provisioning will get triggered, and the user immediately has all their apps.