
u0hqg (u0hqg) asked a question.
I think that support articles in general (not just Okta) overlook certain issues because they are written by experienced admins who usually have a reasonably experienced audience. My question is probably a "no-brainer" for experienced Okta Admins. But, for a less experienced Okta admin (like me) I want FULL ASSURANCE before I try to pull the trigger on this. Because if/when I ever do, I believe there will be no turning back. The article below seems like the most accurate article that covers it. It covers it reasonably well. But, it doesn't clearly clarify something that I think it should. Please consider updating this article if you agree.
I am referring to the "Full Import" option that is described in the following help center article:
I understand the difference between an "incremental import" and a "full import". And I understand the purpose (and safety) of doing an incremental import regularly. My question is about the "Full Import".
Short Question(s):
Basically:
- Is a "full import" "SAFE" to run when you already have Okta populated with users from your AD?
- Is there "benefit" in doing this "full import" from time to time?
Please see my suggested 3 (not 2) options for this function below. What I am asking about here is what I define below as a "Full Realignment Import (from this AD)". Is this safe to do? I think it is. Is there benefit in "realigning" like this? I think there is.
But - Is it safe? Is it beneficial?
Detailed Version of same Question(s):
Let's look at the article referenced above.
From the article and the import page:
Select an import type:
- Incremental import — Only imports AD users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
- Full import — Imports all new and existing AD users. Matching rules are evaluated on all unconfirmed users. This is the type of import that occurs the first time you integrate Okta with AD. Deleted users, and users moved out of the Organizational Unit (OU), are deactivated in Okta only during Full Imports.
This doesn't clearly address two different scenarios for a "Full Import". And its description convolutes the two. Please consider clearly addressing both of these scenarios for a "Full Import" in the article referenced above (not just for me, but other Admins also). I have a suggestion for clearer understanding below. Break "Full Import" into two different types of "Full Import" based on the data already in place...
I might suggest offering three different Import options below (instead of the two). I know it might seem silly at first. But, I think this helps clarify the difference between what I will call an "Empty Target Full Import" and a "Pre-Populated Full Target" and the 3 different scenarios. It allows you to define each separation as a different option, based on the scenario already present in the data. And it gives reassurance of doing what I call below a "Full Realignment Import (from this AD)", which is what I am looking for confirmation on that it is safe to do.
Full import (First Time from this AD) — This option will be greyed out if you already have users in Okta from your source AD. This imports all existing AD users. Matching rules are evaluated on all users. This is the type of import that occurs the first time you integrate Okta with AD.
Incremental import — This option will be greyed out if you do not already have users in Okta from your source AD. Only imports AD users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
Full Realignment Import (from this AD) — This option will be greyed out if you do not already have users in Okta from your source AD. From time to time an Admin may want to perform a Realignment import after Okta has already been populated from the AD. This can help realign Okta user accounts with the AD user accounts. It imports all existing AD user accounts. Note - This will take much longer than an incremental. Different activity happens in this import, depending on the status of each account already within Okta. Below are the 4 different possible statuses of the target Okta account:
- 1) Account doesn't already exist in Okta - This will be added from AD as an "Unconfirmed Account in Okta" - It then is the same as *2 below.
- 2) Account already exists in Okta as an "Unconfirmed Account in Okta" - This account will need to be confirmed within Okta after import.
- 3) Account already exists in Okta as a "Confirmed Account in Okta". No changes will be made to this account.
- 4) Account exists in Okta but was not in the import from the AD. These accounts are automatically deactivated in Okta.
If nothing else, please just give me confirmation that performing a "Full Import" is "safe" to do even when you have many of the same AD accounts already in Okta. I am looking to do it as a "Realignment". But, it makes me nervous to consider doing this without at least confirmation that it is safe.
Please also consider my suggestion for creating 3 different import options defined above. I think it would help give assurance on occasional "Realignments". ----- AS LONG AS THEY ARE SAFE! ARE THEY?

I'm not an expert on this topic, but I have done Full imports many times with no issues. I find I have to use it to force Okta to recognize/import a new AD account that I created in AD just minutes before.
Hi @u0hqg (u0hqg),
Check out this video walkthrough which should help you out:
https://www.youtube.com/watch?v=RcNnG6cYLpY
Let us know if this helps answer your questions!
Thanks!
Tim
Okta, Inc.