
u7zfc (u7zfc) asked a question.

Okta accounts are not being deactivated when AD account is disabled

We have found that accounts in Okta are not being deactivated when hourly sync import occurs.

The accounts are only becoming deactivated when someone attempts to use the account, or when an admin opens a user account from Okta Directory.

We do use JIT for provisioning accounts in Okta.

Is this the expected behavior? Is there a way to make sure that Okta user accounts become deactivated when they are disabled in Active Directory? (Note we don't expire the accounts in AD.)


  • Mihai N. (Okta, Inc.)

    Hi @u7zfc (u7zfc), thank you for reaching out to the Okta Community!

    The scheduled imports are of the incremental variety. They look for changes in the AD uSNChanged attribute. If that has not changed since the last import, then the import will not affect the users in Okta.

    That being said, I've seen similar things happen due to an "incorrect" off-boarding process where users were moved to AD OUs (i.e. an OU specially designated for users that were marked for deactivation) that were not synced with Okta, then deactivated in AD before the import had a chance to happen. Hence the incremental import would not pick up any changes to the uSNChanged attribute. Later, the JIT flow would try to look up the user, would not find it, and therefore mark it as deactivated.

    Hope it helps!

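The failure mode described in the answer above (an account disabled in AD after being moved to an OU outside the Okta AD agent's import scope, so the incremental import never sees the uSNChanged update) can be audited from the AD side. The following PowerShell is an added example, not code from the thread or from Okta: it assumes the RSAT ActiveDirectory module, an Okta API token in `$env:OKTA_TOKEN`, a placeholder org URL, and that `$SyncedOUs` holds the OUs actually selected in the agent's import settings. It lists disabled AD users whose DN is outside those OUs and cross-checks which of them are still ACTIVE in Okta.

```powershell
# Added example (not from the Okta Community thread). Finds disabled AD accounts that sit
# outside the OUs the Okta AD agent imports and are therefore invisible to incremental
# imports, then checks whether they are still ACTIVE in Okta.
# Assumptions: RSAT ActiveDirectory module; Okta API token in $env:OKTA_TOKEN;
# $OktaOrg and $SyncedOUs are placeholders to replace with your own values.
Import-Module ActiveDirectory

$OktaOrg   = "https://example.okta.com"          # placeholder org URL
$SyncedOUs = @(
    "OU=Staff,DC=example,DC=com"                 # placeholder: OUs in the agent's import scope
)
$Headers = @{ Authorization = "SSWS $env:OKTA_TOKEN"; Accept = "application/json" }

# 1. Disabled AD accounts. uSNChanged is the attribute the incremental import keys on;
#    whenChanged shows when the account was last touched.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties uSNChanged, whenChanged, mail |
    Select-Object SamAccountName, mail, uSNChanged, whenChanged, DistinguishedName

# 2. Keep only accounts whose DN is not under any synced OU: an incremental import
#    cannot pick up the disable event for these, whatever uSNChanged says.
$outOfScope = $disabled | Where-Object {
    $dn = $_.DistinguishedName
    -not ($SyncedOUs | Where-Object { $dn -like "*,$_" })
}

# 3. Cross-check against Okta: which of these are still ACTIVE?
#    Matching on mail == Okta login is an assumption; adjust to your username mapping.
$stale = foreach ($u in $outOfScope) {
    if (-not $u.mail) { continue }
    $filter = [uri]::EscapeDataString("profile.login eq `"$($u.mail)`" and status eq `"ACTIVE`"")
    $hit = Invoke-RestMethod -Uri "$OktaOrg/api/v1/users?filter=$filter" -Headers $Headers -Method Get
    if ($hit) { $u }
}

if ($stale) {
    "Disabled in AD, outside synced OUs, still ACTIVE in Okta:"
    $stale | Format-Table SamAccountName, mail, whenChanged, DistinguishedName -AutoSize
} else {
    "No mismatches found."
}
```

Any account this reports is one that, per the answer above, will only be deactivated when JIT next looks it up and fails to find it. Two ways to close the gap: keep off-boarding OUs inside the agent's import scope (disable in place, or move first and let an import run before disabling), or trigger a full rather than incremental import after such moves so Okta re-evaluates every user regardless of uSNChanged.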