AndrewC.91861 (Ciena) asked a question.
Deactivating an active AD user
I have a workflow that runs daily, letting me know user last login dates. We have some partners that are in AD (required) but have not logged into Okta, or setup MFA. I want to deactivate these users to save licenses. I am not sure how I can deactivate them without AD re-activating automatically. I can't uncheck the 'reactivate' option, as we need this on for other normal users. I guess I could deactivate, disconnect from AD, and therefore cause an import conflict, but that gets messy if the user needs to login at some point. I could suspend the user, but that doesnt save any licenses.
Any suggestions?
Hi @AndrewC.91861 (Ciena),
Thank you for posting on the Okta community page!
Based on the information provided, my recommendation would be to deactivate the users in AD because this way, when an import will occur, they will be deactivated in Okta. Additionally, if the users are mastered by Active Directory, it’s best to make changes there and import the updates into Okta because that is the source of truth for the users and because this way you won’t create a conflict in your Okta flows.
If the AD users still need an active account in Active Directory, you could move these users to an OU that is not configured with Okta and this way they will not be re-activated after you deactivate them but this solution depends on how your environment is configured.
On another note, the Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.