Okta Classic Engine · Directories · Answered · 2024-04-03T16:09:08.000Z · 2022-11-02T05:52:00.000Z · 2022-11-22T21:45:56.000Z

RichardC.41425 (Customer) asked a question.

OKTA end date to AD account expiry date

What I want to achieve, ultimately, is to have OKTA Mastered Accounts to:

  1. Have an end date against them
  2. Have that end date pushed to populate the Active Directory Account Expiry Date

 

There are a lot of other things associated with this which I have good ideas on how to do – e.g. creating custom attributes in OKTA user profile to have an end date attribute etc, getting scheduled tasks running or workflows to scan all active users for that attribute, then interrogate the attribute and if end date = today then disable account in OKTA etc

 

And yes I know that if the account is disabled in OKTA it should also then master over AD and disable it in AD

 

 I am just aware that right now we have some potential needs to also have that expiry date populated in the AD object of the accounts – so I am just wondering if there is a way to do that.

 

i.e. push okta attribute for end date to populate the Active Directory Account Expiry Date?

  • MatthewH.10249 (State of Iowa)

    I would go with your idea of "e.g. creating custom attributes in OKTA user profile to have an end date attribute etc". If you are wanting the date to be set in Okta sometimes and in AD other times and don't want the AD value to be overwritten by Okta mapping, then use an expression to see if the value already exists in AD and, if so, leave it alone.

  • RichardC.41425 (Customer)

    Thanks for the response.

    I am wanting to explicitly be able to push a custom attribute in OKTA called "End Date" to populate the AD attribute of Account Expiry Date - and want to know how I can achieve this.

    • MatthewH.10249 (State of Iowa)

      1. First from the left nav in Okta Admin console select "Directory -> Profile Editor" and then select "Directories" from the "Users" list in the main screen and select the AD you want to map to.
      2. Next click the "Add Attribute" button and set the exact name of the AD account expiry date.
      3. Next click the "Mappings" button then select the "Okta User to <your AD>" tab.
      4. Next scroll down until you find the new attribute you created in step 2 and in the box to the left enter "user.endDate" or whatever the name of your custom Okta attribute is.
      5. Next click the dropdown arrow found between the two attributes (Okta & AD) and change that to the green arrow so it will set this attribute in AD when an account is created and updated in Okta.
      6. Next scroll to the bottom and use the preview box to make sure this will work as you expect.
      7. Last press the "Save Mappings" button.

       

      Hope this helps! Upvote and mark as best answer if it does.

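To check that an Okta end date and the value in AD agree after a mapping like the one described above, the following is an added example, not code from this thread or from Okta. It relies on AD's `accountExpires` format (100-nanosecond intervals since 1601-01-01 UTC, with 0 or 0x7FFFFFFFFFFFFFFF meaning "never expires"); the function names are hypothetical, and it assumes the Okta end date is an ISO 8601 string and that the AD value has already been read out as an integer.

```python
from datetime import datetime, timedelta, timezone

# AD stores accountExpires as 100-ns ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Both sentinel values mean "account never expires" in AD.
NEVER = (0, 0x7FFFFFFFFFFFFFFF)


def to_account_expires(end_date):
    """ISO 8601 date or datetime string -> accountExpires ticks.

    None maps to 0 (never expires). A value without a UTC offset is
    treated as UTC (assumption made for this example).
    """
    if end_date is None:
        return 0
    dt = datetime.fromisoformat(end_date)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_account_expires(ticks):
    """accountExpires ticks -> aware UTC datetime, or None for 'never'."""
    if ticks in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def expiry_drift(okta_end_date, ad_account_expires):
    """Return None when Okta and AD agree, otherwise a short finding."""
    expected = to_account_expires(okta_end_date)
    ad_never = ad_account_expires in NEVER
    if expected == 0:
        return None if ad_never else "AD has an expiry but Okta has no end date"
    if ad_never:
        return "Okta end date set but AD account never expires"
    if expected != ad_account_expires:
        actual = from_account_expires(ad_account_expires).isoformat()
        return f"AD expires at {actual}, Okta end date is {okta_end_date}"
    return None


if __name__ == "__main__":
    # Constructed sample: end date in Okta, AD object still set to "never".
    print(expiry_drift("2024-12-31", 0x7FFFFFFFFFFFFFFF))
```
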
  • Paul S. (Okta, Inc.)

    Hello @RichardC.41425 (Customer) Thank you for reaching out to our Community!

     

    Please see this article that might provide some assistance on the matter at hand:

    https://support.okta.com/help/s/article/How-to-convert-Active-Directory-accountExpires-into-date-format?language=en_US

     

    • JohnV.10228 (Customer)

      This looks like the opposite of what Richard is looking for.

       

      He is looking for Okta to Active Directory mapping. The link provided is for AD to Okta mappings.

  • RichardC.41425 (Customer)

    Thanks John - Yes Paul, sorry what you have answered is not what I am looking for.

This question is closed.