Okta Classic Engine | Administration | Answered (2023-02-07T14:40:59Z, 2023-05-05T22:00:31Z, 2025-12-16T09:00:27Z)

8vv6s (8vv6s) asked a question.

Sync Locked Account between Okta and Active Directory

Hi all,


I'm quite new to Okta. We configured the AD agent in our domain and set up Okta to use Delegated Authentication.

My problem is that I would like my AD account to be locked if the corresponding Okta account is, and the other way around.

I found a question from 2020 here: https://support.okta.com/help/s/question/0D51Y00008vbtCeSAI/active-directory-locks-not-propigating-to-okta

And I can read "Unless the lockout attribute from AD is mapped to a similar Okta attribute that governs the status, a lockout in AD won't automatically propagate to a lockout in Okta."

But how exactly can I map the lockout attribute with Okta? If I create a custom attribute, how can I tell Okta to change its value when the account is locked? Also, I need the propagation to take effect as soon as one of the accounts is locked (on Okta first or on AD first).

Can you please enlighten me?


Thank you.



  • Mihai N. (Okta, Inc.)

    Hi @8vv6s (8vv6s), thank you for reaching out to the Okta Community!


    The lockout is not considered a profile attribute in Okta, but rather a "state". As such, they cannot be mapped to one another for the purposes of automated state reflection (at least not currently, as far as I know).


    That being said, Okta does have the capability of unlocking AD sourced accounts. 

    For this you will need to configure the dedicated Active Directory Policies in Okta to mirror those in AD, in particular the one pertaining to the number of failed attempts before the account is locked.


    The caveats here are that this applies to lockouts caused by the user trying to sign in to Okta and does not account for users locking their accounts by failing to log in to the domain-joined device, AND

    it applies to wrong-password-related lockouts only; MFA lockouts are currently hard-coded at 5 failed attempts.


    Reference articles: 

    https://support.okta.com/help/s/article/AD-mastered-user-gets-locked-out-after-writing-a-lower-lockout-threshold-in-GPO-password-policy-vs-an-AD-password-policy-in-Okta?language=en_US

    https://support.okta.com/help/s/article/Why-do-active-Active-Directory-mastered-users-show-as-locked-out-in-Okta?language=en_US

    https://help.okta.com/en-us/Content/Topics/Security/policies/about-password-policies.htm


    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 


    Hope my answer helps! 

    Selected as Best
  • 8vv6s (8vv6s)

    Hi @Mihai N. (Okta, Inc.), thank you for your reply.

    I was wondering whether the lockout was a state, yes. But I thought maybe it was possible to influence this state via automation. For example, I know I can add the lockoutTime attribute to my AD profile. So if I could check this attribute in Okta and modify the state of the Okta account accordingly, it would be great.


    I know I can mirror the password policy in Okta to reflect the one I use on my local Active Directory, but the thing is my users can either log in directly via my Active Directory or via Okta, depending on which app they use.


    The fact that I use Delegated Authentication means that even if the user attempts to log in to an app using Okta, if their account is locked on Active Directory they will not be able to continue. But I would like the Okta user to be shown as locked in my administration console so it can be consistent across Okta and AD.


  • oofdh (oofdh)

    We have the same setup and issue. An AD account is locked out, but on the Okta side it does not show as locked out. The Unlock Account feature in Okta only appears to work if the Okta account is locked out. This is useless for self-service unlock and password reset if you are configured for Delegated Authentication. There has to be a fix for this, as this was one of the selling points to go with Okta (self-service password reset and account unlock).

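A reconciliation report for the mismatch the replies above describe (accounts locked in AD that Okta does not show as LOCKED_OUT), as an added PowerShell example that is not part of this thread or of Okta's own tooling. It assumes the RSAT ActiveDirectory module is available, that the Okta login equals the AD userPrincipalName, and that the org URL and the OKTA_API_TOKEN environment variable are placeholders for your own values.

```powershell
# Added example (not from the thread): list AD-locked users whose Okta status is not LOCKED_OUT.
# Assumptions (not stated on the page): RSAT ActiveDirectory module installed; Okta login == AD
# userPrincipalName; $OktaOrg is a placeholder org URL; OKTA_API_TOKEN holds a read-only admin token.
Import-Module ActiveDirectory

$OktaOrg = 'https://example.okta.com'                   # placeholder, replace with your org URL
$Headers = @{
    Authorization = "SSWS $($env:OKTA_API_TOKEN)"       # token comes from the environment, never hard-coded
    Accept        = 'application/json'
}

function Get-OktaUserStatus {
    # Returns the Okta user status (e.g. ACTIVE, LOCKED_OUT) for a login, or NOT_IN_OKTA on 404.
    param([Parameter(Mandatory)][string]$Login)
    $uri = "$OktaOrg/api/v1/users/$([uri]::EscapeDataString($Login))"
    try {
        return (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get).status
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) { return 'NOT_IN_OKTA' }
        throw   # anything else (401, 429, network) should surface, not be hidden
    }
}

# Currently locked AD accounts; Search-ADAccount honours the lockout duration, unlike a raw
# lockoutTime > 0 filter, which also matches accounts whose lockout has already expired.
$lockedInAd = Search-ADAccount -LockedOut -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties lockoutTime, UserPrincipalName }

$report = foreach ($u in $lockedInAd) {
    if (-not $u.UserPrincipalName) { continue }          # no UPN, so no login to look up in Okta
    $oktaStatus = Get-OktaUserStatus -Login $u.UserPrincipalName
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Login          = $u.UserPrincipalName
        AdLockedSince  = [datetime]::FromFileTime($u.lockoutTime)   # lockoutTime is a Windows FILETIME
        OktaStatus     = $oktaStatus
        # The inconsistency the thread is about: locked in AD, but Okta does not reflect it.
        Mismatch       = ($oktaStatus -ne 'LOCKED_OUT')
    }
}

$report | Where-Object Mismatch | Sort-Object AdLockedSince | Format-Table -AutoSize
```

Running this on a schedule gives administrators the list of users whose Okta console state disagrees with AD, which is the visibility the replies say Okta does not provide on its own.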
This question is closed.