Okta Classic Engine | Directories | Answered | 2023-08-15T16:41:36.000Z | 2023-08-14T12:23:10.000Z

MichaelN.53038 (Endicott College) asked a question.

Using Okta to disable accounts based on "Account Disabled Attribute" across other directory integrations

Currently our Okta environment is leveraging on-demand provisioning through AD. We have connectors, however, to both our AD and LDAP directories but haven't configured any syncing. Pre-Okta we had internal scripts to disable AD accounts when the user's LDAP account disabled attribute was set to N; however, those broke some time ago.

 

Now I'm looking to have Okta use the LDAP "Account Disabled Attribute" and use it to disable the Okta account and the AD account when it detects the change in value.


  • Hi @MichaelN.53038 (Endicott College), thank you for reaching out to the Okta Community!

     

    This should be possible if you have an LDAP → Okta → AD type of implementation. 

    As a very high-level description and based on the docs which mention that the "Account Disabled Attribute" can be used:

    As long as you have Okta integrated as the source of truth for your AD, it should just pass that along.  

     

    That being said, there are several variables, so please consult the respective documentation to see prerequisites/known issues/limitations before committing to any major changes and test the integration in a preview environment wherever possible.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

This question is closed.