
StevenY.58531 (Customer) asked a question.
We are working on developing some API calls to improve automation of tasks but I cannot find how to modify the active directory provider for a user. For example, we have a user who is on old-domain.local, and new-domain.local. Both domains are in the same Okta instance with delegated AD auth, with old-domain.local having the higher profile source.
We have imported and merged the user from both Active Directory sources so the object is associated with both AD instances.
However, if I do a GET on that User, the JSON only returns the provider for the higher priority domain, example:
"profile": {
  "firstName": "Emily",
  "lastName": "Johnson",
  "mobilePhone": null,
  "displayName": "Emily Johnson",
  "secondEmail": null,
  "login": "emily.johnson@new-domain.com",
  "email": "emily.johnson@original-domain.com"
},
"credentials": {
  "provider": {
    "type": "ACTIVE_DIRECTORY",
    "name": "original-domain.local"
  }
}
If I make an API call to pass JSON to try and change that to new-domain.local, it never updates even though the command doesn't fail. If I disconnect the user from AD in the GUI, it removes them from the first instance (original domain) but leaves them connected properly to the new-domain.local.
However, I noticed that when removing it the log shows
"Feb 12 10:04:42
Steven Yurgelevic (User)
Remove user's application membership
SUCCESS
Emily Johnson (AppUser)
Active Directory (AppInstance)
1 more targets"
So my questions are the following:
1. If I have a merged user who is tagged back to both AD instances, how can I do a GET via API call either in Postman or via Python to have it list ALL of the providers, not just the priority?
2. MORE IMPORTANT: How can I use the API calls to either remove the user from the original-domain.local AD instance like with the GUI trigger "Remove From Active Directory" or force it to use the new-domain.local? I think the former will solve the problem easier than the latter.
Thank You.

Hello @StevenY.58531 (Customer), thank you for reaching out to our Community!
For your first question, the API call will only show the highest Profile master of a user during the API call.
For your second question, there is no API call that will change the Profile master of a user at this time.
However, you can add a Feature Request on our Idea section, for a chance that this functionality will be added in the future.
https://support.okta.com/help/s/ideas
Thank you, I found that it treats active directory like apps so I can remove the profile sourcing for the account and then import match from the correct AD for import.
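
Added example, not part of the thread and not Okta's own code: following the last reply's observation that AD instances behave like apps, this builds the Okta Apps API requests to list every app instance assigned to a user and to unassign the user from one AD instance, refusing to do so unless the user is also assigned to the domain being kept. Assumptions: AD instances report the app name `active_directory` with the domain as their label; the org URL, token and ids are constructed placeholders; the page does not confirm that Okta accepts the unassign call for an AD instance.

```python
import urllib.parse
import urllib.request

# Constructed sample of a list-apps-for-user response (ids and fields are illustrative).
SAMPLE_APPS = [
    {"id": "0oaCONSTRUCTED1", "name": "active_directory", "label": "original-domain.local"},
    {"id": "0oaCONSTRUCTED2", "name": "active_directory", "label": "new-domain.local"},
    {"id": "0oaCONSTRUCTED3", "name": "bookmark", "label": "Intranet"},
]

def _request(method, url, token):
    # Okta API tokens are sent with the SSWS authorization scheme.
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method=method)

def list_user_apps_request(org_url, token, user_id):
    """Request listing every app instance assigned to the user, AD instances included."""
    query = urllib.parse.urlencode({"filter": f'user.id eq "{user_id}"'})
    return _request("GET", f"{org_url}/api/v1/apps?{query}", token)

def ad_instances(apps):
    """Map AD domain label -> app instance id (assumes AD apps have name 'active_directory')."""
    return {a["label"]: a["id"] for a in apps if a.get("name") == "active_directory"}

def plan_ad_removal(apps, org_url, token, user_id, drop_domain, keep_domain):
    """Return the DELETE request that unassigns the user from drop_domain, or None.

    Refuses to plan anything unless the user is also assigned to keep_domain,
    so the account is never left without an AD source by mistake.
    """
    instances = ad_instances(apps)
    if keep_domain not in instances:
        raise ValueError(f"user is not assigned to {keep_domain}; refusing to remove")
    if drop_domain not in instances:
        return None  # already removed, nothing to do
    url = f"{org_url}/api/v1/apps/{instances[drop_domain]}/users/{user_id}"
    return _request("DELETE", url, token)

if __name__ == "__main__":
    req = plan_ad_removal(SAMPLE_APPS, "https://example.okta.com", "PLACEHOLDER_TOKEN",
                          "00uCONSTRUCTED", "original-domain.local", "new-domain.local")
    print(req.get_method(), req.full_url)  # inspect, then send with urllib.request.urlopen(req)
```

The requests are only built, never sent, so the plan can be reviewed before anything changes in the org.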