Tags: Okta Identity Engine, Identity Governance. Status: Answered. Timestamps: 2024-03-05T19:24:39Z, 2024-03-06T18:26:09Z, 2026-03-16T09:00:23Z.

7jv04 (7jv04) asked a question.

How to send the Active Directory GUID (externalId) to Okta when Okta is mastering AD

Context:

My environment imports users from our HR app into Okta, and then Okta pushes those users out to be created in AD. I do want the GUID that is created in AD to flow back to Okta, but aside from correctly setting up the mapping, I'm not finding how to let AD populate that attribute back in Okta. I don't want any other attributes or changes to flow backward to Okta besides the AD GUID.

I thought maybe I need to specify Active Directory as the profile source for that attribute in Okta; however, since Active Directory is a directory, not an application, it does not look like you can pick it to be the source for that attribute.

I can test that the mapping is correct by previewing a user, and the desired GUID is in fact returned, but I'm not seeing that GUID populate in a user's Okta profile even if that user is imported new (newly created). Has anyone out there tried this?

 


  • 7jv04 (7jv04) (Selected as Best)

    UPDATE! Pardon me as I'm still fairly new to the Okta platform, but it is absolutely possible to set Active Directory as a profile source.

    Enable Profile Sourcing:
      • In the Okta Admin Console, go to Directory > Directory Integrations.
      • Click on Active Directory.
      • Navigate to the Provisioning tab and select To Okta in the Settings list.
      • Scroll down to Profile & Lifecycle Sourcing and click Edit.
      • Check the Allow Active Directory to source Okta users box.

    I was mentally tripping over the official "Profile Sources" definition: "A profile source is an APPLICATION that acts as a source of truth for user profile attributes. A user can only be sourced by a single application or directory at a time." ...That, and the fact that most of the documentation out there assumes AD is sourcing users to Okta. I hope this is helpful to others!
  • TimL.58332 (Workflows)

    @7jv04 (7jv04)

    Take a look at: https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-define-attribute-profile-source.htm

    Once you override the source and set it to what you want, navigate into Directory > Profile Editor > Directories > Mappings for your AD and set the mapping.

    Edit: Figured I would add some more.

    Then you can go back to Directory > Directory Integrations. Choose your AD instance, then click on Provisioning. Set it to "To Okta"; you can scroll down and will see the attribute is now mapped, and you can make additional configuration changes (like when to update it).
  • 7jv04 (7jv04)

    Appreciated, Tim! The problem is I cannot set Active Directory as a profile source. The mapping of the attribute from AD (GUID, which is a custom attribute) to Okta (externalId) is complete and correct, and it works when previewing a user. However, since I cannot set Active Directory as a profile source, it does not appear as a choice in Source priority when "override profile source" is selected. I actually may need to open a support case with Okta for this.
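Added example, not code from this thread or from Okta: once the accepted answer's steps are in place and AD is allowed to source Okta users, a practitioner would want to confirm that externalId actually flowed back for every user rather than previewing one at a time. The script below audits Okta user records for a GUID-shaped externalId; the org URL, API token, GUID text form and the sample user records are assumptions or constructed values.

```python
import re
from typing import Iterable

# Assumption: the AD GUID arrives in Okta in canonical text form,
# e.g. 3f2504e0-4f89-11d3-9a0c-0305e82c3301 (8-4-4-4-12 hex groups).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def audit_external_ids(users: Iterable[dict]) -> dict:
    """Classify Okta user records by the state of profile.externalId.

    Returns {"ok": [logins], "missing": [logins], "malformed": {login: value}}
    so that users where nothing flowed back, or where the wrong AD attribute
    was mapped, stand out.
    """
    report = {"ok": [], "missing": [], "malformed": {}}
    for user in users:
        profile = user.get("profile", {})
        login = profile.get("login", user.get("id", "?"))
        ext = profile.get("externalId")
        if not ext:
            report["missing"].append(login)
        elif GUID_RE.match(ext):
            report["ok"].append(login)
        else:
            report["malformed"][login] = ext
    return report


def fetch_okta_users(org_url: str, api_token: str):
    """Page through GET /api/v1/users (Okta Users API) and yield raw user dicts.

    Pagination follows the Link: rel="next" header that Okta returns.
    Assumption: the `requests` package is installed; it is imported here so
    the offline audit above still runs without it.
    """
    import requests

    url = f"{org_url}/api/v1/users?limit=200"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    while url:
        resp = requests.get(url, headers=headers, timeout=30)
        resp.raise_for_status()
        yield from resp.json()
        url = resp.links.get("next", {}).get("url")


# Constructed sample records standing in for API output (not real users).
SAMPLE_USERS = [
    {"id": "00u1", "profile": {"login": "alice@example.com",
                               "externalId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"}},
    {"id": "00u2", "profile": {"login": "bob@example.com"}},  # nothing flowed back
    {"id": "00u3", "profile": {"login": "carol@example.com",
                               "externalId": "CN=carol,OU=Users,DC=example,DC=com"}},
]

if __name__ == "__main__":
    print(audit_external_ids(SAMPLE_USERS))
```

Against a live org, replace SAMPLE_USERS with fetch_okta_users("https://<org>.okta.com", token); a large "missing" list after the sourcing change usually means the "To Okta" update schedule has not run yet, while "malformed" entries point at the wrong AD attribute being mapped to externalId.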
This question is closed.