
CommunityI.88681 (Customer) asked a question.
We're using on-prem AD and Okta as the identity provider. Recently, we found that the ImmutableID for one account does not match across systems.
On-prem AD: [aaaaaaa]
Entra ID: [bbbbbbb]
Okta: [bbbbbbb]
It's not possible to change this in on-prem AD and it is possible to change it in Microsoft 365 but if we change it there, it doesn't match in Okta. I'm not sure how this broke but it is causing problems.
- When the ImmutableID doesn't match between on-prem AD and Entra ID, there is an error in the sync tool. This is not causing any problems for the end-user, just showing an annoying error there but all is fine for the end-user.
- When the ImmutableID doesn't match between Okta and Entra ID, it is because on-prem AD reset the Entra ImmutableID. Microsoft then shows an error to the end-user saying that the resources are not available.
There are some scenarios when the on-prem AD will overwrite the Entra ImmutableID. We can fix this temporarily by manually changing the ImmutableID in Entra but it reverts in a few weeks or a few months. The solution will require changing this in Okta. How can I do this?
Also, we don't know how this broke. Is it possible that it broke because someone unassigned the application for her and then reassigned it? Would this break it?

Hello @CommunityI.88681 (Customer) Thank you for posting on our Community page!
If users are mastered by AD, the recommendation in this case is to have the Immutable ID from AD.
In this case the recommended mapping for this would be hasDirectoryUser()?findDirectoryUser().externalId:null
For more details on this, please see article below:
https://support.okta.com/help/s/article/handling-immutable-id-issues-in-okta-for-microsoft-365-assignments?language=en_US
Thank you for reaching out to our Community and have a great day!
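The question describes three copies of one identifier (AD, Entra ID, Okta) drifting apart, and the answer says AD should be the source of the ImmutableID. The script below is an added example for auditing that, written for this thread and not taken from Okta or Microsoft. It assumes the default Entra Connect behaviour, where ImmutableID is the base64 encoding of the AD objectGUID's 16 raw bytes in the mixed-endian order AD stores them (the same bytes .NET's Guid.ToByteArray() produces), and it assumes the Okta directory user's externalId for AD-mastered users carries that same base64 value, which is why the recommended mapping hasDirectoryUser()?findDirectoryUser().externalId:null keeps Okta in step with AD. The GUID and the mismatched values are constructed stand-ins for the redacted [aaaaaaa]/[bbbbbbb] in the question; okta_mapping is a hypothetical Python model of that Okta expression, not an Okta API.

```python
import base64
import uuid

# Constructed sample values (not from the thread; its real values were redacted).
SAMPLE_AD_OBJECT_GUID = "01234567-89ab-cdef-0123-456789abcdef"


def guid_to_immutable_id(object_guid: str) -> str:
    """Derive the value Entra Connect writes as ImmutableID from an AD objectGUID.

    Assumption (default Entra Connect behaviour): ImmutableID is the base64
    encoding of the GUID's 16 raw bytes in the mixed-endian layout that
    Active Directory stores, which Python exposes as UUID.bytes_le.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse of guid_to_immutable_id: trace an Entra/Okta value back to the
    AD object it should belong to. Rejects values that are not a 16-byte GUID,
    which is how a hand-edited or corrupted ImmutableID usually shows up."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))


def okta_mapping(directory_user):
    """Hypothetical Python model of the Okta expression
    hasDirectoryUser()?findDirectoryUser().externalId:null
    used as the Microsoft 365 ImmutableID attribute mapping."""
    if directory_user is None:
        return None
    return directory_user.get("externalId")


def audit_immutable_ids(ad_object_guid, entra_immutable_id, okta_external_id):
    """Compare the three copies, treating AD as the source of truth (the
    answer's recommendation for AD-mastered users), and report which
    system(s) drifted so the fix is applied in the right place."""
    expected = guid_to_immutable_id(ad_object_guid)
    return {
        "expected_from_ad": expected,
        "entra_matches_ad": entra_immutable_id == expected,
        "okta_matches_ad": okta_external_id == expected,
        "okta_matches_entra": okta_external_id == entra_immutable_id,
    }


if __name__ == "__main__":
    expected = guid_to_immutable_id(SAMPLE_AD_OBJECT_GUID)
    # Constructed drift: Entra and Okta agree with each other but not with AD,
    # the same shape as the question's [aaaaaaa] vs [bbbbbbb]/[bbbbbbb].
    drifted = guid_to_immutable_id("ffffffff-ffff-ffff-ffff-ffffffffffff")
    print("expected ImmutableID from AD:", expected)
    print(audit_immutable_ids(SAMPLE_AD_OBJECT_GUID, drifted, drifted))
    # With the recommended mapping, Okta's value is derived from the directory
    # user's externalId, so it follows AD once the directory import is current.
    print("Okta mapping yields:", okta_mapping({"externalId": expected}))
```

Run it against the real objectGUID (for example from Get-ADUser with the ObjectGUID property), the ImmutableID from Entra ID and the externalId from the Okta directory user; if entra_matches_ad is false but okta_matches_entra is true, the value was changed in Entra by hand and, as the question notes, AD will eventually overwrite it again, so the durable fix is the Okta-side mapping rather than another manual edit in Entra.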