
BoxA.14415 (Customer) asked a question.
We have found in the past 1-2 years that we have to manually do a full sync to keep our users up to date as far as being disabled or having applications removed. Our scheduled sync is set to run each hour and works for some users, but when we run a full sync each day we have 10-20 users that get disabled. If we wait for a few months we see over 2,000 users get removed after a full import. We see no errors or logs showing that the partial sync is not working (as it does create new users and has disabled some users).
I'm hoping that the feature request to trigger a full import via API (which has been accepted and is apparently on the roadmap) comes out soon, but nonetheless it seems like the AD agents or the partial import doesn't work anymore.
Any suggestions from anyone? It's more of an annoyance right now having to log in and trigger a full import, but it is just one more thing that we manually have to do to get our one application up to date in Okta.

Hello @BoxA.14415 (Customer), thank you for contacting Okta Community.
If a user is moved to an OU in Active Directory that is not selected in Okta, an Incremental Import will not see this change. You can read more about this below:
How AD Incremental Imports Work
User Disabled in Active Directory is Not Deactivated in Okta after Scheduled Import
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.
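
A reconciliation check for the gap described in the reply above, as an added example that is not part of the original thread and not Okta's own code: it compares an AD user export with an Okta user export and flags Okta-active accounts that are disabled in AD or now sit outside the selected OUs. The export layout, the sample data, and matching the local part of the Okta login to sAMAccountName are assumptions.

```python
# Added example: find accounts a scheduled incremental import left ACTIVE.
# Assumes both directories have been exported to lists of dicts.

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account


def in_scope(dn, selected_ous):
    """True if the DN sits under one of the OUs selected for import."""
    dn = dn.lower()
    return any(dn.endswith("," + ou.lower()) for ou in selected_ous)


def find_stale(ad_users, okta_users, selected_ous):
    """Return {login: reason} for Okta-ACTIVE users that AD says should be off."""
    ad_by_login = {u["sAMAccountName"].lower(): u for u in ad_users}
    stale = {}
    for okta_user in okta_users:
        if okta_user["status"] != "ACTIVE":
            continue  # already deactivated or suspended in Okta
        # Assumption: local part of the Okta login equals sAMAccountName.
        login = okta_user["login"].split("@")[0].lower()
        ad = ad_by_login.get(login)
        if ad is None:
            stale[login] = "missing from AD export"
        elif int(ad["userAccountControl"]) & ACCOUNTDISABLE:
            stale[login] = "disabled in AD"
        elif not in_scope(ad["distinguishedName"], selected_ous):
            stale[login] = "moved outside selected OUs"
    return stale


# Constructed sample data (not taken from the thread).
SELECTED_OUS = ["OU=Staff,DC=example,DC=com"]
AD_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "distinguishedName": "CN=Alice,OU=Eng,OU=Staff,DC=example,DC=com"},
    {"sAMAccountName": "bob", "userAccountControl": 514,
     "distinguishedName": "CN=Bob,OU=Staff,DC=example,DC=com"},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "distinguishedName": "CN=Carol,OU=Leavers,DC=example,DC=com"},
]
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob@example.com", "status": "ACTIVE"},
    {"login": "carol@example.com", "status": "ACTIVE"},
    {"login": "erin@example.com", "status": "ACTIVE"},
]

if __name__ == "__main__":
    for login, reason in sorted(find_stale(AD_USERS, OKTA_USERS, SELECTED_OUS).items()):
        print(f"{login}: {reason}")
```

Run on a schedule, a non-empty result shows that a full import is due, along with the reason each account drifted.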