Skip to main content

Okta-AD Integration guide

This guide walks through configuring an Okta-mastered integration of on-premises Active Directory (AD) with Okta according to MSP best practices.

WARNING

If the customer environment includes both on-premises AD and Microsoft 365, on-premises AD must be integrated with Okta before M365. Completing the M365 integration first will cause problems that are difficult to resolve.

If M365 is already integrated, contact ZeroTek Support (support@zerotek.com) before proceeding and we can assist.

BEFORE YOU BEGIN

This guide assumes the target Okta org has been configured according to MSP best practices by completing the New Org Setup guide. If you have not completed the New Org Setup, do that first.

ZeroTek strongly recommends practicing these procedures in a sandbox environment before performing the integration for a customer Okta org.

About this guide

This guide is organized into six phases. Because each phase builds on the previous one, you should complete them in the order listed.

1️⃣ Design considerations

Before starting any procedures, make sure you understand the key design decisions that will shape the integration — particularly your mastery strategy and how Delegated Authentication should be configured.

2️⃣ Preparing AD for Okta

This phase covers how to prepare on-premises AD for a successful integration, including organizational unit (OU) structure and password policy alignment.

  1. Prepare an OU for AD users you will import to Okta

  2. Compare the governing password policies in Okta and Active Directory

3️⃣ Integration mechanics and service accounts

This phase covers the two service accounts required for the integration and how to prepare for installation of the Okta AD Agent.

  1. Create the Okta service account for the Okta AD Agent

  2. Enroll Google Authenticator TOTP for an Okta service account or shared admin account

4️⃣ Installing the Okta AD Agent

This phase covers testing connectivity and installing and configuring the Okta AD Agent.

  1. Test connectivity before installing the Okta AD Agent

  2. Install the Okta AD Agent

  3. Configure the Okta AD Agent settings

  4. Install an additional Okta AD Agent (optional)

5️⃣ Pre-synchronization configurations

This phase covers completing the Okta-AD integration and configuring Okta mastery before importing users.

  1. Configure basic settings and the user profile

  2. Disable Delegated Authentication

  3. Configure Okta-mastered provisioning for the AD integration

  4. Configure Okta to push new users to on-premises AD

6️⃣ Working with identity flows

This phase covers importing users and managing identity flows between Okta and on-premises AD in an Okta-mastered deployment.

  1. Import on-premises Active Directory users to Okta

  2. Mass activate Okta users

  3. Create and push a new Okta user to on-premises AD

  4. Update an AD user from ZeroTek

  5. Deactivate an AD user from ZeroTek

Troubleshooting

If you encounter issues during the integration, see Okta-AD integration – Troubleshooting.

Need help? ZeroTek Partners can email support@zerotek.com and our team will be happy to assist.

Related Articles
How ZeroTek works with Okta – key concepts
Managing Okta orgs in ZeroTek
User mastery – MSP best practices
New Org Setup guide
Okta-M365 Integration guide
Did this answer your question?