Migrating Okta Users from AD-sourced to HR-sourced
- Tony Fang
- Mar 28
- 2 min read
Introduction
Many organizations start their Okta integration using the Active Directory (AD) agent to import their user base into Okta. This is known as Active Directory as a Source (ADaaS). With delegated authentication enabled, users keep using their AD password in Okta, which makes the Okta transition much smoother. The resulting Okta users are AD-sourced and individually assigned to the AD application.

When an organization shifts to an HR as a Source (HRaaS) model, the recommended approach is for the HR system import to provision the Okta users and then Okta provisions the user to AD - usually via a group assignment. The resulting Okta users are HR-sourced and assigned to the AD application by group. With AD user deactivation enabled, if the user is removed from the group, the user is disabled in AD.

The Issue
For existing Okta users who were originally AD-sourced, even if they are added to the AD assignment group they remain individually assigned to the AD application. If they are subsequently removed from the AD assignment group, the user is not disabled in AD.
The solution is to change these users from individual assignment to group assignment. But how can we achieve that?
You may have noticed other Okta applications have an option to convert individual assignments to group assignments. You can convert selected users or convert all users in one go. Unfortunately, the Okta AD application does not have this functionality in the Okta Admin portal.
Manual workaround
The manual way to resolve this is to remove the individual assignment from the AD application. This will potentially disable the AD user which is undesirable. The user can then be added to the group which assigns them to AD. This will then enable the AD user. This manual approach is cumbersome, tedious and error-prone - especially if there is a large user base.
Unofficial workaround
Be warned this next section describes an unsupported workaround. Use this at your own risk. Test this out in a non-production environment before proceeding in your production environment.
If you go to any application with the Convert assignments option available, you can use Developer Tools (e.g. Ctrl-Shift-I in Chrome) to see the API call being invoked.
Click on Convert assignments > Convert all assignments > Convert all
In the Developer Console Network tab look for the convert All request.

You can observe a POST call is being made to the following API endpoint:
If you update the appId to the application ID of your AD application, you can invoke the same endpoint. It successfully converts all the individually assigned users to group assigned.
The API call can be easily invoked with Postman, Okta Workflows, curl, or your API tool of choice.
E.g. Postman

E.g. Okta Workflows

Be aware this API endpoint is not officially documented by Okta. Thus it could change without notice. Use at your own risk.
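As an added example (not code from the post or from Okta), the script below wraps the call so it can be checked rather than fired blind: it pages through the documented GET /api/v1/apps/{appId}/users endpoint, counts assignments by their scope field (USER for individual, GROUP for group assignment), optionally POSTs to the convert-all endpoint, and then recounts so the before/after totals can be compared. The org URL, the SSWS token, the AD application id, and the request body are assumptions to be filled in; the convert-all path is an obvious placeholder because the post does not quote it, so it has to be copied from the DevTools Network tab, appId substituted as the post describes.

```python
"""Added example (not from the post): compare AD app assignment scopes
before and after the convert-all call. Standard library only."""
import json
import re
import sys
import urllib.request

OKTA_ORG = "https://example.okta.com"       # assumption: your Okta org URL
API_TOKEN = "REPLACE_WITH_SSWS_API_TOKEN"   # assumption: an admin SSWS token
AD_APP_ID = "REPLACE_WITH_AD_APP_ID"        # assumption: appId of the AD app
# Placeholder: the convert-all endpoint is undocumented and not quoted in the
# post. Copy the path from DevTools and keep "{appId}" where the app id goes.
CONVERT_PATH = "<CONVERT_ALL_ASSIGNMENTS_PATH_FROM_DEVTOOLS>/{appId}"
CONVERT_BODY = {}   # assumption: replace with the body shown in DevTools, if any

# Constructed sample of Application User objects as returned by
# GET /api/v1/apps/{appId}/users; "scope" is USER (individual) or GROUP.
SAMPLE_APP_USERS = [
    {"id": "00u1", "scope": "USER", "status": "PROVISIONED"},
    {"id": "00u2", "scope": "GROUP", "status": "PROVISIONED"},
    {"id": "00u3", "scope": "USER", "status": "PROVISIONED"},
]


def summarize_scopes(app_users):
    """Count assignments by scope so before/after totals can be compared."""
    counts = {"USER": 0, "GROUP": 0, "OTHER": 0}
    for record in app_users:
        scope = record.get("scope")
        counts[scope if scope in ("USER", "GROUP") else "OTHER"] += 1
    return counts


def individually_assigned(app_users):
    """User ids still on an individual assignment (the ones the fix targets)."""
    return [r["id"] for r in app_users if r.get("scope") == "USER"]


def next_link(link_header):
    """Extract the rel="next" URL from an Okta Link header, or None."""
    if not link_header:
        return None
    for part in link_header.split(","):
        match = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if match:
            return match.group(1)
    return None


def _request(method, url, body=None):
    """Send one authenticated request; return (status, Link header, JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "SSWS " + API_TOKEN,
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, resp.headers.get("Link"), (json.loads(raw) if raw else None)


def list_app_users(app_id):
    """Page through every user assigned to the application (documented API)."""
    url = f"{OKTA_ORG}/api/v1/apps/{app_id}/users?limit=200"
    users = []
    while url:
        _, link, page = _request("GET", url)
        users.extend(page)
        url = next_link(link)
    return users


def convert_all_assignments(app_id):
    """POST to the undocumented convert-all endpoint captured from DevTools."""
    url = OKTA_ORG + CONVERT_PATH.replace("{appId}", app_id)
    status, _, body = _request("POST", url, body=CONVERT_BODY)
    return status, body


if __name__ == "__main__":
    before = list_app_users(AD_APP_ID)
    print("before:", summarize_scopes(before))
    print("individually assigned:", individually_assigned(before))
    if "--convert" in sys.argv:   # run without the flag first, in a test tenant
        print("convert:", convert_all_assignments(AD_APP_ID))
        print("after:", summarize_scopes(list_app_users(AD_APP_ID)))
```

Run it once without --convert to record the counts and the list of individually assigned ids, then with --convert; a successful conversion should leave the USER count at zero and the GROUP count raised by the same number, which is the check the admin console does not give you for the AD application.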
Next Steps
Should you require any assistance with the steps detailed above or have questions, please don't hesitate to book a meeting with the TechJutsu team.