Last updated: Jun 02, 2022

Active Directory

Integrate Okta with your on-premise Active Directory


The Okta Active Directory (AD) agent enables you to integrate Okta with your on-premise Active Directory (AD). AD integration provides delegated authentication support, user provisioning and de-provisioning. To enable AD integration, you must install the Okta AD agent, and import AD users and groups into Okta.

Many enterprises today are looking to implement a single-sign on (SSO) solution that enables their users to easily access all of their cloud and web applications. A key requirement of these solutions is Active Directory integration, which makes it possible to connect cloud applications back to a single source of truth, Active Directory.

Microsoft recommends Active Directory Federation Services (AD FS) to integrate Active Directory for cloud applications.  While AD FS is “free,” there are a number of hidden costs associated with it, including hardware purchase, setup, and ongoing maintenance.

“The cloud provisioning model that Okta is built on is very attractive because our business is becoming ecosystem-based, not just enterprise-based.”

– Mike Towers, CISO, Allergan

It’s time to rethink AD FS

If one were to think about what comprises a complete identity and mobility management solution, it would include automated provisioning, lifecycle management, mobile app management, and reporting from a single management interface. It would also be vendor-neutral, easy to set up, and support any cloud application.

AD FS doesn't fit the bill. It meets none of the above requirements. In its most basic configuration, AD FS  requires manual integration with Active Directory, using three types of servers: the Federation Service, the Federation Service Proxy, and the Web Server Agent. That becomes six servers when configured for high availability. Add more domains and the scalability problem becomes evident. AD FS has seen its day.

Okta believes in reducing on-premises server management as much as possible. Its 100% cloud-based platform can eliminate dependence AD FS servers. Okta can also help customers avoid using Azure AD Connect (DirSync) to synchronize Active Directory to Azure AD. And they don’t have to use Microsoft Identity Manager (MIM) for provisioning. Using Okta for AD integration can save a business $50K – $100K or more, and shave 14–20 months off of deployment time.

Okta simplifies and accelerates Microsoft deployments

Simplify and accelerate Microsoft deployments

Organizations can achieve simple and fast Microsoft deployments using Okta’s turnkey, vendor-neutral identity solution.  Here are some of the ways Okta can solve business challenges around AD integration.

Easy and powerful identity federation from Active Directory

Okta integrates with Active Directory using lightweight agents that run on any Windows machine with read access to the domain controller, and require no changes to firewall settings.  Okta supports delegated authentication, provisioning and deprovisioning, directory sync, and AD password management. Whenever a change occurs in either direction between Active Directory or Okta, those changes are synchronized incrementally.  An administrator can deactivate a user in Okta Universal Directory, and the user’s record in Active Directory will also be deactivated instantly.

Efficient domain consolidation

When mergers and acquisitions bring different companies and their resources together, consolidating domains, tools, and approaches to security can be a challenge. A modern, cloud-based approach can speed up and simplify this process. Existing users and groups from AD and LDAP can be imported into Okta, where the attributes can be transformed, manipulated, and logic applied to ensure data is clean and reconciled during the process.

Organizations can use Okta to connect an unlimited number of directories, consolidate users and groups from untrusted forests, and synchronize them all to a central Active Directory. Okta will manage these directories from a central admin console. Then once the user is authenticated to the AD domain, Okta will authenticate them into the cloud and to the applications they need.

Okta efficient domain consolidation

No credentials stored in the cloud, no out-of-sync passwords

When Okta is configured for delegated authentication to Active Directory, no AD credentials are stored in the cloud, and passwords never get out of sync. Unlike Windows Azure Active Directory and on-premises Azure AD Connect (DirSync), Okta maintains continuous connectivity with AD with its on-premises agents. When an AD user logs in, Okta agents check the password stored in AD in real-time.

Easy password reset

It doesn’t matter whether the user’s account is mastered in Active Directory or in the Okta Universal Directory. If a user changes their password via their Windows PC or an on-premises password management tool, Okta instantly uses that new password. Users can also change or reset their password through the Okta portal.

Start with Active Directory, go everywhere

Okta enables Active Directory identities to reach more than 6,000 pre-integrated applications, infrastructure and devices through the Okta Integration Network.

Okta's cloud-based identity and access management service acts as a single integration point that provides a highly available solution for all cloud and web-based applications.


Add this integration to enable authentication and provisioning capabilities.


Okta Verified
Okta Verified
The integration was either created by Okta or by Okta community users and then tested and verified by Okta.

Languages Supported