How to Move an Okta-Sourced User to Another Active Directory OU

Objective

To demonstrate the complete process of moving an Okta-sourced user from one Active Directory (AD) Organizational Unit (OU) to another.

Details

This guide walks through the step-by-step process of moving an Okta-sourced user from one AD OU to another. The key challenge with Okta-sourced users is that their profile is mastered in Okta, not in Active Directory. This means the OU move must be orchestrated through Okta’s provisioning groups and the Okta API, rather than directly in AD. By using Okta API (via Postman), the user’s assignment can be transitioned from an individual type to a group-based assignment, and then change the target OU accordingly.

Prerequisites

Before following this guide, ensure you have the following in place:

An Active Directory environment with at least two Organizational Units (e.g., User-Contractor OU and Users OU)
An Okta org with the Active Directory agent installed, configured, and running
Postman installed with the Okta Admin Management API collection imported
An Okta API token configured as an environment variable in Postman (base URL and API key headers set)
Admin access to Okta
Read-Write permissions on Active Directory Service Account
For this usecase, a user is created in Okta that has an account existing in AD

Configure Provisioning To Okta

Ensure that Profile and Lifecycle sourcing is NOT enabled so that the user’s profile source is Okta.

Configure Provisioning to App

Provisioning to App should be configured in order to support OU changes. Let’s look at the steps.

Navigate to To App settings in Directory Integration
Click Edit to enable the necessary provisioning options (such as Create /Update/Deactivate Users/Sync Password)
Configure the attribute mappings

Leave other options to default

Directory Import

Login to Okta and go to Directory>Directory Integrations
Select your Active Directory instance

Go to Import

Go to import tab and select import now option

Select full import to allow any new OUs to be imported

Import Status shows how many users and groups will be created/updated/deleted

Next search for the user to be used for OU movement

Okta finds an exact match

Click to confirm this user and confirm the assignment

Go to Directory>Directory Integrations
Click the Active Directory Instance
Observe the Assignment type of the user to be an Individual type

Click the user and observe the distinguishedName attribute value

Set Up Group-Based Provisioning to manage user movement via groups

Add a group in Okta

Go to Directory>Groups
Create groups and add AD OU to make them provisioning groups so that when a user is assigned to these groups the user is placed into the OU specified in the group (placement depends on the priority of the group as well)

Demo Group 1: TestADprovGroup

Under Directory Integrations, Select the AD Instance and then OU

Demo Group 2: TestADGroupUsers

Under Directory Integrations, Select the AD Instance and then OU

Assign the User to the Initial Provisioning Group

As a first step, assign the user to a provisioning group based on the user’s distinguished name attribute value which specifies the OU for the user (Ex: A user with OU as user-contractors will have to be in a provisioning group configured for the same OU)

Convert Individual Assignment to Group Assignment via Postman

To fully enable group-based routing, the user’s application assignment must be converted from an individual assignment to a group assignment using the Okta API.

Open Postman and configure your environment with the correct Okta base URL, API keys, and headers. Okta Admin Management API must have been imported.

Let’s look at the steps: