Automatic provisioning of to app Active Directory failed: Matching user not found


We would like to test Okta with Delegated AD comibination. We have a on promise security system which inserts records in AD with password after self registration by user.
We would like to test a scenario to create the user in Okta after he is created in AD and some how link the user with the existing AD.
You might say why you do not let AD to sync the user to Okta. The reason is we have some groups that we need user to be assigned to based on the information in our on Premise system. We do not know when sync happens so we have 2 ways
scenario 1- let AD to sync to Okta and then use the event Hook to create the Groups ( We are testing that) but event hook has delay so we want to test the second scenario

Scenario 2- User is created through on Premise in AD , AD does not sync to Okta at the time of creation and JIT is not set. We create and call APIs from our on premise application to create user with groups in one shot in Okta and set the user’s provider to our AD.

My issue is on the second scenario : User is created successfully In Okta with Correct groups. Also created successfully in AD with correct user name and password.
But when I login with the new user with AD password it does not let me in.
When I login with one of the admin account I can see the user but there is an Error for that user
Error:Automatic provisioning of user X to app Active Directory failed: Matching user not found Please fix this on the

Below is my setting and the way I called my API. I suspect the way that I set the authenticationProvider might not be correct.

Please note the users will always provisioned from on premise system not Okta

  • First here is the setting In directory integration → Provisioning
    To Okta: Okta username format : User Principal Name (UPN)

To App: AD username format: Okta username prefix

Also my APi call is set like:

ICreateUserRequest oktaCreateUserRequest = new CreateUserRequest();
IUserProfile UserProfile = new UserProfile();
UserProfile.FirstName = userInformation.FIRST_NAME.ToString();
UserProfile.LastName = userInformation.LAST_NAME;
UserProfile.Login = userInformation.USER_ID + “DefaultDomainPart”;
UserProfile.Email = userInformation.EMAIL_ADDRESS;
UserProfile.DisplayName = userInformation.FIRST_NAME + " " +
UserProfile.EmployeeNumber = userInformation.EmployerNumber;
oktaCreateUserRequest.Profile = UserProfile;
oktaCreateUserRequest.GroupIds = oktaGroupIds;

IAuthenticationProvider authenticationProvider = new AuthenticationProvider();
authenticationProvider.Name = “My Domain Server Name”;
authenticationProvider.Type = AuthenticationProviderType.ActiveDirectory;

IUserCredentials userCredential = new UserCredentials();
userCredential.Provider = authenticationProvider;

await oktaClient.Users.CreateUserAsync(createUserRequest, isActive)