Design + Working of AD Agent


I am very keen to understand the design and working of the AD agent, specifically around:

  1. How does the incremental sync work?
  2. How does delegated authentication against on-prem AD work using the AD agent?

Not sure if this is the right forum for this. I have tried to search across but didn't find answers to my above questions. Please help me answer these.


  1. The incremental import checks the relevant AD objects (based on the user and group filter and the OU selection) for changes to synchronize to Okta Universal Directory.
  • Incremental import — Only imports Active Directory users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
  • Full import — Imports all new and existing Active Directory users. Matching rules are evaluated on all unconfirmed users. This is the type of import that occurs the first time you integrate Okta with Active Directory. Deleted users, and users moved out of the OU, are deactivated in Okta only during full imports.
  2. Delegated authentication is performed securely via SSL egress sessions established by the AD agent connecting to the Okta cloud org on a cyclical basis; no ingress connections are requested.
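To make the difference between the two import types concrete, here is an added Python model of the import logic described in the answer above. It is not Okta's code and not part of the original post: the directory contents, the OU and group names, the `whenChanged` timestamps and the representation of a deleted user as a flag are all constructed assumptions. It shows the one behaviour practitioners most often get bitten by: a user moved out of the selected OU (or deleted in AD) keeps an ACTIVE Okta record across scheduled incremental imports and is only deprovisioned when a full import runs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data and a simplified model; not Okta's implementation.

@dataclass(frozen=True)
class ADUser:
    dn: str                 # e.g. CN=alice,OU=Staff,DC=corp,DC=example
    sam: str                # sAMAccountName, used here as the match key
    when_changed: datetime  # AD's whenChanged attribute
    member_of: frozenset    # DNs of the groups the user belongs to
    deleted: bool = False   # assumption: deletion modelled as a flag

@dataclass(frozen=True)
class ImportConfig:
    selected_ous: tuple     # OUs chosen in the agent's OU selection
    group_filter: frozenset # if non-empty, the user must be in one of these groups

def parent_container(dn):
    """Strip the leading CN= component to get the container the object lives in."""
    return dn.split(",", 1)[1]

def in_scope(user, cfg):
    """User/group filter and OU selection, as applied to every candidate object."""
    ou = parent_container(user.dn)
    in_ou = any(ou == sel or ou.endswith("," + sel) for sel in cfg.selected_ous)
    in_group = not cfg.group_filter or bool(user.member_of & cfg.group_filter)
    return in_ou and in_group

def run_import(ad, cfg, okta, last_import=None):
    """Simulate one import against an Okta user table (sam -> status).

    last_import=None means a full import; otherwise only objects changed after
    that timestamp are evaluated (incremental import). Returns the users that
    were evaluated, the users deactivated, and the resulting Okta state.
    """
    present = {u.sam for u in ad if not u.deleted and in_scope(u, cfg)}
    evaluated = sorted(
        u.sam for u in ad
        if u.sam in present and (last_import is None or u.when_changed > last_import)
    )
    for sam in evaluated:
        okta[sam] = "ACTIVE"          # create or update the Okta record
    deactivated = []
    if last_import is None:           # only a full import reconciles removals
        for sam, status in list(okta.items()):
            if status == "ACTIVE" and sam not in present:
                okta[sam] = "DEPROVISIONED"
                deactivated.append(sam)
    return evaluated, sorted(deactivated), dict(okta)

# --- constructed sample directory -------------------------------------------
UTC = timezone.utc
GROUP = "CN=OktaUsers,OU=Groups,DC=corp,DC=example"
STAFF = "OU=Staff,DC=corp,DC=example"        # the selected OU
ARCHIVE = "OU=Archive,DC=corp,DC=example"    # not selected
CFG = ImportConfig(selected_ous=(STAFF,), group_filter=frozenset({GROUP}))
LAST_IMPORT = datetime(2024, 3, 1, tzinfo=UTC)

SAMPLE_AD = (
    ADUser(f"CN=alice,{STAFF}", "alice", datetime(2024, 2, 10, tzinfo=UTC), frozenset({GROUP})),
    ADUser(f"CN=bob,{STAFF}", "bob", datetime(2024, 3, 5, tzinfo=UTC), frozenset({GROUP})),
    # carol was moved from OU=Staff to OU=Archive after the last import
    ADUser(f"CN=carol,{ARCHIVE}", "carol", datetime(2024, 3, 3, tzinfo=UTC), frozenset({GROUP})),
    # dave was deleted in AD after the last import
    ADUser(f"CN=dave,{STAFF}", "dave", datetime(2024, 3, 4, tzinfo=UTC), frozenset({GROUP}), deleted=True),
    # erin is in the OU but not in the filter group, so never in scope
    ADUser(f"CN=erin,{STAFF}", "erin", datetime(2024, 3, 6, tzinfo=UTC), frozenset()),
)

def okta_before():
    """Okta state as left by the previous import."""
    return {"alice": "ACTIVE", "carol": "ACTIVE", "dave": "ACTIVE"}

def incremental_import_demo():
    return run_import(SAMPLE_AD, CFG, okta_before(), last_import=LAST_IMPORT)

def full_import_demo():
    return run_import(SAMPLE_AD, CFG, okta_before())

if __name__ == "__main__":
    for name, result in (("incremental", incremental_import_demo()), ("full", full_import_demo())):
        evaluated, deactivated, okta = result
        print(f"{name}: evaluated={evaluated} deactivated={deactivated} okta={okta}")
```

Running it, the incremental import evaluates only bob (the one in-scope object changed since the last import) and leaves carol and dave ACTIVE in Okta, while the full import evaluates alice and bob and deprovisions carol and dave. If you rely on scheduled (incremental) imports alone, schedule a periodic full import or you will accumulate active Okta accounts for people who no longer exist in the selected OUs.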