Getting AD attributes through the API

Hi, I am unable to fetch AD attributes of synced users using the API. How can that be done, please?

But these values are not present in the JSON data:

{
    "id": "00uw2sodowQc75SUm697",
    "status": "ACTIVE",
    "created": "2025-10-03T18:45:59.000Z",
    "activated": "2025-10-03T18:58:06.000Z",
    "statusChanged": "2025-10-03T18:58:06.000Z",
    "lastLogin": "2025-10-03T20:36:17.000Z",
    "lastUpdated": "2025-10-07T18:50:40.000Z",
    "passwordChanged": null,
    "type": {
        "id": "otyw0o8ih5gS6YdQn697"
    },
    "profile": {
        "lastName": "Doe",
        "zipCode": "10001",
        "city": "New York City",
        "displayName": "John Doe",
        "secondEmail": "",
        "title": "IT Manager",
        "login": "john@contoso.com",
        "firstName": "John",
        "primaryPhone": "123456789",
        "mobilePhone": "123Mobile",
        "streetAddress": "5th Avenue",
        "countryCode": "US",
        "state": "New York",
        "department": "IT",
        "email": "john.doe@contoso.com"
    },
    "credentials": {
        "provider": {
            "type": "ACTIVE_DIRECTORY",
            "name": "contoso.com"
        }
    },

Thank you

I believe you would need to add attributes to the Okta user profile and map the values from AD over into Okta for them to show up in the /Users API response.

Thx. I thought that if I saw the attributes in the Okta GUI, I would be able to fetch them through the API. I am looking for a universal solution that would be able to identify which AD account the Okta account is mapped to (based on AD user SID or GUID or DN), regardless of customer environment settings. As I am building a multi-tenant app, I am looking for a universal solution. Maybe some special parameter for the /Users API?

BTW, this works out-of-the-box for AD-synced groups with the Okta Groups API:

{
        "id": "00gw2sznk2ILgD6lH697",
        "created": "2025-10-03T18:43:55.000Z",
        "lastUpdated": "2025-10-03T18:43:55.000Z",
        "lastMembershipUpdated": "2025-10-03T18:43:55.000Z",
        "objectClass": [
            "okta:windows_security_principal"
        ],
        "type": "APP_GROUP",
        "profile": {
            "name": "BloodHound Admins",
            "description": null,
            "windowsDomainQualifiedName": "CONTOSO\\BloodHound Admins",
            "groupType": "Security",
            "groupScope": "Global",
            "samAccountName": "BloodHound Admins",
            "objectSid": "S-1-5-21-3288850392-3299536932-2614793081-1220",
            "externalId": "3s050vv4QUG0Tw+haRw44g==",
            "dn": "CN=BloodHound Admins,OU=Employees,DC=contoso,DC=com"
        },
        "source": {
            "id": "0oaw2s86uvbMgRqW6697"
        },

I am interested in the same type of data for synced users.

I’m at least not aware of there being another way to get this information. Since this forum is more developer focused, particularly for custom OIDC, OAuth, and SCIM integrations, you could try asking in our main support community as well to see if there are any other ways to do this.

Got an answer at the community forum. AD attributes are accessible using the https://{yourOktaDomain}/api/v1/apps/{appId}/users endpoint. Here is a sample JSON response containing a synchronized user with the undocumented AD attributes:

{
        "id": "00uw2sodns18iSErV697",
        "externalId": "17SlmDcZSUSo/wuw/L/RoA==",
        "created": "2025-10-03T18:43:55.000Z",
        "lastUpdated": "2025-10-29T10:59:01.000Z",
        "scope": "USER",
        "status": "ACTIVE",
        "statusChanged": "2025-10-03T18:45:58.000Z",
        "passwordChanged": null,
        "syncState": "SYNCHRONIZED",
        "lastSync": "2025-10-29T10:59:01.000Z",
        "credentials": {
            "userName": "caldwell@contoso.com"
        },
        "profile": {
            "lastName": "Caldwell",
            "preferredLanguage": null,
            "telephoneNumber": null,
            "city": null,
            "displayName": "Rhonda Caldwell",
            "postalCode": null,
            "samAccountName": "caldwell",
            "description": null,
            "dn": "CN=caldwell,OU=Employees,DC=contoso,DC=com",
            "employeeID": null,
            "title": null,
            "employeeNumber": null,
            "division": null,
            "managerDn": "CN=john,OU=Employees,DC=contoso,DC=com",
            "countryCode": null,
            "primaryGroupId": "513",
            "state": null,
            "department": null,
            "email": "rhonda.caldwell@contoso.com",
            "adCountryCode": 0,
            "cn": "caldwell",
            "facsimileTelephoneNumber": null,
            "co": null,
            "firstName": "Rhonda",
            "deliveryOffice": null,
            "mobilePhone": null,
            "streetAddress": null,
            "departmentNumber": null,
            "objectSid": "S-1-5-21-3288850392-3299536932-2614793081-1115",
            "middleName": null,
            "managerUpn": null
        },
...
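Added example, not part of the original posts and not Okta's code: a Python helper that turns records from the `/api/v1/apps/{appId}/users` response quoted above into AD identity keys (SID, domain SID, RID, DN) and validates them before they are used as join keys. The function names are hypothetical, the second sample record is constructed, and reading `externalId` as the base64 of the 16-byte AD objectGUID is an assumption the thread does not confirm.

```python
import base64
import binascii
import re
import uuid

# Constructed sample: first record trimmed from the response quoted above,
# second record invented to exercise the missing-attribute path.
SAMPLE_APP_USERS = [
    {"id": "00uw2sodns18iSErV697", "externalId": "17SlmDcZSUSo/wuw/L/RoA==",
     "profile": {"samAccountName": "caldwell",
                 "dn": "CN=caldwell,OU=Employees,DC=contoso,DC=com",
                 "objectSid": "S-1-5-21-3288850392-3299536932-2614793081-1115"}},
    {"id": "00uCONSTRUCTED0000001", "externalId": None, "profile": {}},
]

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d{1,10}){3}-\d{1,10}")

def decode_guid(external_id):
    """Assumption: externalId is base64 of the raw objectGUID (Windows byte order)."""
    if not external_id:
        return None
    try:
        raw = base64.b64decode(external_id, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return None
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else None

def ad_identity(app_user):
    """Extract AD identifiers from one app-user record; absent fields become None."""
    profile = app_user.get("profile") or {}
    sid = profile.get("objectSid")
    if not (isinstance(sid, str) and DOMAIN_SID_RE.fullmatch(sid)):
        sid = None  # never use an unvalidated string as a join key
    domain_sid, _, rid = sid.rpartition("-") if sid else (None, "", None)
    return {
        "oktaUserId": app_user.get("id"),
        "objectSid": sid,
        "domainSid": domain_sid,
        "rid": int(rid) if rid else None,
        "dn": profile.get("dn"),
        "objectGuid": decode_guid(app_user.get("externalId")),
    }

def index_by_sid(app_users):
    """Map objectSid -> identity record, skipping users without a valid SID."""
    records = (ad_identity(u) for u in app_users)
    return {r["objectSid"]: r for r in records if r["objectSid"]}
```

Because the poster describes these attributes as undocumented, a multi-tenant consumer should treat every field as optional, which is why records without a valid SID are skipped rather than raising.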
