Saturday, 4 March 2017

Delete DEPROVISIONED Okta users using the API

Okta tombstones its users and does not delete them automatically when they are deactivated in AD. I run the script below on a schedule with an Okta API token to delete these users.
You'll need the Okta PowerShell module installed, and you must be a super user in Okta:
https://github.com/okta/oktasdk-csharp/tree/master/Okta.Core.Automation/


#Import the Okta module
Import-Module Okta.Core.Automation
 
#Connect to Okta using token and domain
Connect-Okta -Token alphanumerictoken -FullDomain "https://domain.okta.com"
 
 
###################Logging function
$LogDir = "$env:ProgramData\InstallLogs"
$Logfile = "$LogDir\DeleteOktaUsers_$(Get-Date -Format 'yyyyMMdd_hhmmsstt').log"
Function LogWrite($string, $color)
{
   if ($null -eq $color) {$color = "white"}
   Write-Host $string -ForegroundColor $color
   $string | Out-File -FilePath $Logfile -Append
}
 
#Create the log folder if it does not exist yet
if (-not (Test-Path -Path $LogDir))
{
    New-Item $LogDir -Type Directory | Out-Null
}
 
########################################
 
 
#Get a list of all DEPROVISIONED users
$AllUsers = Get-OktaUser -Filter 'status eq "DEPROVISIONED"'


#Export the list to a CSV file located in C:\ProgramData\InstallLogs
#(Export-Csv writes real CSV; Format-Table | Out-File only writes a text table)
$AllUsers | Select-Object @{L="FirstName";E={$_.profile.firstName}},
    @{L="LastName";E={$_.profile.lastName}},
    @{L="UserName";E={$_.profile.login}},
    @{L="ID";E={$_.id}},
    @{L="UserStatus";E={$_.Status}} |
    Export-Csv -Path "$LogDir\deprovisionedusers_$(Get-Date -Format 'yyyyMMdd_hhmmsstt').csv" -NoTypeInformation
 
 
#Loop through the list of deprovisioned users, delete each one and log the result to the logfile
foreach($user in $AllUsers){
   
    Delete-OktaUser $user.Profile.Login
    #$? is $true when the previous command succeeded
    if ($?) {
        LogWrite "Successfully deleted user $($user.Profile.Login)" green
    }
    else {
        LogWrite "Failed to delete user $($user.Profile.Login)" red
    }
}
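
A guarded variant of the scheduled job, as an added example that is not part of the original post: it reads the API token from a DPAPI-protected file instead of the script body, skips protected logins, and refuses to run past a deletion cap. The token file path, `$ProtectedLogins`, `$MaxDeletes`, `$DryRun` and `Select-DeletionCandidate` are assumptions; the Okta cmdlets are the ones the script above already uses.

```powershell
# Added example, not part of the original script.
# Hypothetical: the token file path, $ProtectedLogins, $MaxDeletes, $DryRun.

# Create the token file once, as the scheduled task's account, with:
#   Get-Credential | Export-Clixml <path>   (enter the API token as the password)
# On Windows the password is DPAPI-protected for that account on that machine.
$cred  = Import-Clixml -Path "$env:ProgramData\OktaCleanup\okta-token.xml"
$token = $cred.GetNetworkCredential().Password

Import-Module Okta.Core.Automation
Connect-Okta -Token $token -FullDomain "https://domain.okta.com"

$ProtectedLogins = @('breakglass@domain.com')   # constructed sample value
$MaxDeletes      = 25      # abort if more accounts than this would be removed
$DryRun          = $true   # set to $false only after reviewing the dry-run output

function Select-DeletionCandidate {
    param([object[]]$Users, [string[]]$Protected)
    foreach ($u in $Users) {
        # Re-check the status on each object instead of trusting the filter alone
        if ("$($u.Status)" -ne 'DEPROVISIONED') { continue }
        # Never touch accounts on the protected list
        if ($Protected -contains $u.Profile.Login) { continue }
        $u
    }
}

$found      = Get-OktaUser -Filter 'status eq "DEPROVISIONED"'
$candidates = @(Select-DeletionCandidate -Users $found -Protected $ProtectedLogins)

# A sudden spike in deprovisioned users usually means an AD sync problem,
# so stop and let a human look before anything is deleted.
if ($candidates.Count -gt $MaxDeletes) {
    throw "Refusing to delete $($candidates.Count) users (cap is $MaxDeletes)."
}

foreach ($u in $candidates) {
    if ($DryRun) {
        Write-Output "DRY RUN: would delete $($u.Profile.Login)"
        continue
    }
    Delete-OktaUser $u.Profile.Login
    if ($?) { Write-Output "Deleted $($u.Profile.Login)" }
    else    { Write-Warning "Failed to delete $($u.Profile.Login)" }
}
```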
