Active Directory Accounts

The Active Directory (AD) Accounts API provides operations for managing discovered AD accounts and account mappings.

List all Active Directory domains
Early Access

Lists all Active Directory domains that you (as the request user) can access based on the security policies

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

Responses
200

OK

get/v1/teams/{team_name}/active_directory
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Retrieve an Active Directory connection
Early Access

Retrieves an Active Directory connection that you (as the request user) can access

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

get/v1/teams/{team_name}/active_directory/{ad_connection_id}
Response samples
application/json
{
  "id": "a747a818-a4c4-4446-8a87-704216495a08",
  "name": "string"
}

List all Active Directory accounts within a connection
Early Access

Lists all Active Directory accounts within a connection that you (as the request user) can access

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

get/v1/teams/{team_name}/active_directory/{ad_connection_id}/accounts
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Retrieve an Active Directory account
Early Access

Retrieves an Active Directory account that you (as the request user) can access

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

get/v1/teams/{team_name}/active_directory/{ad_connection_id}/accounts/{ad_account_id}
Response samples
application/json
{
  "account": {
    "id": "a747a818-a4c4-4446-8a87-704216495a08",
    "username": "string",
    "account_type": "INDIVIDUAL",
    "availability_status": "AVAILABLE"
  },
  "checkout_details": {
    "checkout_required": true,
    "current_user_checkout_expires_at": "2019-08-24T14:15:22Z"
  }
}

Reveal the password for Active Directory account
Early Access

Reveals the password belonging to an Active Directory account that you (as the request user) can access

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
required
public_key
required
object (RawJSONWebKey)

A JSON Web Key formatted in accordance with RFC 7517.

alg
string (alg)

The algorithm of the key

Value: "RSA-OAEP-256"
crv
string (curve)

The curve used by the key

Enum: "P-256" "P-384" "P-521"
d
string <byte>

The exponent of the private key

dp
string <byte>

The first factor CRT exponent of the private key

dq
string <byte>

The second factor CRT exponent of the private key

e
string <byte>

The exponent of the public key

k
string <byte>

The key

kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The key ID

kty
string (kty)

The key type

Enum: "EC" "OKP" "RSA" "oct"
n
string <byte>

The modulus of the public key

p
string <byte>

The first prime factor of the private key

q
string <byte>

The second prime factor of the private key

qi
string <byte>

The first CRT coefficient of the private key

use
string

The intended use of the key

x
string <byte>

The x coordinate of the key

x5c
Array of strings

A list of X.509 certificates

x5t
string

The SHA-1 thumbprint of the X.509 certificate

x5t#S256
string

The SHA-256 thumbprint of the X.509 certificate

x5u
string

The URL of the X.509 certificates

y
string <byte>

The y coordinate of the key

user_access_method
required
object (UserAccessMethod)
access_credential
required
string

The user credential that's used to access the resource

Enum: "managed" "password" "ssh-certificate" "ssh-certificate-admin" "ssh-certificate-sudo" "rdp-broker-certificate" "rdp-broker-certificate-admin" "encrypted-ssh-password" "encrypted-rdp-password"
availability_details_text
string

This text displays in the user interface (CLI) to show resource availability status with checkout requirements and checkout expiry time. The availability status displays only for the CLI user who previously checked out the resource.

brokered
required
boolean

If true, the connection is brokered by the server agent

checkout_requirements
object (CheckoutRequirements)

Checkout requirements

max_checkout_duration_in_seconds
integer

The maximum duration (in seconds) that a resource can be checked out. If the security policy checkout duration configuration is overridden, the maximum duration is based on the project's checkout settings.

required
boolean

Indicates if checkout is required

conditionals
Array of objects (UserAccessConditional)

A list of required conditions to use the user access method

Array
access_request_type_id
string

Used by access_request conditionals to define the ID of a specific request type

access_request_type_name
string

Used by access_request conditionals to define the name of a specific request type

acr_values
string (ConditionsMFAACRValues)

Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values.

Enum: "urn:okta:loa:2fa:any" "phr"
urn:okta:loa:2fa:any

Any two factors. Allows two-factor authentication with no requirement on which factors are used.

phr

OIE orgs only: Phishing-Resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.

condition_is_met
boolean

If true, the condition is currently met

description
string

A description of the condition

expires_after_seconds
integer <int64>

Used by access_request conditionals to define the number of seconds the approval remains valid

type
string (UserAccessConditionalType)

The type of condition

Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"
current_user_checkout_expires_at
string <date-time>

The checkout expiry time for the current user

details
object

User access method details

Array of objects (SecretPath)

List of secrets

object (SecurityPolicySecretPrivilege)

A list of privileges granted to the user

secret_id
string

The ID of the secret used to access the resource

secret_name
string

The name of the secret used to access the resource

identity
required
string

The user account that's used to access the resource

resource_status
required
string

Resource availability status that's displayed to end users

Enum: "available" "checked_out" "checked_out_by_other_user" "unavailable"
rule_ids
Array of strings

A list of rule IDs that result in identical user access methods

server_host_name
required
string

Server host name

server_id
required
string

The ID of the resource

short_text
string

A short description that's used to identify the access method in the user interface

sudo_command_bundles
Array of objects (SudoCommandBundleForConnectionInfo)

Collection of all the sudo-related commands a user can access in a single string format

Array
ent_type
required
string

Entitlement type

sudo_add_env
Array of strings

Additional environmental variables

sudo_commands
Array of strings

List of sudo commands

sudo_group_name
required
string

Sudo group name

sudo_id
required
string

Sudo ID

sudo_login_username
required
string

Sudo login username

sudo_name
required
string

Sudo name

sudo_noexec
required
boolean

If true, sudo is configured with noexec

sudo_nopasswd
required
boolean

If true, sudo can be used without a password

sudo_runas
required
string

Sudo run as

sudo_setenv
required
boolean

If setenv is allowed

sudo_sub_env
Array of strings

A list of environment variables to be used to substitute your current environment

user_access_type
required
string

The type of access method

Responses
200

Success

401

Unauthorized

404

Not found

post/v1/teams/{team_name}/active_directory/{ad_connection_id}/accounts/{ad_account_id}/reveal_credentials
Request samples
application/json
{
  "public_key": {
    "alg": "RSA-OAEP-256",
    "crv": "P-256",
    "d": "string",
    "dp": "string",
    "dq": "string",
    "e": "string",
    "k": "string",
    "kid": "/regex/",
    "kty": "EC",
    "n": "string",
    "p": "string",
    "q": "string",
    "qi": "string",
    "use": "string",
    "x": "string",
    "x5c": [
    ],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "y": "string"
  },
  "user_access_method": {
    "access_credential": "managed",
    "availability_details_text": "string",
    "brokered": true,
    "checkout_requirements": {
    },
    "conditionals": [
    ],
    "current_user_checkout_expires_at": "2019-08-24T14:15:22Z",
    "details": {
    },
    "identity": "string",
    "resource_status": "available",
    "rule_ids": [
    ],
    "server_host_name": "string",
    "server_id": "string",
    "short_text": "string",
    "sudo_command_bundles": [
    ],
    "user_access_type": "string"
  }
}
Response samples
application/json
{
  "password_jwe": "string"
}
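The reveal exchange above is a request-side JWK and a JWE reply: the caller supplies an RSA-OAEP-256 public key under `public_key`, and the service returns the password encrypted to it as `password_jwe`, so the plaintext is never on the wire. The Go program below is an added example, not Okta's own code: it generates a key pair, renders the public half as the RawJSONWebKey the request expects, assembles the request body, and decrypts the reply; because the page fixes only the key-wrapping alg, the content-encryption algorithm A256GCM and the compact serialization are assumptions, and `EncryptJWE` is a stand-in for the server so the round trip can run offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// RSAPublicJWK is the subset of RawJSONWebKey sent as "public_key": kty, n, e, alg and a UUID kid.
type RSAPublicJWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK renders the public half of the caller's key pair; the private half never leaves the client.
func PublicJWK(pub *rsa.PublicKey, kid string) RSAPublicJWK {
	return RSAPublicJWK{Kty: "RSA", Alg: "RSA-OAEP-256", Kid: kid,
		N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}
}

// RevealRequestBody builds the POST body; userAccessMethod is the object returned by user_access_methods.
func RevealRequestBody(jwk RSAPublicJWK, userAccessMethod json.RawMessage) ([]byte, error) {
	return json.Marshal(map[string]any{"public_key": jwk, "user_access_method": userAccessMethod})
}

func gcmFor(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE stands in for the server so the round trip runs offline: it wraps a random 256-bit
// content key with RSA-OAEP (SHA-256) and seals the password with A256GCM (assumed enc) as a compact JWE.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	keyAndIV := make([]byte, 32+12)
	if _, err := rand.Read(keyAndIV); err != nil {
		return "", err
	}
	cek, iv := keyAndIV[:32], keyAndIV[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(cek)
	if err != nil {
		return "", err
	}
	// AAD is the ASCII of the base64url protected header; Seal appends the 16-byte tag.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(b64url(hdr)))
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	return strings.Join([]string{b64url(hdr), b64url(wrapped), b64url(iv), b64url(ct), b64url(tag)}, "."), nil
}

// DecryptJWE is the client side: it opens password_jwe with the private key and rejects any
// header that is not RSA-OAEP-256 / A256GCM, so a downgraded or foreign JWE is never decrypted.
func DecryptJWE(priv *rsa.PrivateKey, compact string) ([]byte, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("not a compact JWE: expected 5 segments, got %d", len(parts))
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Enc string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" || len(raw[2]) != 12 {
		return nil, fmt.Errorf("unexpected JWE header alg=%q enc=%q or IV length", hdr.Alg, hdr.Enc)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, fmt.Errorf("content key unwrap failed")
	}
	gcm, err := gcmFor(cek)
	if err != nil {
		return nil, err
	}
	// Open verifies the GCM tag over ciphertext and AAD before releasing the password.
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}
```

Generate the key pair per reveal call and discard it once the password is decrypted; the returned JWE is only as confidential as that private key.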

List all user access methods for an Active Directory account
Early Access

Lists all user access methods for an Active Directory (AD) account based on the security policies

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

get/v1/teams/{team_name}/active_directory/{ad_connection_id}/accounts/{ad_account_id}/user_access_methods
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

List all Active Directory accounts
Early Access
Admin roles:
  • security_admin

Lists all Active Directory accounts

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

query Parameters
contains
string

Only return results that include the specified value

ad_account_type
string

The type of Active Directory account

Enum: "SHARED" "INDIVIDUAL"
ad_connection_id
Array of strings <regex> (UUID)

The UUIDs of Active Directory connections

Example: ad_connection_id=a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/all_active_directory_accounts
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

List all discovered Active Directory accounts
Early Access
Admin roles:
  • resource_admin

Lists all discovered Active Directory accounts

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/accounts
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Retrieve a discovered Active Directory account
Early Access
Admin roles:
  • resource_admin

Retrieves a particular discovered Active Directory account by ID

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/accounts/{ad_account_id}
Response samples
application/json
{
  "checkout_expiry_at": "2019-08-24T14:15:22Z",
  "checkout_status": "checked_out",
  "last_checkout_user": "string",
  "next_scheduled_password_rotation_reason": "string",
  "next_scheduled_password_rotation_timestamp": "2019-08-24T14:15:22Z",
  "account_name": "string",
  "account_type": "SHARED",
  "brought_under_management_at": "2019-08-24T14:15:22Z",
  "display_name": "string",
  "distinguished_name": "string",
  "domain": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "email": "string",
  "first_name": "string",
  "last_name": "string",
  "last_rotation_at": "2019-08-24T14:15:22Z",
  "match_status": "MATCH",
  "matched_user": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "project": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "resource_group": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "sam_account_name": "string",
  "sid": "string",
  "upn": "string",
  "last_password_change_error_metadata": "string",
  "last_password_change_error_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_system_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_type": "string",
  "last_password_change_success_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_system_timestamp": "2019-08-24T14:15:22Z",
  "password_change_error_count": 0,
  "password_change_error_count_since_last_success": 0,
  "password_change_success_count": 0
}

Retrieve an Active Directory account match
Early Access
Admin roles:
  • resource_admin

Retrieves information about an Active Directory (AD) account that's matched with an Okta Privileged Access (OPA) user. This request is only valid for individual AD accounts, not shared accounts. AD account rules for this connection control the match between AD accounts and OPA users.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/accounts/{ad_account_id}/match
Response samples
application/json
{
  "ad_account_id": "a747a818-a4c4-4446-8a87-704216495a08",
  "force_no_match": true,
  "match_override_user_id": "string",
  "rule_match_user_id": "string"
}

Update an Active Directory account match
Early Access
Admin roles:
  • resource_admin

Updates the Okta Privileged Access (OPA) user to match an Active Directory (AD) account and overrides any match configured from an AD account rule. This match override persists across any updates to the connection account rules.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
force_no_match
boolean

If true, don't match an OPA user to this Active Directory account. If match_override_user_id is set, this property must be unset or false.

match_override_user_id
string

The resource admin OPA user ID that you want to match to the specified AD account. If this property is null, empty, or unset, any existing override on the AD account is removed. You can only set one of match_override_user_id or force_no_match.

Responses
200

Success

401

Unauthorized

404

Not found

put/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/accounts/{ad_account_id}/match
Request samples
application/json
{
  "force_no_match": true,
  "match_override_user_id": "string"
}
Response samples
application/json
{
  "ad_account_id": "a747a818-a4c4-4446-8a87-704216495a08",
  "force_no_match": true,
  "match_override_user_id": "string",
  "rule_match_user_id": "string"
}

Retrieve the Active Directory account rule settings
Early Access
Admin roles:
  • resource_admin

Retrieves the Active Directory account rule settings

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rule_settings
Response samples
application/json
{
  "allow_partial_matches": true,
  "is_configured": true,
  "matching_criteria": {
    "display_name": true,
    "email": true,
    "first_and_last_name": true,
    "username": true
  },
  "partial_matching_criteria": [
    {
    }
  ]
}

Configure the Active Directory account rule settings
Early Access
Admin roles:
  • resource_admin

Configures the Active Directory account rule settings that apply to the entire list of required account rules

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
required
allow_partial_matches
boolean

Allow partial matches for the defined criteria

matching_criteria
object

This matching criteria only applies to individual account rules. Imported users are recognized as an exact match if they match all of the following attributes.

display_name
boolean

If set, display name attribute must match

email
boolean

If set, email attribute must match

first_and_last_name
boolean

If set, first and last name attributes must match

username
boolean

If set, username attribute must match

partial_matching_criteria
Array of objects (ActiveDirectoryPartialMatchingCondition)

Conditions for partial matching on Active Directory account and Okta user names

Array
match_value
string

String value for the partial matching condition

operator
string (ActiveDirectoryPartialMatchingOperator)

Partial matching operator for Active Directory account and Okta user names

Enum: "ENDS WITH" "STARTS WITH"
Responses
204

No Content

401

Unauthorized

404

Not found

post/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rule_settings
Request samples
application/json
{
  "allow_partial_matches": true,
  "matching_criteria": {
    "display_name": true,
    "email": true,
    "first_and_last_name": true,
    "username": true
  },
  "partial_matching_criteria": [
    {
    }
  ]
}
Response samples
application/json
{
  "code": 401,
  "message": "Missing capability: role",
  "nottype": "authorization_error"
}

List all Active Directory account rules
Early Access
Admin roles:
  • resource_admin

Lists all Active Directory account rules

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Create an Active Directory account rule
Early Access
Admin roles:
  • resource_admin

Creates an Active Directory account rule

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
required
name
string

The name of the Active Directory account rule

organizational_units
Array of strings

The list of organizational units to discover individual accounts from

project
object (NamedObject)
id
string

The UUID of the object

missing
boolean

Boolean value determining if the named object with the given ID is valid

resource_group
object (NamedObject)
id
string

The UUID of the object

missing
boolean

Boolean value determining if the named object with the given ID is valid

rule_type
string

The type of the Active Directory account rule

Enum: "SHARED" "INDIVIDUAL"
Responses
200

No Content

401

Unauthorized

404

Not found

post/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules
Request samples
application/json
{
  "name": "string",
  "organizational_units": [
    "string"
  ],
  "project": {
    "id": "string",
    "missing": true
  },
  "resource_group": {
    "id": "string",
    "missing": true
  },
  "rule_type": "SHARED"
}
Response samples
application/json
{
  "id": "a747a818-a4c4-4446-8a87-704216495a08",
  "name": "string",
  "organizational_units": [
    "string"
  ],
  "priority": 0,
  "project": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "resource_group": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "rule_type": "SHARED"
}

Set the priority of Active Directory account rules
Early Access
Admin roles:
  • resource_admin

Sets the priority of Active Directory account rules

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
Array
priority
integer [ 1 .. 100 ]

Specify the new priority of the Active Directory account rule. Lower numbers have higher priority.

rule_id
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of the Active Directory account rule

Responses
200

Success

400

Bad request

401

Unauthorized

404

Not found

409

Conflict

post/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules/reorder
Request samples
application/json
[
  {
    "priority": 1,
    "rule_id": "a747a818-a4c4-4446-8a87-704216495a08"
  }
]
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Retrieve an Active Directory account rule
Early Access
Admin roles:
  • resource_admin

Retrieves an Active Directory account rule

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_rule_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account rule

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules/{ad_account_rule_id}
Response samples
application/json
{
  "id": "a747a818-a4c4-4446-8a87-704216495a08",
  "name": "string",
  "organizational_units": [
    "string"
  ],
  "priority": 0,
  "project": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "resource_group": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "rule_type": "SHARED"
}

Update an Active Directory account rule
Early Access
Admin roles:
  • resource_admin

Updates an Active Directory account rule

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_rule_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account rule

Example: a747a818-a4c4-4446-8a87-704216495a08
Request Body schema: application/json
name
string

The name of the Active Directory account rule

organizational_units
Array of strings

The list of organizational units to discover individual accounts from

project
object (NamedObject)
id
string

The UUID of the object

missing
boolean

Boolean value determining if the named object with the given ID is valid

resource_group
object (NamedObject)
id
string

The UUID of the object

missing
boolean

Boolean value determining if the named object with the given ID is valid

rule_type
string

The type of the Active Directory account rule

Enum: "SHARED" "INDIVIDUAL"
Responses
204

No Content

put/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules/{ad_account_rule_id}
Request samples
application/json
{
  "name": "string",
  "organizational_units": [
    "string"
  ],
  "project": {
    "id": "string",
    "missing": true
  },
  "resource_group": {
    "id": "string",
    "missing": true
  },
  "rule_type": "SHARED"
}

Delete an Active Directory account rule
Early Access
Admin roles:
  • resource_admin

Deletes an Active Directory account rule

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
ad_account_rule_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account rule

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
204

No Content

401

Unauthorized

404

Not found

delete/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/rules/{ad_account_rule_id}
Response samples
application/json
{
  "code": 401,
  "message": "Missing capability: role",
  "nottype": "authorization_error"
}

Retrieve the Active Directory account sync status
Early Access
Admin roles:
  • resource_admin

Retrieves the Active Directory account sync status

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

ad_connection_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory connection

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

Success

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_assignment/active_directory/{ad_connection_id}/sync_status
Response samples
application/json
"NOT_SYNCED"

List all Active Directory accounts in a resource group
Early Access
Admin roles:
  • security_admin
  • delegated_security_admin

Lists all Active Directory accounts in a resource group

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

query Parameters
contains
string

Only return results that include the specified value

ad_account_type
string

The type of Active Directory account

Enum: "SHARED" "INDIVIDUAL"
ad_connection_id
Array of strings <regex> (UUID)

The UUIDs of Active Directory connections

Example: ad_connection_id=a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_groups/{resource_group_id}/all_active_directory_accounts
Response samples
application/json
{
  "list": [
    {
    }
  ]
}

Retrieve an Active Directory account
Early Access
Admin roles:
  • resource_admin
  • security_admin
  • delegated_resource_admin
  • delegated_security_admin

Retrieves an Active Directory account in a resource group project

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

project_id
required
string

The UUID of a project

ad_account_id
required
string <regex> (UUID) ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The UUID of an Active Directory account

Example: a747a818-a4c4-4446-8a87-704216495a08
Responses
200

OK

401

Unauthorized

404

Not found

get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/active_directory_accounts/{ad_account_id}
Response samples
application/json
{
  "checkout_expiry_at": "2019-08-24T14:15:22Z",
  "checkout_status": "checked_out",
  "last_checkout_user": "string",
  "next_scheduled_password_rotation_reason": "string",
  "next_scheduled_password_rotation_timestamp": "2019-08-24T14:15:22Z",
  "account_name": "string",
  "account_type": "SHARED",
  "brought_under_management_at": "2019-08-24T14:15:22Z",
  "display_name": "string",
  "distinguished_name": "string",
  "domain": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "email": "string",
  "first_name": "string",
  "last_name": "string",
  "last_rotation_at": "2019-08-24T14:15:22Z",
  "match_status": "MATCH",
  "matched_user": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "project": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "resource_group": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "sam_account_name": "string",
  "sid": "string",
  "upn": "string",
  "last_password_change_error_metadata": "string",
  "last_password_change_error_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_system_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_type": "string",
  "last_password_change_success_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_system_timestamp": "2019-08-24T14:15:22Z",
  "password_change_error_count": 0,
  "password_change_error_count_since_last_success": 0,
  "password_change_success_count": 0
}