During Okta AD Agent installation, what type of permissions must the service account have?

For the successful installation and operation of the Okta Active Directory (AD) Agent, the service account requires domain user permissions. This level of access is sufficient for the agent to read user and group information from Active Directory, which is crucial for provisioning and authentication processes.

Domain user permissions enable the service account to interact with the AD without granting excessive privileges that could pose security risks. Using a service account with domain user permissions strikes a balance between necessary access and security, ensuring that the agent can function correctly without being able to make changes to the directory beyond its operational needs.

Permissions such as super user or admin are excessive for this scenario, as they grant broader access than necessary, potentially increasing security vulnerabilities. Read-only permissions would not provide enough access for the operations that the AD agent needs to perform, such as reading user attributes or querying groups. Thus, domain user permissions are the appropriate level for the Okta AD Agent service account.