What happens if an AD user's profile does not have permission to access the Okta application?

If an Active Directory (AD) user's profile does not have permission to access an Okta application, the outcome is that the user cannot sign in. In a typical integration scenario between Active Directory and Okta, access permissions are granted based on the user's attributes and the policies defined in Okta. If a user lacks the necessary permissions assigned to their profile for a specific application, the authentication request will be denied.

This maintains security by ensuring that only authorized users can access sensitive applications and data. If users could attempt to log in without the correct permissions, it would create unnecessary security risks and potentially expose the application to unauthorized access attempts.

The other options describe scenarios that wouldn’t occur in this case. For instance, if the user could be provisioned but lacks access, they would still potentially be able to sign in but would not have the ability to use the application, which is not reflective of the scenario outlined in the question. Similarly, being prompted for additional verification or redirected to a login page does not align with the access control mechanism at play when permissions are the primary factor in access denial.