Import groups from Active Directory

You can import groups from any forest or domain connected to Okta. The Okta Active Directory (AD) agent detects all groups in the domain or the Organizational Units (OUs) that you select. If you register an Okta AD agent for more than one domain and you have the root OU selected for all domains, it imports all groups.

Okta limits the total number of bytes that an AD or LDAP agent can send to the Okta server in a single request. To stay under that limit during an import, result sets containing multiple group objects are split into several batches, and each batch is sent in a separate request.

A single group that by itself exceeds the size limit is still sent to Okta, but the request might be rejected with a standard HTTP 413 (Payload Too Large) error. The length of the group's distinguishedName (dn), the length of each member's dn, and the number of members all contribute to the total bytes sent, so a large group whose members have long DNs is the most likely to hit the limit.

If you receive an HTTP 413 (Payload Too Large) error, Okta recommends splitting direct group membership into nested groups or sub-groups, so that each group's payload fits within the size limit and can be sent in a single request.

Okta does not support nested groups as a hierarchy. Instead, it flattens them during import: it follows nested group membership for each group member and adds the user directly to each corresponding group in Okta.
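As an added worked example (not Okta's code and not taken from this page), the script below parses an LDIF export of AD groups, estimates each group's payload from the group DN and its member DNs, flags the groups that would exceed a size limit, and proposes a split into sub-groups that each fit. The byte estimate (group DN plus member DNs, as UTF-8), the value of `ASSUMED_LIMIT_BYTES`, and the `-NN` sub-group naming are this example's assumptions, since the page does not state Okta's exact cap or payload framing; the sample LDIF is constructed.

```python
"""Added example (not Okta's code): estimate the per-group payload the Okta AD
agent sends and plan a split for groups that would trip the size limit.

Assumptions (the page does not state them):
  * payload ~= UTF-8 length of the group DN + UTF-8 length of every member DN;
    the real agent adds per-attribute framing, so this is a lower bound.
  * ASSUMED_LIMIT_BYTES is made up; set it to what your tenant rejects with 413.
  * sub-groups are named "<CN>-NN"; the naming scheme is this example's choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ASSUMED_LIMIT_BYTES = 1_000  # deliberately tiny so the constructed sample trips it

# Matches "dn: ..." and "member: ...", including AD ranged retrieval such as
# "member;range=0-1499: ...", which AD returns for groups with >1500 members.
_ATTR_RE = re.compile(r"^(dn|member(?:;range=\d+-(?:\d+|\*))?): (.*)$", re.IGNORECASE)


@dataclass
class AdGroup:
    dn: str
    members: list[str]


def _unfold(ldif_text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space) back onto the line above."""
    lines: list[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw.rstrip())
    return lines


def parse_ldif_groups(ldif_text: str) -> list[AdGroup]:
    """Parse group entries from LDIF. Base64 values ("attr:: ...") are ignored."""
    groups: list[AdGroup] = []
    dn, members = None, []
    for line in _unfold(ldif_text) + [""]:  # the sentinel flushes the last entry
        if not line:
            if dn is not None:
                groups.append(AdGroup(dn, members))
            dn, members = None, []
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "dn":
            dn = m.group(2)
        else:
            members.append(m.group(2))
    return groups


def estimate_payload_bytes(group: AdGroup) -> int:
    """Lower-bound estimate of the bytes the agent ships for one group."""
    return len(group.dn.encode("utf-8")) + sum(len(m.encode("utf-8")) for m in group.members)


def oversized_groups(groups: list[AdGroup], limit: int = ASSUMED_LIMIT_BYTES) -> list[AdGroup]:
    """Groups whose estimated payload exceeds the limit and so risk an HTTP 413."""
    return [g for g in groups if estimate_payload_bytes(g) > limit]


def plan_split(group: AdGroup, limit: int = ASSUMED_LIMIT_BYTES) -> list[AdGroup]:
    """Greedily chunk direct members into sub-groups that each fit under the limit.

    The parent group would then hold the sub-groups as members; because Okta
    flattens nested membership on import, users still land in the parent Okta
    group. Returns the group itself when it already fits. A single member DN
    larger than the budget still gets its own chunk: splitting cannot shrink a DN.
    """
    if estimate_payload_bytes(group) <= limit:
        return [group]
    cn, _, rest = group.dn.partition(",")
    overhead = len(group.dn.encode("utf-8")) + 3  # room for the assumed "-NN" suffix
    chunks: list[list[str]] = []
    current: list[str] = []
    used = overhead
    for member in group.members:
        size = len(member.encode("utf-8"))
        if current and used + size > limit:
            chunks.append(current)
            current, used = [], overhead
        current.append(member)
        used += size
    if current:
        chunks.append(current)
    return [AdGroup(f"{cn}-{i:02d},{rest}", ms) for i, ms in enumerate(chunks, 1)]


# Constructed sample export (not real directory data): one group that trips the
# assumed limit (30 members) and one that does not (2 members).
def _member_dn(i: int) -> str:
    return f"CN=user{i:02d},OU=Staff,DC=corp,DC=example"


SAMPLE_LDIF = "\n".join(
    ["dn: CN=All Engineers,OU=Groups,DC=corp,DC=example", "objectClass: group"]
    + [f"member: {_member_dn(i)}" for i in range(30)]
    + [""]
    + ["dn: CN=Helpdesk,OU=Groups,DC=corp,DC=example", "objectClass: group"]
    + [f"member: {_member_dn(i)}" for i in range(2)]
)

if __name__ == "__main__":
    groups = parse_ldif_groups(SAMPLE_LDIF)
    for g in groups:
        print(f"{g.dn}: {len(g.members)} members, ~{estimate_payload_bytes(g)} bytes")
    for g in oversized_groups(groups):
        print(f"  {g.dn} risks HTTP 413; proposed split:")
        for sub in plan_split(g):
            print(f"    {sub.dn}: {len(sub.members)} members, ~{estimate_payload_bytes(sub)} bytes")
```

To run it against a real domain, feed it the output of something like `ldapsearch -LLL -b "OU=Groups,DC=corp,DC=example" "(objectClass=group)" member` instead of `SAMPLE_LDIF`. Two caveats: the parser recognises the `member;range=...` attribute that AD returns for very large groups but does not fetch the follow-on ranges, so memberships over 1500 will be undercounted unless you page through them; and because the estimate ignores the agent's own framing, calibrate `ASSUMED_LIMIT_BYTES` from a group that actually produced a 413 rather than trusting the estimate as exact.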

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click Active Directory and then click the Provisioning tab.
  3. Click Integration in the Settings list.
  4. In the Group OUs connected to Okta area, select the OUs that you want to import.
  5. Click Save.