Bidirectional Group Management with Active Directory

Bidirectional Group Management for Active Directory (AD) allows you to manage Active Directory groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in Active Directory. When you use Okta Access Certifications to revoke a user's membership in an AD group, the removal is reflected in AD.

Okta can only manage group memberships for users and groups imported into Okta through the AD integration. This feature can't manage users or groups that weren't imported through the AD integration, or that are outside the organizational units (OUs) in the integration's scope.

Okta Identity Governance with Bidirectional Group Management

You can govern access to AD-sourced groups using Access Certifications. For a campaign with AD-sourced groups as a resource, when reviewers submit a decision for an AD-sourced group member, the remediation happens immediately in Okta and Active Directory.

You can also add or remove users with the API and configure an event trigger with Workflows Connectors to automate the API calls.

Workflows for Bidirectional Group Management

You can use the new Update an AD Group membership API to create custom Okta Workflows designed for Bidirectional Group Management. You can use the API to add or remove users and configure an event trigger with Workflows Connectors to automate the API calls. This enables you to customize on-premises group management actions based on events available within Workflows.

Next steps

Use Okta Access Certifications to manage AD group membership