Group Push lets you push Okta groups and their members to provisioning-enabled third-party applications. Okta sources the memberships of the downstream apps.
Group Push doesn't create groups in Okta. Pushed groups are managed from Okta. Changes made to the group in the target app cause synchronization issues with Okta.
An Active Directory (AD) import doesn't delete non-empty groups when they've been deleted in AD. If the group is empty, the AD import deletes it. Always delete an AD group from Group Push.
These are a few of the applications that support Group Push:
- Active Directory
- AWS Account Federation
- Google Workspace
- Office 365
To discover more applications that support Group Push, see the Okta Integration Network catalog.
Groups are pushed to applications using one of the following two methods:
- By name: An Okta application admin selects individual groups in Okta to create and update in the target app.
- By rule: Push multiple groups by specifying a string to match in the group name, or specifying strings to match in the group name and group description. This method isn't available for AD integrations.
The following are the known Group Push limitations:
- Okta doesn't support using the same group for app assignment and Group Push. To maintain consistent group membership between Okta and the downstream app, you must create a separate group that's configured to push to the target app. See App assignments and Group Push.