Use Okta Access Certifications to manage AD group membership

To use Bidirectional Group Management with Active Directory (AD), set up an Access Certifications campaign with an AD group for review. Reviewers can assess the group membership and select users for revocation. You can then check the campaign summary to view the list of users removed from the specified AD group.

Before you begin

These are the requirements for using this feature:

  • An Access Certifications campaign that has an AD-sourced group as a resource. See Create campaigns.

  • Active Directory integration with the following setup:

    • Deployed and operational Okta Active Directory agents

    • Active Directory set as the profile source

    • Just-In-Time (JIT) provisioning enabled

  • You must run an incremental or full import before performing subsequent operations on a user, such as adding or removing them from an AD group.
  • You can remove users from a group only if they're a direct member of that group. If a user inherits an AD group due to a nested group membership structure, removing them may not be possible.

Start the task

  1. Set up an Access Certifications campaign with an AD group for review. Users in the specified AD group are included in the Access Certifications campaign.
  2. Reviewers see pending actions to review group membership for users in the group. If the reviewer marks a user for revocation, the user is removed from that on-premises AD group. Okta refreshes the users’ profile and updates their group membership.
  3. Check the Access Certifications campaign summary for users removed from the specified AD group. This can also be verified through the group memberships on the Admin Console under Directory Group People.

Reviewers may still need to remediate access manually in the following situations:

  • When the user’s group membership was granted through a nested group. In this case, the reviewer must revoke the user’s access from the specific nested group.
  • When there are no agents connected to Okta.
  • When the connection to AD times out.
  • When the agent doesn’t have the required permissions to revoke access in AD.

Related topics

Bidirectional Group Management with Active Directory