App users are frequently unassigned during an import, but you may not realize the amount until the entire import is complete. Import safeguards let you specify the maximum percentage of app users in an org that can be unassigned while still allowing the import to continue. If the maximum percentage of unassigned users is reached, the import stops.
Import safeguards are activated only when your designated percentage occurs. They aren't triggered if an import job changes a property that is used in a group rule: for example, to assign a user to a group.
You can apply safeguards at the app level and the org level.
App-level import safeguards
App-level import safeguards apply to apps in your org with more than 100 users. The safeguards are enabled by default and set at 20 percent. If you change the import safeguard setting in one app to 15 percent, the new setting applies to all apps.
Deactivated users are included in the calculation, regardless of the lifecycle state that you set when importing.
App-level safeguards check applications assigned by groups only if the groups are imported from Active Directory (AD). If an app is assigned to an Okta-managed group with users imported from AD, then AD user deactivation doesn’t count in app-level safeguard calculations.
Org-level import safeguards
An org-level import safeguard applies to all users assigned to all apps in your org. A minimum of 100 app assignments are required to activate an org level import safeguard. Org-level safeguards are enabled by default and set at 20 percent. Deactivated users are included in the calculation, regardless of the lifecycle state that you set when importing.
Priority of import safeguards
When both the app-level and org-level import safeguards are set, the user import stops whenever the first limit is reached. If the limits are the same, the app-level safeguard takes priority.