This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; the Features page in the Okta Admin Console (Settings > Features) also allows Super Admins to enable and disable some EA features themselves. To enable this feature, contact Okta Support.
Enable Okta-mastered user OU changes
This applies to Okta-mastered and HR-mastered users in groups associated with Active Directory (AD) instances. AD should not be the profile master. A profile master is the application (usually a directory service such as AD, or a human capital management system such as Workday) that acts as the source of truth for user profile attributes; a user can be mastered by only one application or directory at any one time. When users are mastered by attribute (attribute-level mastering, ALM), admins can specify different profile masters for individual attributes. Profile mastering applies only to Okta user profiles, not app user profiles. For details, see the Profile Master and Attribute Level Mastering pages.
If you have existing Okta-mastered or HR-mastered users who have changed groups, their OUs in AD have not been updated. Enabling this feature moves those users to the new OU in AD. An OU (organizational unit) is an Active Directory container into which you can place users, groups, computers, and other OUs; it is the smallest scope to which you can assign Group Policy settings or delegate administrative authority. Moving a user object to a different OU can therefore change which Group Policy applies to that user and who holds delegated rights over the account, so review which users will move before you enable the feature.
Note: Because the provisioning flow is from Okta to AD, an OU change made directly in AD is not reflected in Okta. The next time Okta pushes updates to AD, the AD change is overwritten with the Okta-mastered value.
The Assignments tab in the AD instance displays all users and groups associated with that AD instance.
- Applies only to users and groups provisioned to Active Directory
To enable OU updates:
Go to Directory > Directory instance > Settings
Scroll to Update Users
Select Enable OU to update a user's OU in AD when the group that provisions a user to AD changes.
Move users from one group in Okta to another
At times, you might decide to move an Okta-mastered or HR-mastered user from one group to another. For example, a user in a group for employees in one department or location must be moved to a group associated with a different department or location. If these groups are associated with different OUs, the OU associated with the user is updated in Okta and that change is pushed to AD.
Remove a group from AD provisioning
You may need to remove a group from AD provisioning. Do this in Groups > Manage Directories, where you remove that group from the provisioning flow. Okta then locates the next-priority group that has AD assigned to it. If that group has a different OU assigned than the group just removed from AD provisioning, Okta updates the users to the new OU.
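Before enabling OU updates, or before moving a user between groups or removing a group from AD provisioning, it helps to know exactly which AD user objects will be moved and where. The following PowerShell script is an added example, not part of the Okta documentation or any Okta tooling: it takes a hand-maintained copy of the group-to-OU assignments for the AD instance (ordered highest priority first, mirroring the "next priority group" rule described above), resolves each user's target OU from the first assigned group they belong to, and compares it with the OU the user object currently sits in. The group names, OU distinguished names, and user list are constructed sample data; the only real dependencies are the RSAT ActiveDirectory module and read access to the target OUs.

```powershell
# Added example (not Okta's own code): pre-flight drift report of AD users whose
# current OU differs from the OU that their highest-priority AD-provisioned
# Okta group maps to. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed mapping, highest priority first. Maintain it by hand from the
# Okta group-to-OU assignments for the AD instance; names and DNs are hypothetical.
$GroupOuMap = [ordered]@{
    'Okta-Finance-Users' = 'OU=Finance,OU=Staff,DC=corp,DC=example'
    'Okta-Sales-Users'   = 'OU=Sales,OU=Staff,DC=corp,DC=example'
}

# Constructed input: Okta login plus the Okta groups the user belongs to.
# In practice, build this list from an Okta user and group export.
$OktaUsers = @(
    @{ Login = 'alice@corp.example'; Groups = @('Okta-Sales-Users', 'Okta-Finance-Users') }
    @{ Login = 'bob@corp.example';   Groups = @('Okta-Sales-Users') }
    @{ Login = 'carol@corp.example'; Groups = @('Okta-Contractors') }   # no AD-provisioning group
)

function Get-ParentDn {
    param([string]$DistinguishedName)
    # Drop the leading RDN ("CN=..."), skipping backslash-escaped commas inside it.
    $idx = -1
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        if ($DistinguishedName[$i] -eq '\') { $i++; continue }
        if ($DistinguishedName[$i] -eq ',') { $idx = $i; break }
    }
    if ($idx -lt 0) { return '' }
    return $DistinguishedName.Substring($idx + 1)
}

function Get-TargetOu {
    param([string[]]$Groups)
    # The first map entry (highest priority) the user belongs to decides the OU.
    # Removing a group from the map models "remove a group from AD provisioning":
    # the user then falls through to the next-priority group they are in.
    foreach ($g in $GroupOuMap.Keys) {
        if ($Groups -contains $g) { return $GroupOuMap[$g] }
    }
    return $null
}

$drift = foreach ($u in $OktaUsers) {
    $target = Get-TargetOu $u.Groups
    if (-not $target) { continue }   # no AD-provisioning group: the feature does nothing

    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($u.Login)'"
    if (-not $adUser) { continue }   # not yet provisioned to AD

    $currentOu = Get-ParentDn $adUser.DistinguishedName
    if ($currentOu -ne $target) {
        [pscustomobject]@{
            Login     = $u.Login
            CurrentOU = $currentOu
            TargetOU  = $target
        }
    }
}

# Each row is a user object that Okta will move once OU updates are enabled
# (or once the group change is made). Review the target OUs for Group Policy
# and delegated-permission differences before proceeding.
$drift | Format-Table -AutoSize
```

The report lists only users who would actually move. If a row's target OU carries different Group Policy or delegated administrative rights than the current OU, confirm that is intended before enabling the feature, because Okta will overwrite any manual OU placement in AD on its next push.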