FAQ: Okta and AD Groups
For more about Universal Security Groups, click here.
- Whether users and USGs reside in the same or different AD domains.
- If different domains, whether both domains exist in Okta and are connected by a trust relationship.
- Whether users come in to Okta via sign-in (JIT) or import.
- JIT Provisioning and USG Support options are selected in Import and Account Settings.
- If the option Schedule import is selected, the option Do not import new Users is not selected.
Note: Okta does not support Domain Local Groups containing members from multiple domains. We do support Universal Security Groups with cross-domain membership, provided that there is a two-way trust established between the domains. Universal Security Groups do not support cross-forest membership.
What happens when a user who is a member of a USG that does not already exist in Okta signs in to Okta?
- If the user and the USG belong to the same domain but the USG does not already exist in Okta, Okta creates or updates the user's profile in Okta, brings in the USG, and syncs the user's membership to the USG.
- If the user and the USG belong to different domains and both domains exist in Okta but the USG does not already exist in Okta, Okta creates or updates the user's profile in Okta but does not bring the USG in to Okta.
What happens when a user who is a member of a USG that already exists in Okta signs in to Okta?
- If the user and the USG belong to the same domain and the USG exists in Okta, Okta creates or updates the user's profile in Okta and syncs the user's membership to the USG.
- If the user and the USG belong to different domains and the USG exists in Okta, Okta syncs the user's membership to the USG at sign-in only if the two domains are connected by a trust relationship. If the domains have no trust relationship, Okta does not recognize the user's membership in the USG.
What happens during an import of groups and users?
- If the users and the USG are members of the same domain, Okta creates or updates the users' profiles in Okta, creates the USG if it doesn't already exist in Okta, and syncs memberships to the USG only for users in the domain being imported. Nothing is imported from other domains. During import, Okta does not recognize memberships to USGs in other domains.
- If the users in the domain being imported are members of a USG that resides in a different domain, Okta only imports the users and ignores their membership in the USG. If the domain containing the USG is imported later, Okta syncs memberships the next time group members sign in to Okta.
Given a USG that resides in Domain B and contains users from Domains A and B:
If Domain A is imported into Okta, which members of the USG are imported into Okta?
Only users from Domain A are imported into Okta, and their membership in the USG is ignored until Domain B is later imported.
If Domain A already exists in Okta, will importing Domain B bring the USG into Okta and sync Group 2 memberships to the USG?
Given a USG in a 3-domain forest that resides in Domain A and contains users from Domains A, B, and C.
When Domain A users and groups are imported into Okta, the USG is imported and Domain A USG user memberships are synced.
If Domains B and C users and groups are imported into Okta, the USG memberships from those domains are not synced until users from those domains sign in to Okta for the first time (as indicated by the dotted line in the diagram).
Only during incremental and full imports, not when users sign in (JIT).
Note: When users sign in (JIT), Okta imports security group membership, but not distribution group membership.
For more about Distribution Groups, click here.
Only during incremental and full imports, and only if the users and groups being imported belong to the same domain.
Okta treats DGs and USGs the same in this respect:
During imports, Okta does not sync group memberships to DGs or USGs that reside in a different domain than the domain being imported.
Okta treats DGs and USGs differently in this respect:
- If a user and a USG of which it is a member belong to the same domain, Okta syncs the user to the USG during JIT and imports.
- If a user and a DG of which it is a member belong to the same domain, Okta syncs the user to the DG only during imports, not during JIT.
Note: If only JIT is enabled, Okta will retrieve security group membership during JIT sign-in, but will not retrieve distribution group membership.
Note: The term out-of-scope Organizational Unit (OU) refers to an OU that does not appear in or is not selected in the relevant OU selector. (Examples of the latter type of out-of-scope OU are highlighted in yellow in the figure below.)
Some organizations administer an employee off-boarding process that involves moving users or groups to an out-of-scope OU. As detailed below, Okta never imports users and groups in out-of-scope OUs, and denies sign-in to all such users.
Okta denies sign-in to all users in out-of-scope OUs, regardless of their enablement status in Active Directory.
- When a user in an out-of-scope OU who is enabled in AD tries to sign in to Okta, Okta detects the user's AD status, preserves them as active in Okta, but denies their sign-in attempt.
- When a user in an out-of-scope OU who is disabled in AD tries to sign in to Okta, Okta detects their AD status, deactivates them in Okta, and denies their sign-in attempt.
Okta performs incremental and full imports.
- During an incremental import, Okta doesn't detect users and groups in out-of-scope OUs, so none of these users or groups are imported.
Accounts imported from an in-scope OU during a full or incremental import and then later relocated to an out-of-scope OU are not deactivated during a subsequent incremental import.
- During a full import, Okta detects users in out-of-scope OUs as missing, deactivates them (regardless of their enablement status in AD), and denies their next sign-in attempt.
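An added example, not Okta's code: a Python audit that applies the rules above to a directory export and lists accounts that sit in an out-of-scope OU yet are still active in Okta, together with the event that deactivates them. The record fields, sample DNs and status strings are constructed, and the code assumes a selected OU also covers its sub-OUs.

```python
import re

# Constructed sample data: OUs ticked in the OU selector and directory records.
SELECTED_OUS = ["OU=Staff,DC=corp,DC=example,DC=com"]
USERS = [
    {"login": "alice", "dn": "CN=Alice,OU=Staff,DC=corp,DC=example,DC=com",
     "ad_enabled": True, "okta_status": "ACTIVE"},
    {"login": "bob", "dn": "CN=Bob,OU=Offboarded,DC=corp,DC=example,DC=com",
     "ad_enabled": True, "okta_status": "ACTIVE"},
    {"login": "carol", "dn": "CN=Carol\\, C,OU=Offboarded,DC=corp,DC=example,DC=com",
     "ad_enabled": False, "okta_status": "ACTIVE"},
    {"login": "dave", "dn": "CN=Dave,OU=Offboarded,DC=corp,DC=example,DC=com",
     "ad_enabled": False, "okta_status": "DEPROVISIONED"},
]

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def in_scope(dn, selected_ous):
    """True if the object sits under a selected OU (assumed to cover sub-OUs)."""
    parts = rdns(dn)
    for ou in selected_ous:
        ou_parts = rdns(ou)
        if len(parts) > len(ou_parts) and parts[-len(ou_parts):] == ou_parts:
            return True
    return False

def offboarding_gaps(users, selected_ous):
    """Out-of-scope accounts still active in Okta, with the event that
    deactivates them according to the rules described above."""
    findings = []
    for u in users:
        if in_scope(u["dn"], selected_ous) or u["okta_status"] != "ACTIVE":
            continue
        if u["ad_enabled"]:
            closes = "next full import"
        else:
            closes = "next sign-in attempt or next full import"
        findings.append((u["login"], closes))
    return findings

if __name__ == "__main__":
    for login, closes in offboarding_gaps(USERS, SELECTED_OUS):
        print(f"{login}: sign-in denied, but active in Okta until {closes}")
```

Accounts reported with "next full import" are the ones an incremental-only schedule leaves active in Okta after they are moved out of scope.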
Membership inconsistencies can occur between “regular” imports and JIT provisioning. These anomalies may occur when using nested groups.
During regular imports, a child group that is outside the scope of an AD OU or LDAP object filter cannot be detected. If a parent group is within an OU/object filter scope but its child groups are not, the parent group membership is incorrectly resolved during import.
JIT provisioning would correctly resolve these memberships to the parent group because its function only detects "flat" memberships.
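The nested-group anomaly above, as an added Python example (a simplified model of the behaviour described here, not Okta's implementation). It compares a scoped, import-style resolution with a flat resolution and reports, for each in-scope parent group, the users whose membership depends on which path synced them. Group names, members and the in-scope set are constructed.

```python
# Constructed sample directory: group -> direct user members and child groups.
GROUPS = {
    "App-Admins":  {"users": {"alice"}, "children": ["Ops", "Contractors"]},
    "Ops":         {"users": {"bob"},   "children": []},
    "Contractors": {"users": {"carol"}, "children": ["Vendors"]},
    "Vendors":     {"users": {"dave"},  "children": ["Contractors"]},  # cycle
}
# Groups inside the selected OUs / object filter (constructed).
IN_SCOPE = {"App-Admins", "Ops"}

def resolve(group, groups, visible=None):
    """Transitive user members of `group`. If `visible` is given, child groups
    outside it are not followed, modelling the scoped import described above."""
    members, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue  # guards against circular nesting and dangling references
        seen.add(g)
        members |= groups[g]["users"]
        for child in groups[g]["children"]:
            if visible is None or child in visible:
                stack.append(child)
    return members

def membership_drift(groups, in_scope):
    """Per in-scope parent: users a flat (JIT-style) lookup yields but a
    scoped import misses, i.e. accounts whose access depends on sync path."""
    drift = {}
    for g in sorted(in_scope):
        missing = resolve(g, groups) - resolve(g, groups, in_scope)
        if missing:
            drift[g] = sorted(missing)
    return drift

if __name__ == "__main__":
    for parent, users in membership_drift(GROUPS, IN_SCOPE).items():
        print(f"{parent}: import misses {', '.join(users)}")
```

Any group that appears in the result is a candidate for either bringing its child groups into scope or flattening the membership, so that app assignments do not differ between import and sign-in.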