Enable universal security group support

In Active Directory (AD), universal security groups (USGs) are most often used to assign permissions to related resources in multiple domains. Members from any domain can be added and you can assign permissions for access to resources in any domain. An Okta AD agent must be installed in every domain in your forest that contains the USG object that you want to synchronize with Okta. When you enable USG support, domain boundaries are ignored when you import group memberships for your users.

When a user's group memberships match any imported groups from connected domains in a forest, Okta synchronizes the memberships for the user to each group. USGs provide greater control of group imports from on-premises apps to Okta. Only groups from connected domains are imported.

  1. In the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an Active Directory instance and click the Settings tab.
  3. Scroll down and select the Universal Security Group Support check box.
  4. Scroll down and click Save Settings.
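
Because an agent is required in every domain that contains a USG you want to synchronize, it helps to inventory the forest before enabling the setting. The following PowerShell is an added example, not Okta-provided code. It assumes the ActiveDirectory (RSAT) module is installed and that you supply `$AgentDomains` yourself; the domain names shown are constructed placeholders, and `Get-DomainFromDN` is a helper written for this example.

```powershell
# Added example: inventory universal security groups (USGs) per domain in the forest
# and flag domains that are not in your list of Okta AD agent domains.
Import-Module ActiveDirectory

# Assumption: domains where an Okta AD agent is already installed.
# Constructed placeholder names; replace with your own.
$AgentDomains = @('corp.example.com', 'emea.corp.example.com')

# Helper for this example: turn the DC= components of a distinguished name
# into a DNS domain name (splits only on unescaped commas).
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    $labels = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^DC=' } |
        ForEach-Object { $_.Substring(3) }
    ($labels -join '.').ToLower()
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Universal scope + Security category = USG objects homed in this domain.
    $groups = Get-ADGroup -Server $domain -Properties member `
        -Filter "GroupCategory -eq 'Security' -and GroupScope -eq 'Universal'"

    foreach ($g in $groups) {
        # Domains that contribute members to this group, derived from member DNs.
        $memberDomains = @($g.member |
            ForEach-Object { Get-DomainFromDN $_ } |
            Sort-Object -Unique)

        [pscustomobject]@{
            Group                     = $g.Name
            GroupDomain               = $domain.ToLower()
            # The USG object's own domain needs an agent for the group to be imported.
            AgentInGroupDomain        = $AgentDomains -contains $domain
            # Informational: member domains that are not in the agent list.
            MemberDomainsWithoutAgent = ($memberDomains |
                Where-Object { $AgentDomains -notcontains $_ }) -join ', '
        }
    }
}

# Groups with AgentInGroupDomain = False live in a domain with no agent listed.
$report | Sort-Object GroupDomain, Group | Format-Table -AutoSize
```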