Enable universal security group support
In Active Directory (AD), universal security groups (USGs) are most often used to assign permissions to related resources in multiple domains. Members from any domain can be added and you can assign permissions for access to resources in any domain. An Okta AD Agent must be installed in every domain in your forest that contains the USG object that you want to synchronize with Okta. When you enable USG support, domain boundaries are ignored when you import group memberships for your users.
When a user's group memberships match any imported groups from connected domains in a forest, Okta synchronizes the memberships for the user to each group. USGs provide greater control of group imports from on-premises apps to Okta. Only groups from connected domains are imported.
- In the Admin Console, go to Directory > Directory Integrations.
- Click Active Directory and then click the Provisioning tab.
- Click To Okta in the SETTINGS list.
- Click Edit in the General area.
- Scroll down and select the Universal security group support check box.