Import groups from provisioning-enabled applications
You can import groups from applications that have provisioning enabled. Set an import schedule for the app to ensure that newly added groups, as well as membership updates in existing groups, are imported. Or, if you only want to import groups, set up provisioning but do not configure any user options. You cannot edit the memberships of these imported groups.
Confirm your group imports
After you configure provisioning on an app that supports groups, Okta automatically imports groups from that app. Sign in to your Admin Console, and go to Directory > Groups to see newly imported groups. You can also select Reports > System Log, and then select the Application Imports (Summary) report to see new groups that have been imported.
After a successful import, Okta scans for new users, new groups, or changes to existing user profiles or group memberships. If any of these are detected, Okta automatically sends an email to designated administrators detailing the number of users and groups scanned, added, updated, or removed during the import.
Manage duplicate groups in Microsoft Office 365
If your application also imports groups from Active Directory (for example, Office 365 via DirSync), and provisioning is enabled in the app, you may have duplicate groups in Okta. This happens under the following conditions:
- You have two or more Active Directory forests. For example, forestA and forestZ.
- Microsoft DirSync is configured on forestA to synchronize all groups from the forest into an Office 365 (Azure AD) instance.
- Your Okta AD agent is configured to import users and groups from both forestA and forestZ into an Okta org.
- Okta is configured for provisioning with users from forestZ to the same Office 365 tenant.
When you configure provisioning on the forestZ Office 365 app, it automatically imports groups from Office 365 into Okta. There are groups in Office 365 that are imported from forestA that already exist in Okta because of a sync from the forestA AD agent. The image below shows a mix of groups from Box, LDAP, and Active Directory alongside native groups in Okta.
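The duplicate condition described above can be checked against an exported group list. The following is an added example, not Okta's own code: it flags group names that were imported from more than one source. The record shape (`type`, `profile.name`, `source.id`) is an assumption modeled on Okta Groups API responses, and all IDs and names are constructed.

```python
from collections import defaultdict

# Constructed sample data; IDs and source names are placeholders, not real values.
SAMPLE_GROUPS = [
    {"id": "00g_constructed_1", "type": "APP_GROUP",
     "profile": {"name": "Finance"},
     "source": {"id": "0oa_constructed_ad_forestA"}},
    {"id": "00g_constructed_2", "type": "APP_GROUP",
     "profile": {"name": "Engineering"},
     "source": {"id": "0oa_constructed_ad_forestZ"}},
    {"id": "00g_constructed_3", "type": "APP_GROUP",
     "profile": {"name": "finance "},  # same group, re-imported from Office 365
     "source": {"id": "0oa_constructed_o365"}},
    {"id": "00g_constructed_4", "type": "OKTA_GROUP",
     "profile": {"name": "Contractors"}},  # native group, not imported
]


def find_duplicate_groups(groups):
    """Return {normalized name: [(source_id, group_id), ...]} for names
    that were imported from more than one source application."""
    by_name = defaultdict(list)
    for group in groups:
        # Only imported groups are relevant; native Okta groups are skipped.
        if group.get("type") != "APP_GROUP":
            continue
        name = group.get("profile", {}).get("name", "").strip().casefold()
        if not name:
            continue
        source_id = group.get("source", {}).get("id", "unknown")
        by_name[name].append((source_id, group["id"]))

    duplicates = {}
    for name, entries in by_name.items():
        # A duplicate here means the same name arrived via different sources,
        # for example the AD agent and the Office 365 app.
        if len({source for source, _ in entries}) > 1:
            duplicates[name] = sorted(entries)
    return duplicates


if __name__ == "__main__":
    for name, entries in find_duplicate_groups(SAMPLE_GROUPS).items():
        print(name, "->", entries)
```

Names are compared case-insensitively with surrounding whitespace removed, so review each flagged pair before treating it as the same directory group.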
Delete groups imported from provisioning-enabled apps
Groups that were imported from an application cannot be deleted in Okta. However, you can use the Import feature to remove them. Open the Okta instance of the application and delete the group there. The deleted group will be removed from Okta during the next scheduled (or manual) import.
Note: Most applications do not permit you to specify which groups from an app should be imported into Okta. This means that when you import the newly deleted group, all other changes that have been made in the app are also imported. To learn how you can specify a single group removal from certain provisioning-enabled applications, see Enhanced Group Push.