Import groups from Active Directory using the Okta AD agent

You can import security groups from any forest or domain that you connect to Okta. For details about AD group import scenarios, see FAQ: Okta and AD groups. The AD agent detects all groups in the domain or the Organizational Units (OUs) that you have selected. If you register an AD agent for more than one domain and you have the root OU selected for all domains, it imports all groups.

To limit the groups that are synchronized, sign in to your Admin Console, and go to Directory > Directory Integrations > Active Directory. Click the Settings tab, and in the section Import and Account Settings, select only the OUs that you want to import. For details about using the separate OU selectors to set up more granular imports from specific OUs, see Installing and Configuring the Active Directory Agent.

Universal security groups

In Active Directory, a universal security group (USG) allows for membership across all trusted forests in an AD environment. By default, USGs only exist in Okta if there is an AD agent in a domain importing users and groups. Enabling the Universal Security Group (USG) option ignores domain boundaries when importing group memberships for your users. This assumes that the relevant domains are connected in Okta.


You must also deploy an AD agent for every domain in your forest that contains the USG object that you want to sync with Okta. Each connected domain then imports its groups. When a user's group memberships match any groups that were imported (from any connected domain in the forest), Okta syncs the memberships for the user to each group. This option provides greater control of group imports from on-premises apps to Okta. Only groups from connected domains are imported.

For details about USG import scenarios, see FAQ: Okta and AD Groups.

Note: The AD agent imports groups differently depending on how your org is configured. After you install your first AD agent, you can specify the OUs that you want to connect to Okta, and then run either an incremental or full import. For details about common group import scenarios, see FAQ: Okta and AD Groups.

Nested groups

Many directory systems and applications support the concept of nested groups (or groups in groups). Okta does not currently support nested groups. Instead, Okta imports the members of all nested groups and adds each user directly to the corresponding group in Okta. In the example below, the group in AD (left) has two groups as child members. The resultant group in Okta (right) lists members without nested groups.
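To see how the OU selection, the connected-domain rule from the USG section, and the nested-group flattening described above combine, here is an added model of the import (example code, not Okta's own). The directory data is constructed, and the rule that a membership across a domain boundary is only kept when the USG option is on is an assumption drawn from the description above.

```python
"""Model of the AD group import: OU scoping, connected domains, USG, flattening."""
from collections import deque

# Constructed sample forest with two domains; DN -> record.
AD = {
    "CN=Eng,OU=Groups,DC=corp,DC=example": {
        "type": "group", "domain": "corp.example",
        "members": ["CN=Backend,OU=Groups,DC=corp,DC=example",
                    "CN=alice,OU=Users,DC=corp,DC=example"]},
    "CN=Backend,OU=Groups,DC=corp,DC=example": {
        "type": "group", "domain": "corp.example",
        "members": ["CN=bob,OU=Users,DC=corp,DC=example",
                    "CN=Eng,OU=Groups,DC=corp,DC=example"]},  # membership cycle
    "CN=Global-Admins,OU=Groups,DC=eu,DC=corp,DC=example": {
        "type": "group", "domain": "eu.corp.example",
        "members": ["CN=alice,OU=Users,DC=corp,DC=example"]},  # cross-domain member
    "CN=alice,OU=Users,DC=corp,DC=example": {"type": "user", "domain": "corp.example", "members": []},
    "CN=bob,OU=Users,DC=corp,DC=example": {"type": "user", "domain": "corp.example", "members": []},
}


def in_selected_ou(dn, selected_ous):
    """True when the object sits under one of the OUs chosen for import."""
    return any(dn.endswith("," + ou) for ou in selected_ous)


def flatten_members(group_dn):
    """Direct and nested user members of a group; cycles are visited once."""
    seen, users, queue = {group_dn}, set(), deque([group_dn])
    while queue:
        for m in AD[queue.popleft()]["members"]:
            if AD[m]["type"] == "user":
                users.add(m)
            elif m not in seen:
                seen.add(m)
                queue.append(m)
    return users


def imported_memberships(selected_ous, connected_domains, usg):
    """Map each user DN to the set of group DNs it would land in under this model."""
    result = {}
    for dn, rec in AD.items():
        if rec["type"] != "group" or rec["domain"] not in connected_domains:
            continue  # only groups from connected domains are imported
        if not in_selected_ou(dn, selected_ous):
            continue
        for user in flatten_members(dn):
            # Assumption: without USG, memberships across a domain boundary are dropped.
            if usg or AD[user]["domain"] == rec["domain"]:
                result.setdefault(user, set()).add(dn)
    return result
```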