Import groups

The following sections describe the methods you can use to import groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. into Okta.

Import groups from Active Directory using the Okta AD agent

You can import security groups from any forest or domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). that you connect to Okta. For details about AD group import scenarios, see FAQ: Okta and AD groups. The AD agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. detects all groups in the domain or the Organizational Units (OUs) that you have selected. If you register an AD agent for more than one domain and you have the root OUAn acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. selected for all domains, it imports all groups.

To limit the groups that are synchronized, sign into your Administrator Dashboard, select Directory > Directory Integrations > Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management., click the Settings tab, and in the section Import and Account Settings, select only the OUs that you want to import. For details about using the separate OU selectors to set up more granular imports from specific OUs, see Installing and Configuring the Active Directory Agent.

Universal security groups

In Active Directory, a universal security group (USG) allows for membership across all trusted forests in an AD environment. By default, USGs only exist in Okta if there is an AD agent in a domain importing users and groups. Enabling the Universal Security Group (USG) option ignores domain boundaries when importing group memberships for your users. This assumes that the relevant domains are connected in Okta.

User-added image

You must also deploy an AD agent for every domain in your forest that contains the USG object that you want to sync with Okta. Each connected domain then imports its groups. When a user's group memberships match any groups that were imported (from any connected domain in the forest), Okta syncs the memberships for the user to each group. This option provides greater control of group imports from on-premises apps to Okta. Only groups from connected domains are imported.

For details about USG import scenarios, see FAQ: Okta and AD Groups​​.

Note: The AD agent imports groups differently depending on how your orgThe Okta container that represents a real-world organization. is configured. After you install your first AD agent, you can specify the OUs that you want to connect Okta, and then run either an incremental or full import. For details about common group import scenarios, see FAQ: Okta and AD Groups​.

Nested groups

Many directory systems and applications support the concept of nested groups (or groups in groups). Okta does not currently support nested groups. Okta imports all nested directories for group members and adds the user to each group in Okta. See the example below in which the group in AD on the left has two groups as child members, and the resultant group in Okta on the right.

Group04.png

Import groups from provisioning-enabled apps

You can import groups from applications that have provisioning enabled. If you set up an import schedule for the appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., it also imports new groups that you add and makes membership changes to existing ones. If you only want to import groups, set up provisioning but do not configure any user options. You cannot edit the memberships of these imported groups.

Confirm your group imports

After you configure provisioning on an app that supports groups, Okta automatically imports groups from that app. Sign into your Administrator Dashboard and select Directory > Groups to see newly imported groups. You can also select Reports > System Log, and then select the Application Imports (Summary) report to see new groups that have been imported.

Following a successful import, under specific conditions Okta automatically sends an email to designated administrators. The email details the number of users and groups scanned, added, updated, or removed during the import. Okta only sends the email if the scan detects any new users or groups, or changes to any existing user profile or group membership.

Manage duplicate groups in Microsoft Office 365

If your application also imports groups from Active Directory (for example, Office 365 via DirSync), you might have duplicate groups in Okta if you have enabled provisioning on the app. This happens under the following conditions:

  • You have two or more Active Directory forests. For example, forestA and forestZ.
  • Microsoft DirSync is configured on forestA to synchronize all groups from the forest into an Office 365 (Azure AD) instance.
  • Your Okta AD agent is configured to import users and groups from both forestA and forestZ into an Okta org.
  • Okta is configured for provisioning with users from forestZ to the same Office 365 tenant.

When you configure provisioning on the forestZ Office 365 app, it automatically imports groups from Office 365 into Okta. There are groups in Office 365 that are imported from forestA that already exist in Okta because of a sync from the forestA AD agent. The image below shows a mix of groups from Box, LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., and Active Directory alongside native groups in Okta.

Group07.png

Delete groups imported from provisioning-enabled apps

Groups that were imported from an application cannot be deleted in Okta. However, you can use the Import feature to remove them. Open the Okta instance of the application and delete the group there. The deleted group will be removed from Okta during the next scheduled (or manual) import.

Note: Most applications do not permit you to specify which groups from an app should be imported into Okta. This means that when you import the newly deleted group, all other changes that have been made in the app will also import. To learn how you can specify a single group removal from certain provisioning-enabled applications, see Enhanced Group Push.

Top