Group Push
Group Push lets you push Okta groups and their members to provisioning-enabled third-party apps. Okta sources the memberships of the downstream target apps.
Group Push doesn't create groups in Okta. Pushed groups are managed from Okta. Changes made to the group in the target app cause synchronization issues with Okta.
Okta only reconciles group membership when you configure Group Push. Okta removes any members of the AD group that aren't members of the linked Okta group. After you configure Group Push, no other group membership reconciliation occurs.
An Active Directory (AD) import doesn't delete non-empty groups in Okta when they've been deleted in AD. If the group is empty, the AD import deletes them. Always delete non-empty AD pushed groups in Okta when they've been deleted in AD.
Okta doesn't support using the same group for app assignment and Group Push.
To maintain consistent group membership between Okta and the downstream app, you must create a separate group that's configured to push to the target app. See App assignments and Group Push.
These are a few of the apps that support Group Push:
- Active Directory
- 
                                                            AWS Account Federation 
- Google Workspace
- Office 365
- JIRA
- Box
- Slack
- Dropbox
- Jive
To discover more apps that support Group Push, see the Okta Integration Network catalog. You can use Group Push with SCIM-enabled on-premises apps by using Okta Provisioning Agent in conjunction with a SCIM server. See Provision on-premises apps.
Groups are pushed to apps using one of the following two methods:
- By name: An Okta app admin selects individual groups in Okta to create and update in the target app.
- By rule: Push multiple groups by specifying a string to match in the group name, or specifying strings to match in the group name and group description. This method isn't available for AD integrations.
