The following are the prerequisites for using Group Push:
- You must have provisioning enabled in the target app. If it is not enabled, you will be prompted to do so.
- Any group members that you want to push to the target app MUST already be provisioned and assigned to the target app. Because the pushed group is Okta-mastered, changes to it should never be made from the target app.
- This process is always Okta-mastered; therefore, you cannot push a group name that already exists within the target app unless the app supports Enhanced Group Push. For example, G Suite, Box, Jive, and Active Directory allow you to link their existing groups to Okta. See Enhanced Group Push for details.
- API access must be enabled in the target app.
- Confirm that the relevant group members are already imported into Okta and provisioned for the target app.
- To push groups to Active Directory, you must have permission to create groups in Active Directory. See Minimum Okta service account permissions.
Users who show as inactive in Okta are not pushed to the downstream app. Inactive users must be reactivated, and the group must then be repushed. If the inactive user is part of more than one group, they must be repushed to all groups in which they are members.
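A pre-flight check for these prerequisites can be scripted before a push. The following is an added example, not Okta's own code: it reports members who lack the app assignment, inactive members the push will leave out, and every group each inactive user must be repushed to after reactivation. The function name, the sample data, and the set of statuses treated as "inactive" are assumptions; in practice the inputs would come from your Okta group and app-assignment exports.

```python
from collections import defaultdict

# Assumption: these Okta user statuses count as "inactive" for Group Push.
INACTIVE_STATUSES = frozenset({"SUSPENDED", "DEPROVISIONED"})


def preflight(groups, user_status, app_assigned, inactive=INACTIVE_STATUSES):
    """Check group membership against the Group Push prerequisites.

    groups:       {group name: [user id, ...]} for the groups to be pushed
    user_status:  {user id: Okta status string}
    app_assigned: set of user ids already provisioned and assigned to the app
    """
    unassigned = defaultdict(list)  # non-inactive members missing the app assignment
    skipped = defaultdict(list)     # inactive members the push will leave out
    repush = defaultdict(set)       # inactive user -> every group to repush
    for group, members in groups.items():
        for uid in members:
            # A user missing from user_status is not treated as inactive,
            # so it still goes through the assignment check.
            status = user_status.get(uid, "UNKNOWN")
            if status in inactive:
                skipped[group].append(uid)
                repush[uid].add(group)
            elif uid not in app_assigned:
                unassigned[group].append(uid)
    return {
        "ready": sorted(g for g in groups
                        if g not in unassigned and g not in skipped),
        "unassigned": dict(unassigned),
        "skipped": dict(skipped),
        "repush_after_reactivation": {u: sorted(g) for u, g in repush.items()},
    }


# Constructed sample data (not from a real org).
GROUPS = {"eng": ["u1", "u2", "u3"], "oncall": ["u1", "u3"], "finance": ["u4"]}
USER_STATUS = {"u1": "ACTIVE", "u2": "ACTIVE",
               "u3": "DEPROVISIONED", "u4": "ACTIVE"}
APP_ASSIGNED = {"u1", "u3", "u4"}

if __name__ == "__main__":
    import json
    print(json.dumps(preflight(GROUPS, USER_STATUS, APP_ASSIGNED), indent=2))
```
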