Bidirectional Group Management with Active Directory
Bidirectional Group Management with Active Directory (AD) lets you manage the membership of Active Directory groups from within Okta. You can add users to AD groups or remove them based on their identity and access requirements, and the change is written back to Active Directory. For example, when a reviewer uses Okta Access Certifications to revoke a user's membership in an AD group, the user is removed from that group in AD.
Okta can only manage group memberships for users and groups that were imported into Okta through the AD integration. This feature can't manage users or groups that weren't imported through the AD integration, or that fall outside the organizational units (OUs) in the integration's import scope.
Access governance for AD groups
You can request access to AD-sourced groups with Access Requests and review that access with Access Certifications.
- Access Requests
- Use AD groups in access request conditions to define requester scopes and access levels. This means that AD-sourced group members can request access to resources, including access to AD-sourced groups, from their End-User Dashboard. When a request to access an AD-sourced group is approved in Okta, the requester gets access to that group in AD.
- Access Certifications
- You can govern access to AD-sourced groups using Access Certifications. For a campaign with AD-sourced groups as a resource, when reviewers submit a decision for an AD-sourced group member, the remediation happens immediately in Okta and Active Directory.
Workflows for Bidirectional Group Management
You can build custom Okta Workflows for Bidirectional Group Management on the new Update an external directory group membership API. Call the API to add or remove users, and configure an event trigger with Workflows Connectors to run those calls automatically, so on-premises group membership changes can be driven by any event available within Workflows.
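The following is an added example, not code from Okta or from this page. It applies the scoping rule stated earlier (only groups imported by the AD integration and inside its OU scope can have memberships pushed back to AD) before building the request a custom Workflow would make to the membership API. The group and user data, the AD app instance ID, the OU scope list, and the endpoint path and method (which mirror the shape of Okta's existing group membership endpoints) are all assumptions; take the exact path and method for the external-directory API from the Okta API reference.

```python
"""Added example, not Okta's code: apply the page's scoping rule before a
Bidirectional Group Management API call, then build the request a custom
Workflow would issue. Everything marked ASSUMPTION is not from the page."""
from __future__ import annotations

import urllib.request

# Constructed sample data. AD-imported groups in Okta are type "APP_GROUP",
# carry the AD app instance in source.id, and expose AD attributes such as
# profile.dn and profile.windowsDomainQualifiedName.
AD_APP_ID = "0oaADAPP0000000000"  # ASSUMPTION: your AD app instance ID
AD_OU_SCOPE = ["OU=Corp Users,DC=corp,DC=example,DC=com"]  # ASSUMPTION: import scope
SAMPLE_GROUPS = {
    "00g1": {"id": "00g1", "type": "APP_GROUP", "source": {"id": AD_APP_ID},
             "profile": {"name": "FileShare-Finance",
                         "windowsDomainQualifiedName": "CORP\\FileShare-Finance",
                         "dn": "CN=FileShare-Finance,OU=Groups,OU=Corp Users,"
                               "DC=corp,DC=example,DC=com"}},
    # Lives in the default Users container, outside the scoped OU.
    "00g2": {"id": "00g2", "type": "APP_GROUP", "source": {"id": AD_APP_ID},
             "profile": {"name": "Domain Admins",
                         "windowsDomainQualifiedName": "CORP\\Domain Admins",
                         "dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"}},
    # Okta-mastered group: nothing to push to AD.
    "00g3": {"id": "00g3", "type": "OKTA_GROUP", "profile": {"name": "Everyone-Okta"}},
}
# ASSUMPTION: mirrors the path/method shape of Okta's existing group
# membership endpoints (PUT to add, DELETE to remove). Take the exact path
# and method for the external-directory variant from the Okta API reference.
ASSUMED_PATH_TEMPLATE = "/api/v1/groups/{group_id}/users/{user_id}"


def dn_components(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring RFC 4514 backslash escapes, and
    normalise each one (AD DN matching is case-insensitive)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    norm = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        norm.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return norm


def dn_in_ou(dn: str, ou_dn: str) -> bool:
    """True when dn sits below ou_dn. Compared RDN by RDN, not as a string
    suffix, so spacing, case and escaped commas can't cause false matches."""
    obj, ou = dn_components(dn), dn_components(ou_dn)
    return len(obj) > len(ou) and obj[-len(ou):] == ou


def is_ad_managed(group: dict, ad_app_id: str, ou_scope: list[str]) -> tuple[bool, str]:
    """Encode the page's rule: only groups imported by the AD integration and
    inside its OU scope can have memberships pushed back to AD."""
    if group.get("type") != "APP_GROUP" or group.get("source", {}).get("id") != ad_app_id:
        return False, "not imported by the AD integration"
    dn = group.get("profile", {}).get("dn")
    if not dn:
        return False, "group profile has no AD distinguished name"
    if not any(dn_in_ou(dn, ou) for ou in ou_scope):
        return False, f"{dn} is outside the integration's OU scope"
    return True, "AD-sourced group inside the import scope"


def build_membership_request(org_url: str, api_token: str, group_id: str, user_id: str,
                             action: str, path_template: str = ASSUMED_PATH_TEMPLATE
                             ) -> urllib.request.Request:
    """Build (without sending) the request a Workflow HTTP step would make."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    url = org_url.rstrip("/") + path_template.format(group_id=group_id, user_id=user_id)
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return urllib.request.Request(url, method="PUT" if action == "add" else "DELETE",
                                  headers=headers)


def plan_change(group: dict, user_id: str, action: str,
                org_url: str = "https://example.okta.com", api_token: str = "REDACTED") -> dict:
    """Decide whether the change can be pushed to AD and, if so, prepare the call."""
    ok, reason = is_ad_managed(group, AD_APP_ID, AD_OU_SCOPE)
    req = build_membership_request(org_url, api_token, group["id"], user_id, action) if ok else None
    return {"allowed": ok, "reason": reason, "request": req}


if __name__ == "__main__":
    # Dry run over the constructed groups: only the in-scope AD group gets a request.
    for grp in SAMPLE_GROUPS.values():
        plan = plan_change(grp, "00u1", "remove")
        call = f"{plan['request'].get_method()} {plan['request'].full_url}" if plan["allowed"] else "skip"
        print(f"{grp['profile']['name']:<20} {call}: {plan['reason']}")
```

The DN check is the part worth keeping even if you replace the HTTP step with a Workflows connector card: a plain string-suffix comparison of DNs breaks on case and spacing differences and on escaped commas in a CN, whereas comparing normalised RDNs holds up. Run the request only after `plan_change` reports `allowed`, and keep the API token in the Workflow's connection settings rather than in code.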
