FAQ: Okta and AD Groups
How does Okta handle Universal Security Groups (USGs)?
Note: Okta does not support Domain Local Groups containing members from multiple domains. We do support Universal Security Groups with cross-domain membership, provided that there is a two-way trust established between the domains. Universal Security Groups do not support cross-forest membership.
Sign-in (JIT) scenarios
What happens when a user who is a member of a USG that does not already exist in Okta signs in to Okta?
What happens when a user who is a member of a USG that already exists in Okta signs in to Okta?
What happens during an import of groups and users?
Example: USG across two domains
Given a USG that resides in Domain B and contains users from Domains A and B:
If Domain A is imported into Okta, which members of the USG are imported into Okta?
Only users from Domain A are imported into Okta, and their membership in the USG is ignored until Domain B is later imported.
If Domain A already exists in Okta, will importing Domain B bring the USG into Okta and sync Group 2 memberships to the USG?
Example: USG across three domains
Given a USG in a three-domain forest that resides in Domain A and contains users from Domains A, B, and C:
When Domain A users and groups are imported into Okta, the USG is imported and Domain A USG user memberships are synced.
If Domain B and Domain C users and groups are imported into Okta, the USG memberships from those domains are not synced until users from those domains sign in to Okta for the first time (as indicated by the dotted line in the diagram).
When are Distribution Groups brought in to Okta?
Only during incremental and full imports, not when users sign in (JIT).
Only during incremental and full imports, and only if the users and groups being imported belong to the same domain.
Does Okta treat Distribution Groups (DGs) and Universal Security Groups (USGs) the same or differently?
Okta treats DGs and USGs the same in this respect:
During imports, Okta does not sync group memberships to DGs or USGs that reside in a different domain than the domain being imported.
Okta treats DGs and USGs differently in this respect:
Note: If only JIT is enabled, Okta will retrieve security group membership during JIT sign-in, but will not retrieve distribution group membership.
How does Okta handle users and groups that are moved to an out-of-scope OU?
Note: The term out-of-scope Organizational Unit (OU) refers to an OU that either does not appear in the relevant OU selector or appears there but is not selected. (Examples of the latter type of out-of-scope OU are highlighted in yellow in the figure below.)
Some organizations administer an employee off-boarding process that involves moving users or groups to an out-of-scope OU. As detailed below, Okta never imports users and groups in out-of-scope OUs, and denies sign-in to all such users.
Sign-in (JIT) scenarios
Okta denies sign-in to all users in out-of-scope OUs, regardless of their enablement status in Active Directory.
Okta performs incremental and full imports.
How does JIT provisioning treat nested groups outside of OU and object filter scopes?
Membership inconsistencies can occur between "regular" imports and JIT provisioning. These anomalies may appear when nested groups are used.
During regular imports, a child group that is outside the scope of an AD OU or LDAP object filter cannot be detected. If a parent group is within the OU/object filter scope but its child groups are not, the parent group's membership is resolved incorrectly during import.
JIT provisioning would correctly resolve these memberships to the parent group because its function only detects "flat" memberships.
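To make the import-versus-JIT discrepancy concrete, the following is an added toy model (not Okta's code) of the two resolution paths the FAQ describes, ending with an audit helper that flags every (user, parent group) pair a scoped import would miss; the group and OU names are constructed, and the model assumes import expands nested members while JIT reads the user's flattened group list.

```python
# Added example, not Okta's code. Models the FAQ's nested-group anomaly:
# a parent group inside the OU scope whose child group sits outside it.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    ou: str                                    # OU the group object lives in
    members: set = field(default_factory=set)  # direct members: users or groups

# Constructed directory: 'App-Admins' (in scope) nests 'Contractors' (out of scope).
GROUPS = {
    "App-Admins": Group("App-Admins", "OU=Okta,DC=corp", {"alice", "Contractors"}),
    "Contractors": Group("Contractors", "OU=Vendors,DC=corp", {"bob"}),
    "Staff": Group("Staff", "OU=Okta,DC=corp", {"alice", "bob"}),
}
IN_SCOPE_OUS = {"OU=Okta,DC=corp"}  # the OU selector in this model

def in_scope(name):
    return GROUPS[name].ou in IN_SCOPE_OUS

def import_members(group_name):
    """Import-style resolution: expand nested groups, but a child group outside
    the OU scope is invisible and contributes no members (the FAQ's defect)."""
    out = set()
    for m in GROUPS[group_name].members:
        if m in GROUPS:
            if in_scope(m):
                out |= import_members(m)
        else:
            out.add(m)
    return out

def jit_groups(user):
    """JIT-style resolution: the user's flattened (transitive) group list,
    as the directory reports it per user, filtered to in-scope groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, grp in GROUPS.items() if grp.members & frontier} - found
        found |= frontier
    return {g for g in found if in_scope(g)}

def membership_gaps():
    """Return {(user, group)} pairs granted via JIT but missed by import."""
    users = {m for g in GROUPS.values() for m in g.members if m not in GROUPS}
    return {(u, g) for u in users for g in jit_groups(u)
            if u not in import_members(g)}

if __name__ == "__main__":
    print(membership_gaps())  # → {('bob', 'App-Admins')}
```

Running the audit over a real export of group objects and OU scope would list exactly the users whose application access depends on whether they were imported or signed in first.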