Convert a group from AD mastered to Okta mastered?
In an effort to streamline our administration, we would like to only edit group memberships in Okta. We currently have a mix of Okta and AD mastered groups. Is it possible to convert our AD mastered groups to be Okta mastered instead?
I’m not aware of a direct way to achieve this because AD-mastered group members can only be managed from AD. You could consider the following idea. It depends on factors like the number of groups involved, whether you need to sync Okta mastered group members back to AD and the long term plans. Create an Okta group for each AD synced group, using an identical group name (this is possible). Then for each group create a rule based on “if user is member of this AD group, make them a member of the same Okta group”. After the group rule is activated it populates the Okta group with the same members as the AD group. You can then assign the Okta group the same application as the AD group and remove the AD group (caution, I’ve not tested this part so you need to make sure application deprovisioning is not initiated). From that point, you’re able to manage the group members in Okta.
In the future, you can continue to add group members from AD using manual methods or dynamic rules that can be based on attibutes that you set on the users in AD or are calculated using attribute transformation during mapping. Afterwards you can deactivate the rules, and even delete them making sure not to tick checkbox that removes members added to the Okta group.