Michael Smith

Can I have users in one group mastered by AD, and users in another group Okta mastered?

Is it possible to use groups to define which users are AD mastered and which users are Okta mastered?

If not, is there another way to programmatically define which users are AD mastered and which users are Okta mastered?
James Garvin (Okta)
It is possible to use groups to define AD vs Okta mastered.  The easiest way is using Group Membership Rules in Okta (Okta Admin -> Directory -> Groups and then click on Rules just above the Add Groups button).

You can use the Rules to assign users to groups in Okta based on criteria like a specified attribute or current group membership.  For instance, you could assign all users in the Domain Users group, synced from AD, to an Okta Mastered group called AD Users.  You could also create a specific attribute for Okta Mastered Users, let's call it MasteredInOkta, and if it is set to true, then the user will be assigned to a group called Okta Users based on a group membership rule. 
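The group rule described in the reply above can also be created through the Okta Groups API; this covers group assignment only and does not change a user's mastering source. This is an added example, not part of the original replies: the org URL, group ID and token are placeholders, and `MasteredInOkta` is the custom attribute name suggested in the reply.

```python
import json
import urllib.request

# Placeholders (assumptions, not values from the thread).
OKTA_ORG = "https://example.okta.com"
OKTA_USERS_GROUP_ID = "00gEXAMPLEGROUPID"  # ID of the "Okta Users" group


def build_rule_payload(name, expression, group_id):
    """Body for POST /api/v1/groups/rules (Okta Groups API)."""
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {"type": "urn:okta:expression:1.0", "value": expression}
        },
        "actions": {"assignUserToGroups": {"groupIds": [group_id]}},
    }


def build_create_rule_request(org_url, api_token, payload):
    """Prepare (but do not send) the HTTP request that creates the rule."""
    return urllib.request.Request(
        url=org_url.rstrip("/") + "/api/v1/groups/rules",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "SSWS " + api_token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def create_and_activate_rule(org_url, api_token, payload):
    """Send the request. New rules start INACTIVE, so activate explicitly."""
    req = build_create_rule_request(org_url, api_token, payload)
    with urllib.request.urlopen(req) as resp:
        rule = json.load(resp)
    activate = urllib.request.Request(
        url=f"{org_url.rstrip('/')}/api/v1/groups/rules/{rule['id']}/lifecycle/activate",
        method="POST",
        headers={"Authorization": "SSWS " + api_token},
    )
    urllib.request.urlopen(activate).close()
    return rule["id"]


# Rule from the reply: MasteredInOkta == true -> member of "Okta Users".
MASTERED_IN_OKTA_RULE = build_rule_payload(
    "MasteredInOkta -> Okta Users", "user.MasteredInOkta == true", OKTA_USERS_GROUP_ID
)
```

Because a rule like this grants group membership (and whatever access the group carries) from a single profile attribute, restrict who can write that attribute and read the API token from a secret store rather than source code.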
Michael Smith
Hi James; thank you for your reply.

What I hear you saying is that Okta allows the automated grouping of users based on user attributes or group membership.

In addition to that, can Okta automatically/programmatically change a user from AD mastered to Okta mastered (I was hoping via group membership, but open to other methods such as API etc.)?

Basically I want an attribute or group membership change to trigger a change to the mastering source for a user.

Many thanks,
Michael

 
Mihai Burcea (Okta, Inc.)
Hi Michael,

At the moment, if the users are created and imported into Okta from the master, we do not have any automated method to "Disconnect user from master". That has to be done manually.
The only way you can disconnect users from Master, but that will put the affected users in Password reset mode, will be to move those users in the Master from the OUs selected to be synced with Okta.
 
Michael Smith
Thanks for your message Mihai.

When you said "The only way you can disconnect users from Master, but that will put the affected users in Password reset mode, will be to move those users in the Master from the OUs selected to be synced with Okta," are you saying that you must disconnect users manually, but to be aware this will put the affected users into password reset mode?

Many thanks,
Michael