We have a group named Box_Users in our Active Directory that syncs up to Okta. We have to add each individual to this group in order for them to have access to Box.
There is a built-in group within AD named "Domain Users". Instead of adding each individual to Box_Users, we would like to just add "Domain Users" to the Box_Users group. Does Okta support this type of nesting?
Unfortunately, we can't use the built-in Okta group "Everyone" because we don't want our Okta Mastered users to see the Box icon.
There is an Early Access Feature called Group Membership Rules, which will allow you to create a dynamic group membership rule based on specific criteria, like "is a member of Domain Users." You would need to contact Support to enable this feature.
You could create an Okta Mastered Group, set the rule for the Group "is a member of Domain Users," and then push that group to Box. That would solve your problem and allow you more robust management.
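The Group Membership Rules approach from the reply above, as an added example that is not part of the original thread and not Okta's own code: a small Python script that builds the rule body for Okta's `POST /api/v1/groups/rules` endpoint, using the Okta Expression Language condition `isMemberOfGroupName("Domain Users")`, and then activates the rule (rules are created inactive). It assumes that the "Domain Users" group has already been imported into Okta (a rule can only reference groups Okta knows about), that the target group is Okta-mastered (rules cannot populate AD-mastered groups), and that the org URL, an SSWS API token and the target group id are supplied through the environment variables `OKTA_ORG_URL`, `OKTA_API_TOKEN` and `BOX_USERS_GROUP_ID`; those variable names and the rule name are placeholders chosen here.

```python
"""Create and activate an Okta group membership rule that adds every member of
an imported AD group (here "Domain Users") to an Okta-mastered group.

Added example; assumptions not taken from the original thread:
- the AD group has already been imported into Okta, because a rule can only
  reference groups Okta knows about;
- the target group is Okta-mastered (rules cannot populate AD-mastered groups);
- OKTA_ORG_URL, OKTA_API_TOKEN and BOX_USERS_GROUP_ID are placeholder
  environment variable names chosen for this example.
"""
import json
import os
import urllib.request

OKTA_EL_TYPE = "urn:okta:expression:1.0"


def membership_expression(group_name: str) -> str:
    """Return the Okta Expression Language condition for membership in a named group."""
    # Okta EL string literals are double-quoted; rather than guess the escaping
    # rules, refuse names that would need escaping (conservative choice).
    if '"' in group_name:
        raise ValueError("group name must not contain a double quote")
    return f'isMemberOfGroupName("{group_name}")'


def build_group_rule(rule_name: str, source_group_name: str,
                     target_group_ids: list) -> dict:
    """Build the JSON body for POST /api/v1/groups/rules."""
    if not target_group_ids:
        raise ValueError("at least one target group id is required")
    return {
        "type": "group_rule",
        "name": rule_name,
        "conditions": {
            "expression": {
                "value": membership_expression(source_group_name),
                "type": OKTA_EL_TYPE,
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": list(target_group_ids)}},
    }


def _okta_request(org_url: str, token: str, method: str, path: str, body=None):
    """Send one authenticated request to the Okta API and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        org_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={
            "Authorization": f"SSWS {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    # Activation returns an empty body (204), so tolerate no content.
    return json.loads(raw) if raw else {}


def create_and_activate_rule(org_url: str, token: str, rule: dict) -> str:
    """Create the rule (created INACTIVE by Okta) and then activate it; return its id."""
    created = _okta_request(org_url, token, "POST", "/api/v1/groups/rules", rule)
    rule_id = created["id"]
    _okta_request(org_url, token, "POST",
                  f"/api/v1/groups/rules/{rule_id}/lifecycle/activate")
    return rule_id


if __name__ == "__main__":
    rule = build_group_rule(
        "Box users from Domain Users",  # placeholder rule name
        "Domain Users",
        # placeholder id of the Okta-mastered group that is pushed to Box
        [os.environ.get("BOX_USERS_GROUP_ID", "00g_example_box_users")],
    )
    print(json.dumps(rule, indent=2))
    if os.environ.get("OKTA_API_TOKEN") and os.environ.get("OKTA_ORG_URL"):
        rule_id = create_and_activate_rule(
            os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"], rule)
        print("created and activated rule", rule_id)
```

Run it without the token variables to see the rule body it would send; with them set, it creates the rule and activates it. Because membership is evaluated by Okta rather than by AD nesting, the Okta-mastered target group can then be pushed to Box while the "Everyone" group stays out of the picture, which is the point of the reply above.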
Is there a reason why you can't assign the "Domain Users" AD group to Box? That way you can get a direct assignment without the nesting you're talking about. Another approach to this might be to use our Group Membership Rules: https://support.okta.com/help/articles/Knowledge_Article/Using-Group-Membership-Rules
In answer to the question about 'why can't I assign the Domain Users AD group to Box', that is because it does not appear in an OU that gets imported from Okta. It is in the "Built In" OU of AD. That is not listed in the Directory Integrations. Were you able to import Domain Users?
Group membership rules sounds like a possible option.
Based on both responses, you got me thinking... I see that you can attach a directory to a group. So I am thinking of creating an Okta Mastered group and then attaching the domain directory to that group. Does that sound like it would work?