We have a need to create one Okta group out of the members of multiple Active Directory groups and multiple Okta groups.

For example, populate Okta group TEST_All with all members from AD_Group1, AD_Group2, Okta_Group1, and Okta_Group2. 
We also want the following to occur automatically:
- Adding a new user to AD_Group1 should add to TEST_All
- Adding a new user to Okta_Group2 should add to TEST_All
- Removing a user from AD_Group2 should remove from TEST_All
- Removing a user from Okta_Group2 should remove from TEST_All
Currently, we are accomplishing this via PowerShell scripts.

Can all the above be managed via Group Membership rules? Is there a limit to the number of groups used?
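As an added illustration of what the reconciliation script described above has to do (this is example code, not the poster's own script), the following PowerShell computes the union of the source groups and writes only the difference to the target group. It assumes placeholder values for the Okta domain, an API token limited to group management, and the Okta group IDs of the four source groups and of TEST_All; AD groups imported into Okta are read through the same group-members endpoint.

```powershell
# Example only: reconcile one Okta group with the union of several source groups.
# Placeholders below (domain, token, group IDs) are assumptions, not real values.
$OktaDomain     = "https://example.okta.com"
$ApiToken       = "<OKTA_API_TOKEN>"   # grant only the group-management permissions this job needs
$SourceGroupIds = @("<AD_Group1_id>", "<AD_Group2_id>", "<Okta_Group1_id>", "<Okta_Group2_id>")
$TargetGroupId  = "<TEST_All_id>"
$Headers        = @{ Authorization = "SSWS $ApiToken"; Accept = "application/json" }

# Reads every member of a group, following the 'next' Link header so large groups are not truncated.
function Get-OktaGroupMemberIds([string]$GroupId) {
    $ids = @()
    $url = "$OktaDomain/api/v1/groups/$GroupId/users?limit=200"
    while ($url) {
        $resp = Invoke-WebRequest -Uri $url -Headers $Headers -Method Get -UseBasicParsing
        $ids += ($resp.Content | ConvertFrom-Json) | ForEach-Object { $_.id }
        $url = $null
        foreach ($link in @($resp.Headers['Link'])) {
            if ($link -match '<([^>]+)>;\s*rel="next"') { $url = $Matches[1] }
        }
    }
    return $ids
}

# Desired state: the de-duplicated union of all source groups.
$desired = @{}
foreach ($gid in $SourceGroupIds) {
    foreach ($uid in Get-OktaGroupMemberIds $gid) { $desired[$uid] = $true }
}
# Current state of the target group.
$current = @{}
foreach ($uid in Get-OktaGroupMemberIds $TargetGroupId) { $current[$uid] = $true }

$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

# Only the computed difference is written: a user joining any source group is added,
# a user no longer in any source group is removed, and a run without drift changes nothing.
foreach ($uid in $toAdd) {
    Invoke-RestMethod -Uri "$OktaDomain/api/v1/groups/$TargetGroupId/users/$uid" -Headers $Headers -Method Put
    Write-Host "Added $uid to target group"
}
foreach ($uid in $toRemove) {
    Invoke-RestMethod -Uri "$OktaDomain/api/v1/groups/$TargetGroupId/users/$uid" -Headers $Headers -Method Delete
    Write-Host "Removed $uid from target group"
}
```

Logging the two difference lists before the write loop gives an audit trail of every membership change the job makes.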

Jaypee Manansala (Okta)
Hi Katie,

Thanks for posting your inquiries in Okta Community.

We have a different approach on this scenario:

1. Use the default "Everyone" Okta Group

2. Manage Group Membership from your AD
   * Okta currently does not support nested groups
   * Okta will extract all users in nested groups within a group membership

3. Create multiple "Group Membership Rules" defining your User Attributes through the Expression Builder or Expression Editor and assign them to a particular Group that you have created

Please refer to the link below for more detailed information.

Please let me know if you need any additional information. Thank you.


Katie Evans
Hello JP,

We have over 40 Active Directories managed by our distributors and over 40 other distributors managed directly in Okta. We control permissions in multiple applications based on AD or Okta group assignments.

PowerShell scripts are being used to populate one Okta group based on over 80 of these group assignments (both AD and Okta). For example, Distributor_Sales should be populated with anyone in groups XX_Sales, YY_Sales, and ZZ_Sales, regardless of AD or Okta groups.

Eric Tipton
Our environment is nowhere near the size of what Katie is talking about, but we do something similar, albeit exclusively with AD groups.

We use nested AD groups like so: an App is assigned a single AD group. Groups nested in that group show up on the Okta side as being direct members of this group, and that's fine. This gives us some flexibility in how we assign: we can add entire departmental groups (i.e. Sales) to the App Group, then for one-offs we add people directly to the App Group. Aside from the one-offs, which we need a ticket for SOX compliance anyhow, the assignments are mostly done via PowerShell. We are WDaaM, so we use a lot of Workday attributes pushed to Okta->AD (location, cost center, title, etc.) to add users to appropriate groups. I am currently working on pushing location-based groups to Google Apps so that gets automated as well.