Best Practices for Okta Active Directory Push Groups
Overview

Okta Push Groups can be used to link an Okta group with an on-premises Active Directory (AD) group, synchronizing Okta group membership to the corresponding AD group. When Okta users are added to the Okta group, Okta syncs that membership to the linked AD group, provided the Okta user has an AD account. Below are best practices for configuring and managing Push Groups in AD.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Directories
  • Active Directory (AD)
  • Push Groups
Solution

What are the best practices for using Okta Push Groups in Active Directory?

Refer to Push groups from Okta to Active Directory for detailed instructions on setting up Push Groups for AD.

The following list outlines the expected behaviors and best practices when utilizing Okta Push Groups with Active Directory:

  • When an Okta Push Group is linked to an existing AD group, Okta updates the AD group's membership immediately at link time. If the AD group was already present in Okta when the link is created, Okta removes from the AD group every member who does not belong to the linked Okta group.
  • The Okta group linked to the AD group must not also be configured as an assignment group that provisions users to the same AD instance. That configuration leads to group membership mismatches.

Figure (unsupported configuration): a single Okta group configured as both a push group and an assignment group for the same AD instance.

  • If the AD group has already been imported into Okta, it disappears from the Okta group list once it is linked to an Okta group.
  • An Okta group can be linked to an AD group regardless of whether the AD group is within an organizational unit (OU) scoped for Okta imports.
  • Administrators must manage membership of the AD group within Okta after linking an Okta group. If an AD user is added to the group directly in AD, Okta does not reflect that membership change in the linked Okta group, even after a full import.
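Because linking rewrites the AD group's membership immediately, and because a group used as both a push group and an assignment group drifts out of sync, it is worth previewing both conditions before creating the link. The following script is an added example and is not Okta's code or API; it works on membership data you have already exported (from Okta and from AD) and reports what a link would add, remove, or skip, plus any group configured in both roles for the same AD instance. It assumes that Okta logins and AD userPrincipalName values refer to the same identifier and can be compared case-insensitively; the sample data is constructed.

```python
"""Pre-link preview for Okta Push Groups -> Active Directory groups.

Assumption (not from the original article): an Okta login and an AD
userPrincipalName name the same person and compare equal ignoring case.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class LinkPreview:
    will_add: FrozenSet[str]              # Okta members Okta would push into AD
    will_remove: FrozenSet[str]           # AD members Okta would strip at link time
    skipped_no_ad_account: FrozenSet[str]  # Okta members with no AD account: never pushed


def _norm(ids: Iterable[str]) -> FrozenSet[str]:
    """Normalise identifiers so 'Bob@corp.example' and 'bob@corp.example' match."""
    return frozenset(i.strip().lower() for i in ids)


def preview_link(okta_members: Iterable[str],
                 okta_users_with_ad: Iterable[str],
                 ad_members: Iterable[str]) -> LinkPreview:
    """Model the article's link-time behaviour on exported membership lists.

    - Members of the Okta group who have an AD account are pushed to AD.
    - AD members who are not in the Okta group are removed on link.
    - Okta members without an AD account are silently not pushed.
    """
    okta = _norm(okta_members)
    has_ad = _norm(okta_users_with_ad)
    ad = _norm(ad_members)
    pushable = okta & has_ad
    return LinkPreview(
        will_add=pushable - ad,
        will_remove=ad - okta,
        skipped_no_ad_account=okta - has_ad,
    )


def role_conflicts(push_group_links: Dict[str, str],
                   assignment_groups: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Return (okta_group, ad_instance) pairs used as both push and assignment group.

    push_group_links:  okta group name -> AD instance it is pushed to
    assignment_groups: AD instance -> Okta groups assigned to provision into it
    """
    return {(group, instance)
            for group, instance in push_group_links.items()
            if group in assignment_groups.get(instance, set())}


# --- constructed sample data (hypothetical tenant, not real accounts) ---
SAMPLE_OKTA_MEMBERS = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}
SAMPLE_OKTA_WITH_AD = {"alice@corp.example", "bob@corp.example", "dave@corp.example"}
SAMPLE_AD_MEMBERS = {"Bob@corp.example", "dave@corp.example", "erin@corp.example"}
SAMPLE_PUSH_LINKS = {"Finance-Okta": "ad.corp.example", "HR-Okta": "ad.corp.example"}
SAMPLE_ASSIGNMENTS = {"ad.corp.example": {"HR-Okta", "AllStaff"}}


def sample_report() -> Tuple[LinkPreview, Set[Tuple[str, str]]]:
    """Run both checks over the constructed sample so the result is reviewable."""
    return (preview_link(SAMPLE_OKTA_MEMBERS, SAMPLE_OKTA_WITH_AD, SAMPLE_AD_MEMBERS),
            role_conflicts(SAMPLE_PUSH_LINKS, SAMPLE_ASSIGNMENTS))


if __name__ == "__main__":
    preview, conflicts = sample_report()
    print("would add to AD:       ", sorted(preview.will_add))
    print("would REMOVE from AD:  ", sorted(preview.will_remove))
    print("not pushed (no AD acct):", sorted(preview.skipped_no_ad_account))
    for group, instance in sorted(conflicts):
        print(f"CONFLICT: {group} is both push group and assignment group for {instance}")
```

Review the "would REMOVE from AD" list with the AD group's owner before linking; anything listed there loses access the moment the link is created, since Okta, not AD, becomes the source of truth for that group. A non-empty conflict set means the Okta group should be split into one push group and one assignment group before proceeding.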
