When a user is added to an Okta group through a Group Rule and is later deactivated, they will not be automatically removed from the group. This can lead to unexpected group memberships and potential security risks.
- Group Rules
- Okta Groups
- Deactivated User
Okta Group Rules are designed to dynamically manage group memberships based on specific criteria. When a user meets the criteria of a Group Rule, they are added to the group. However, deactivation changes the user's state in Okta but does not automatically trigger a re-evaluation of the Group Rule criteria. As a result, the user remains in the group even though they are no longer active.
Manual Removal via Okta Groups API
To remove a deactivated user from an Okta group, use the Okta Groups API, which lets you manage group memberships programmatically.
Steps to Remove a Deactivated User
- Identify the Group ID. Locate the group's unique ID before removing the user. This ID can be found in the Okta Admin Console or retrieved through the Okta API.
- Identify the User ID. Obtain the deactivated user's unique identifier. User IDs can also be found in the Okta Admin Console or retrieved through the Okta API.
- Use the Okta Groups API. Call the API's endpoint for removing users from groups, passing the group ID and user ID as parameters. Refer to the Okta Groups API documentation (linked below) for specific instructions on using this endpoint.
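A worked version of the three steps above, added here as an example and not part of the original article or Okta's own tooling: it lists the group's members through the Groups API, keeps only those whose status is DEPROVISIONED (Okta's state for a deactivated user), and issues the DELETE call for each. The org URL, API token and group ID are placeholders read from environment variables, and the HTTP call is injectable so the filtering and removal logic can be exercised offline.

```python
"""Remove deactivated (DEPROVISIONED) users from an Okta group via the Groups API.

Added example, not Okta's code. OKTA_ORG_URL / OKTA_API_TOKEN / OKTA_GROUP_ID
are placeholder variable names chosen here; supply real values to run it live.
"""
import json
import os
import urllib.request

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # placeholder
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "REPLACE_ME")            # placeholder


def okta_request(method, path, token=API_TOKEN, org_url=ORG_URL):
    """Call the Okta Management API; returns (HTTP status, parsed JSON or None).

    4xx/5xx answers raise urllib.error.HTTPError, so failures are not silent.
    """
    req = urllib.request.Request(org_url + path, method=method)
    req.add_header("Authorization", "SSWS " + token)  # Okta API token scheme
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def deactivated_members(members):
    """Keep only deactivated accounts from a /groups/{id}/users listing.

    Only DEPROVISIONED is selected; SUSPENDED or LOCKED_OUT users are left alone.
    """
    return [m["id"] for m in members if m.get("status") == "DEPROVISIONED"]


def remove_deactivated_users(group_id, request=okta_request):
    """List the group's members and remove each DEPROVISIONED one.

    Returns the user IDs whose DELETE was answered with 204 No Content.
    (A single page of members is read; large groups need Link-header paging.)
    """
    _, members = request("GET", f"/api/v1/groups/{group_id}/users")
    removed = []
    for user_id in deactivated_members(members or []):
        status, _ = request("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}")
        if status == 204:
            removed.append(user_id)
    return removed


if __name__ == "__main__":
    print(remove_deactivated_users(os.environ.get("OKTA_GROUP_ID", "00g_placeholder")))
```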
