In certain cases, exceptions can be generated and added to the "exception list" by group rules.
- Group Rules
- Universal Directory
- Group Rule Exceptions
The addition of exceptions to group rules can occur in the following situations:
- When a user is manually removed from the group
  Should a user be manually removed from the group, an exception will be automatically recorded for that user under the relevant group rule.
- When a user is manually added to the group
  If a user is added to a group but does not meet the standard criteria for triggering the group rule, an exception can be added to ensure that the user is not subsequently removed from the group as a result of the rule.
- When a user is manually added to the exception list
  If a user needs to bypass a specific group rule for a valid reason, they can be added to the exception list by modifying the group rule and including the user via the edit rule interface.
NOTE: During inbound SAML synchronization from an external IdP, if the Okta IdP configuration has Group Assignments set to Full sync of groups, any modifications to groups that are either conditions or targets within an Okta group rule will lead to the associated users being added to the exception list.
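
The following is an added example, not part of the original article or Okta's own code, showing one way to review the exception list across rules. It assumes rules exported from the Okta Groups API carry exceptions under `conditions.people.users.exclude` and target groups under `actions.assignUserToGroups.groupIds`; all rule, user and group IDs and the membership snapshot are constructed.

```python
import json

# Constructed sample, shaped like the Groups API rule object (assumed field layout).
RULES_JSON = """
[
  {"id": "rule-eng", "name": "Engineering rule", "status": "ACTIVE",
   "conditions": {"people": {"users": {"exclude": ["u-alice", "u-bob"]}}},
   "actions": {"assignUserToGroups": {"groupIds": ["g-eng"]}}},
  {"id": "rule-ops", "name": "Ops rule", "status": "ACTIVE",
   "conditions": {"people": {"users": {"exclude": []}}},
   "actions": {"assignUserToGroups": {"groupIds": ["g-ops"]}}}
]
"""
RULES = json.loads(RULES_JSON)

# Constructed membership snapshot: group id -> set of member user ids.
MEMBERS = {"g-eng": {"u-alice", "u-carol"}, "g-ops": {"u-dave"}}


def audit_exceptions(rules, members):
    """Return one finding per (rule, excepted user, target group)."""
    findings = []
    for rule in rules:
        people = rule.get("conditions", {}).get("people") or {}
        excluded = (people.get("users") or {}).get("exclude") or []
        targets = (rule.get("actions", {})
                       .get("assignUserToGroups", {})
                       .get("groupIds", []))
        for user in excluded:
            for group in targets:
                in_group = user in members.get(group, set())
                findings.append({
                    "rule": rule["id"], "user": user, "group": group,
                    # Member despite the exception: membership is held outside the rule
                    # (consistent with a manual add). Not a member: the rule will not
                    # re-add this user (consistent with a manual removal or bypass).
                    "state": "member_outside_rule" if in_group
                             else "excluded_not_member",
                })
    return findings


if __name__ == "__main__":
    for f in audit_exceptions(RULES, MEMBERS):
        print(f"{f['rule']}: {f['user']} -> {f['group']} [{f['state']}]")
```

A sudden jump in findings for rules whose condition or target groups are managed by an external IdP is worth checking against the full-sync behaviour described in the NOTE.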
