Okta User's Group Membership Does Not Match Active Directory
Overview

This article contains troubleshooting steps to help determine why the group membership Okta shows for a user sourced from Active Directory does not match that user's group membership in Active Directory.

Applies To
  • Active Directory
  • Directory Integrations
Solution
  1. Check whether Just-in-time (JIT) provisioning is enabled.

    a. JIT provisioning syncs the Okta profile with Active Directory at each login. JIT relies on the Active Directory attribute tokenGroups to determine the user's group membership, whereas an import resolves membership through a different mechanism. A group added by JIT may therefore not be removed by a regular import. To trigger JIT, have the affected user log in to Okta with their username and password.

    b. Check the user's Active Directory tokenGroups attribute with the PowerShell commands below. tokenGroups is a constructed attribute, so it is only returned by a base-scope read of the user object itself (hence -SearchScope Base). If the results do not match the user's group membership in Active Directory, there may be a problem with the Active Directory object. Replace any value wrapped in < > with the correct information. The credential is stored in a variable so that the Okta service account is used for the group lookups as well, instead of the account running the shell.

    $cred = Get-Credential '<Okta service account>'
    Get-ADUser -SearchScope Base -SearchBase '<DN of affected user>' -Filter * -Properties tokenGroups -Credential $cred -Server '<DC Hostname>' | %{ $_.tokenGroups } | %{ $_.Value } | foreach { Get-ADGroup -Identity $_ -Credential $cred -Server '<DC Hostname>' }
  2. If the user is a member of more groups in Okta than in Active Directory, check whether the user's Active Directory groups are themselves members of other groups. Okta flattens group membership on import: when groups are nested inside a group the user belongs to, those nested groups are added directly to the user's group membership list in Okta.

  3. To verify that the Okta service account has permission to read both the Active Directory user and the group membership, run the PowerShell commands below on a Domain Controller (or on any host with the ActiveDirectory module installed). Replace any value wrapped in < > with the correct information.

    To see a user's group membership:

    Get-ADPrincipalGroupMembership -Credential '<Okta service account>' -Identity '<AD user>' | select name

    To see a group's user membership (add -Recursive to Get-ADGroupMember to see the flattened membership described in step 2):

    $cred = Get-Credential '<Okta service account>'
    Get-ADGroup -Credential $cred -SearchBase '<DN of group>' -LDAPFilter '(&(objectCategory=group)(cn=<Group CN>))' | foreach { Get-ADGroupMember -Identity $_ -Credential $cred | Select name, SamAccountName, distinguishedName }
  4. Use one of the links under Related References below to enable verbose logging on the Okta AD agent. Run a Full Import, gather the agent logs, and submit them to Okta Support in a new Support Case.
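The steps above can be combined into a single comparison. The script below is an added example, not Okta's own tooling: it reads the user's tokenGroups as the Okta service account (step 1b), resolves the user's transitive group membership through the memberOf chain (the nested membership from step 2), and diffs both against the list of group names Okta shows for the user (step 3). Assumptions not taken from the article: the parameter names, that the Okta group names are pasted from the Okta admin console and match the Active Directory group names, and that the host has the ActiveDirectory PowerShell module.

```powershell
# Added example (not Okta's own script). Compares a user's group membership as the Okta
# AD agent's service account sees it against the groups Okta lists for the user.
# Assumed inputs (placeholders, not from the article): user DN, DC hostname,
# service account name, and Okta group names copied from the admin console.
param(
    [Parameter(Mandatory)][string]$UserDN,
    [Parameter(Mandatory)][string]$DC,
    [Parameter(Mandatory)][string]$ServiceAccount,
    [string[]]$OktaGroups = @()
)
Import-Module ActiveDirectory
$cred = Get-Credential -UserName $ServiceAccount -Message 'Okta AD agent service account'

# 1. tokenGroups (what JIT uses). Constructed attribute: only returned by a base-scope
#    read of the object itself. It contains security groups only, and includes the
#    primary group (typically Domain Users).
$user = Get-ADUser -SearchScope Base -SearchBase $UserDN -Filter * `
    -Properties tokenGroups -Credential $cred -Server $DC
$tokenGroupNames = foreach ($sid in $user.tokenGroups) {
    try   { (Get-ADGroup -Identity $sid.Value -Credential $cred -Server $DC).Name }
    catch { "<unresolved SID $($sid.Value)>" }   # e.g. a group this account cannot read
}

# 2. Transitive memberOf via LDAP_MATCHING_RULE_IN_CHAIN: the nested (flattened)
#    membership an LDAP client resolves from the member attribute. Unlike tokenGroups it
#    includes distribution groups but not the primary group (which has no member entry).
$chainFilter = "(member:1.2.840.113556.1.4.1941:=$UserDN)"
$nestedNames = @(Get-ADGroup -LDAPFilter $chainFilter -Credential $cred -Server $DC).Name

# Case-insensitive set difference of two group-name lists.
function Compare-Membership([string[]]$Left, [string[]]$Right) {
    $l = @($Left  | Sort-Object -Unique)
    $r = @($Right | Sort-Object -Unique)
    [pscustomobject]@{
        OnlyInLeft  = @($l | Where-Object { $_ -notin $r })
        OnlyInRight = @($r | Where-Object { $_ -notin $l })
    }
}

$report = [ordered]@{
    'tokenGroups (left) vs transitive memberOf (right)' = Compare-Membership $tokenGroupNames $nestedNames
    'tokenGroups (left) vs Okta (right)'                = Compare-Membership $tokenGroupNames $OktaGroups
    'transitive memberOf (left) vs Okta (right)'        = Compare-Membership $nestedNames $OktaGroups
}
foreach ($entry in $report.GetEnumerator()) {
    "== $($entry.Key) =="
    "  only on left : $($entry.Value.OnlyInLeft  -join ', ')"
    "  only on right: $($entry.Value.OnlyInRight -join ', ')"
}

# Usage (placeholders):
# .\Compare-OktaAdGroups.ps1 -UserDN 'CN=Jane Doe,OU=Users,DC=example,DC=com' -DC 'dc01.example.com' `
#     -ServiceAccount 'EXAMPLE\svc-okta' -OktaGroups @('Domain Users','App-Admins')
```

How to read the output: a group that appears in the transitive memberOf result but not in tokenGroups is either a distribution group or one the service account cannot resolve; a group present in tokenGroups but missing from Okta points at the service account's read permissions or at an import that has not run since the membership changed; a group present in Okta but absent from both Active Directory views was most likely added by JIT and survived a later import, which is the case step 1a describes.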


Related References
