When multiple users are suddenly deprovisioned from an application, the issue often stems from changes in the source directory or group assignments. Administrators must verify source directory changes, check application group assignments, and validate group membership rules to resolve the deprovisioning issue.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Application Assignments
- Deprovisioning
Sudden deprovisioning occurs when a user loses their application assignment due to changes in the source directory, removal from an assigned group, or a failure to meet group rule criteria.
How are sudden user deprovisioning issues resolved?
To determine why users are deprovisioned from an application, verify changes in the source directory, validate group assignments, and check group membership rules.
- Review the source directory, such as Active Directory (AD), to identify any recent changes if Okta imports the user from AD.
- Check the groups assigned to the application and verify that all expected groups are present.
- Navigate to Directory, and then select Groups in the Okta Admin Console.
- Select the group or groups assigned to the application and verify whether the users remain listed as members.
- If the users are missing from the group, verify whether they still belong to the corresponding group in the source directory.
- Select the group or groups assigned to the application and verify whether the users remain listed as members.
NOTE: If the user appears as a member of the group in AD but not as a member of the group in Okta, contact Okta Support.
-
- If the group assigned to the application is an Okta-sourced group and lacks expected users, select the Rules tab to check for an active rule that assigns users to the group based on specific criteria.
- Ensure that the criteria used by the rule still apply to the affected users.
