Deprovisioning Behavior when an Application Is Inactive
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Overview

This article explains application assignment behavior for inactive Okta apps where provisioning was enabled and was left enabled when the app was made inactive. The outcome for the app assignment differs depending on whether the User profile is deactivated or an active User is removed from a group that grants access to the application.

Applies To
  • User Lifecycle Management
  • Application Provisioning
  • Inactive Applications
  • Group App Assignments
Cause

Two different processes handle application unassignments. One is triggered with Okta User deactivation, and the other is triggered with a change in group membership. These different scenarios do not treat assignments for inactive applications in the same manner.

This is the expected behavior for each scenario:

  • User Deactivation: When a user is deactivated, any application assignments for apps marked as inactive are left untouched. Assignments for active apps are removed, and deprovisioning occurs as configured.

  • Group Membership Change: When a user is removed from an Okta group assigned to an inactive application, the user is unassigned from the app. If provisioning was enabled when the app was made inactive, the API connection to the service provider is still valid, and Deactivate Users is enabled in the provisioning settings, a deprovisioning action will be pushed to the application.
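
An added example (not Okta's code) that audits an inventory for the two outcomes described above: assignments left on inactive apps after user deactivation, and group-based assignments where a group removal would still push deprovisioning. The records are constructed and only shaped like Okta API objects; the `scope` and `status` field names, and treating the `PUSH_USER_DEACTIVATION` feature flag as the Deactivate Users setting, are assumptions.

```python
# Added example: every record below is constructed sample data.
APPS = [
    {"id": "app1", "label": "Legacy CRM", "status": "INACTIVE",
     "features": ["PUSH_NEW_USERS", "PUSH_USER_DEACTIVATION"]},
    {"id": "app2", "label": "Old Wiki", "status": "INACTIVE", "features": []},
    {"id": "app3", "label": "Payroll", "status": "ACTIVE",
     "features": ["PUSH_USER_DEACTIVATION"]},
]
USERS = {
    "u1": {"login": "alice@example.com", "status": "DEPROVISIONED"},
    "u2": {"login": "bob@example.com", "status": "ACTIVE"},
    "u3": {"login": "carol@example.com", "status": "ACTIVE"},
}
# app id -> app-user records; scope says how the assignment was made.
ASSIGNMENTS = {
    "app1": [{"id": "u1", "scope": "GROUP"}, {"id": "u2", "scope": "GROUP"},
             {"id": "u3", "scope": "USER"}],
    "app2": [{"id": "u1", "scope": "USER"}, {"id": "u2", "scope": "GROUP"}],
    "app3": [{"id": "u2", "scope": "GROUP"}],
}


def audit_inactive_apps(apps, users, assignments):
    """Return (app label, login, finding) tuples for inactive apps only."""
    findings = []
    for app in apps:
        if app["status"] != "INACTIVE":
            continue  # active apps are unassigned and deprovisioned as configured
        # Assumption: this feature flag corresponds to "Deactivate Users".
        pushes_deactivation = "PUSH_USER_DEACTIVATION" in app.get("features", [])
        for record in assignments.get(app["id"], []):
            user = users[record["id"]]
            if user["status"] == "DEPROVISIONED":
                # User deactivation left this assignment untouched.
                findings.append((app["label"], user["login"], "STALE_ASSIGNMENT"))
            elif record["scope"] == "GROUP" and pushes_deactivation:
                # A group removal would unassign the user and, if the API
                # connection is still valid, push a deprovisioning action.
                findings.append((app["label"], user["login"],
                                 "GROUP_REMOVAL_PUSHES_DEPROVISION"))
    return findings


if __name__ == "__main__":
    for finding in audit_inactive_apps(APPS, USERS, ASSIGNMENTS):
        print(*finding, sep=" | ")
```

Whether the API connection to the service provider is still valid cannot be read from these records and has to be checked separately.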

Solution
  • If deprovisioning tasks are not expected after the app is marked inactive:
    • If the app is expected to be reactivated at a later date
      1. First, disable the API integration in Okta by unchecking this option for the app under Provisioning > Integration and saving.
      2. Optional: revoke the API credentials from the service provider side.
    • If the app is not expected to be reactivated at a later date 
      1. Delete the app integration. If the app is currently inactive, navigate once again to the application's page in the Okta admin dashboard, click the Inactive dropdown menu, and choose Delete. Otherwise, the app must be deactivated before it can be deleted.
      2. Recommended: revoke the API credentials from the service provider side if no longer used elsewhere.
        • NOTE: Deleting an app integration is permanent. After deleting an app integration, it is not possible to reactivate it or retrieve its memberships.
  • If deprovisioning is expected after the app is marked inactive
    1. Ensure that Okta Users are removed from the group that assigns the app before the User profile is deactivated.
    2. Leave the app active so both scenarios can pick up on the assignment removal.
      1. Recommended: If SSO is also configured, adjust the sign-on policies accordingly to prevent Users from unexpectedly accessing the app.
      2. Optional: Hide from the Okta End User dashboard.

NOTE: There are a few reasons why an Okta User may not be unassigned from an app during deactivation, including apps in the inactive status. See Deactivate and delete user accounts.
