How to Create Group Rule Using Additional Active Directory Attributes
Lifecycle Management
Okta Classic Engine
Okta Identity Engine
Overview

This article provides instructions on how to use an Active Directory (AD) attribute within an Okta Group Rule by using the Okta Expression Language.

Applies To
  • User Lifecycle Management (LCM)
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Solution

Follow the instructions below to configure a Group Rule's If condition to use an AD attribute. For more details on setting up Group Rules, see Create group rules.

  1. In the Group Rule If condition, select Use Okta Expression Language (advanced).
  2. Enter the expression in the following format, replacing <AttributeName> and <AttributeValue> with the appropriate values:
     findDirectoryUser().<AttributeName> == "<AttributeValue>"

  • NOTE: This expression works correctly only if the user has exactly one Active Directory assignment. The findDirectoryUser() function returns null if the user has no AD assignment or more than one.

For more information, refer to the Okta Expression Language Directory and Workday functions documentation.
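
The following is an added example, not part of the original article or Okta's own code: it builds the expression from step 2 and wraps it in a group rule request body for teams that manage rules as code instead of through the Admin Console. It assumes the Okta Groups API rule format (POST /api/v1/groups/rules); the function names, the sample attribute department, the value Sales and the group ID are constructed placeholders.

```python
import json
import re

# Assumption: AD attribute names referenced after findDirectoryUser() are
# plain identifiers (letters, digits, underscore).
ATTRIBUTE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
EXPRESSION_TYPE = "urn:okta:expression:1.0"


def build_ad_condition(attribute_name: str, attribute_value: str) -> str:
    """Return findDirectoryUser().<AttributeName> == "<AttributeValue>"."""
    if not ATTRIBUTE_NAME.match(attribute_name):
        raise ValueError(f"unexpected attribute name: {attribute_name!r}")
    # Group rules grant access, so the value must stay inside its string
    # literal. Rather than guess at escaping rules, refuse quotes,
    # backslashes and control characters outright.
    if any(c in '"\\' or ord(c) < 0x20 for c in attribute_value):
        raise ValueError(f"unsupported character in value: {attribute_value!r}")
    return f'findDirectoryUser().{attribute_name} == "{attribute_value}"'


def build_group_rule(name, attribute_name, attribute_value, group_ids):
    """Build the JSON body for a group rule that uses the AD condition."""
    if not name:
        raise ValueError("rule name is required")
    if not group_ids:
        raise ValueError("at least one target group ID is required")
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {
                "type": EXPRESSION_TYPE,
                "value": build_ad_condition(attribute_name, attribute_value),
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": list(group_ids)}},
    }


if __name__ == "__main__":
    # Constructed sample input; replace with real attribute and group ID.
    rule = build_group_rule(
        "AD department Sales", "department", "Sales", ["00gEXAMPLEGROUPID0000"]
    )
    print(json.dumps(rule, indent=2))
```

Users with zero or multiple AD assignments will not match a rule built this way, because findDirectoryUser() returns null for them as described in the note above.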
