How to Remove Deactivated Users from All Groups Using Okta Workflows
Okta Classic Engine
Okta Identity Engine
Workflows

Overview

This article teaches how to remove deactivated users from all groups using Okta Workflows.

 

Solution

The automation has three flows:

 

  1. List users: this flow lists all deactivated users and passes them to a helper flow.
  2. Remove user: this flow removes the user from each group.
  3. List user groups: this flow lists all groups for each deactivated user and passes them to a helper flow.

 

List users flow

The List users flow lists all deactivated users and passes them to a helper flow.

 


List deactivated users.

 

How the flow works

  1. The flow runs on a schedule.
  2. The Okta-List Users with Search card lists all users with a status of DEPROVISIONED. It uses the streaming option, passing each user to the List user groups helper flow.

 

List user groups flow

The List user groups flow lists all groups for each deactivated user and passes them to a helper flow.

 


List user groups.

 

How the flow works

  1. Since the main flow uses streaming, the Helper Flow card sets up the Record and State fields. Learn how to stream records to a helper flow.
    • The Record object holds each user object passed from the main flow. The Record extracts the ID property from the user JSON object.
  2. The Okta-Get Users Groups card lists all of the user's groups. It uses the streaming option, passing each group to the Remove user helper flow. The card also passes the User ID to the helper flow using the State field.

 

Remove user flow

The Remove user flow removes the user from each group.

 


List user groups.

 

How the flow works

  1. Since the List user groups flow uses streaming, the Helper Flow card sets up the Record and State fields.
    • The Record object holds each group object passed from the helper flow. The Record extracts two properties from the group JSON object: ID and Profile.Name.
    • The State object holds the User ID passed from the List user groups flow.
  2. The Branching-Continue If card checks that the group name is not equal to Everyone. The Everyone group is managed by Okta and cannot be modified. If the group is Everyone, the flow stops with the message: “Can’t remove from the Everyone group.”
  3. The Okta-Remove User from Group card removes the user from the group using the Group ID and User ID.
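
The three flows amount to a nested loop with one guard. The sketch below is an added example, not Okta's code or part of the original article: it replays the same logic in Python over constructed in-memory data (every ID and group name is made up), with a dry-run mode and a post-run check for memberships that deactivated users still hold.

```python
# Added example: the three flows as plain Python over constructed data.
# Object shapes mimic Okta user/group JSON; all IDs and names are made up.
USERS = [
    {"id": "00u1", "status": "DEPROVISIONED"},
    {"id": "00u2", "status": "ACTIVE"},
    {"id": "00u3", "status": "DEPROVISIONED"},
]
GROUPS = {
    "00g0": {"id": "00g0", "profile": {"name": "Everyone"}},
    "00g1": {"id": "00g1", "profile": {"name": "Finance"}},
    "00g2": {"id": "00g2", "profile": {"name": "VPN Admins"}},
}

def sample_members():
    """Fresh group-id -> set of member user-ids (constructed)."""
    return {"00g0": {"00u1", "00u2", "00u3"}, "00g1": {"00u1", "00u2"}, "00g2": {"00u3"}}

def list_deactivated_users(users):
    """List users flow: stream users whose status is DEPROVISIONED."""
    return (u for u in users if u["status"] == "DEPROVISIONED")

def list_user_groups(user_id, members):
    """List user groups flow: snapshot of every group the user is in."""
    return [GROUPS[g] for g in sorted(members) if user_id in members[g]]

def remove_user(group, user_id, members, dry_run):
    """Remove user flow: Continue If name != Everyone, then remove."""
    if group["profile"]["name"] == "Everyone":
        return "skipped"  # Okta-managed group, cannot be modified
    if not dry_run:
        members[group["id"]].discard(user_id)
    return "removed"

def run(users, members, dry_run=True):
    """Chain the flows; return an audit log of (user, group, outcome)."""
    log = []
    for user in list_deactivated_users(users):  # Record = user object
        for group in list_user_groups(user["id"], members):  # State = user ID
            outcome = remove_user(group, user["id"], members, dry_run)
            log.append((user["id"], group["profile"]["name"], outcome))
    return log

def residual_memberships(users, members):
    """Post-run check: memberships deactivated users still hold."""
    return [(u["id"], g["profile"]["name"])
            for u in list_deactivated_users(users)
            for g in list_user_groups(u["id"], members)
            if g["profile"]["name"] != "Everyone"]
```

Running `run()` with `dry_run=True` first gives a reviewable list of the memberships the scheduled flow would remove, and an empty `residual_memberships()` result afterwards confirms that only Everyone remains.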

 
