How to Use the Optional JIT Setting Group Assignments with Entra ID IdP
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article shows how to use the optional Just-In-Time (JIT) setting for the Microsoft Entra ID Identity Provider (IdP) called "Group Assignments" to set up a full sync of groups from Entra ID to Okta. When properly configured, this allows Okta users to be assigned automatically to the groups imported from Entra ID into Okta. Using this feature requires that JIT is configured for the Entra IdP.

Applies To
  • Microsoft Entra ID (formerly Azure Active Directory)
  • Identity Provider (IdP)
Solution

Configuring the full group sync requires some setup from within the Okta Admin Dashboard and Microsoft Entra ID.

NOTE: The Full Sync of Groups removes users from groups in Okta that are not in the inbound SAML. Another technique to achieve a similar result is to use the "Add User to Missing Groups" option (not covered in this article).

 

Configuring Full Group Sync for Entra ID IdP in Okta

  1. Log in to the Okta Admin Dashboard and navigate to Security > Identity Providers.

  2. Click on the Configure dropdown menu for the Entra IdP entry and select Configure Identity Provider.

(Screenshot: Identity Providers)

  3. Scroll down to the JIT Settings heading and find the Group Assignments dropdown menu.

  4. Select Full sync of groups, and two new fields will appear below the Group Assignments field: SAML Attribute Name and Group Filter.

    NOTE: Groups entered in the Group Filter field must already exist in Okta, or the sync will not function properly.

(Screenshot: New fields)

  5. Enter the group claim for the SAML Attribute Name. To get the group claim, follow the instructions under How to Find the SAML Attribute Name below. The most common claim name for Entra ID groups is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

  6. Create Okta groups named after the Entra ID Group ID of the groups that need to be synchronized to Okta. To find the Entra ID Group ID, follow the instructions under How to Find the Group ID of the Groups in Entra ID below.

(Screenshot: Groups)

  7. Enter the Group Filter values based on the Group ID of the groups that are being synced from Entra ID.

    NOTE: Groups entered in this field must already exist in Okta, or the sync will not function properly.

(Screenshot: Group Filter)

  8. Click the Update Identity Provider button to start the full sync.
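As an added illustration (not Okta's code and not part of the original article), the script below models what the configuration above does at login: it pulls the group claim out of a constructed SAML assertion using the attribute name from the SAML Attribute Name step, checks that every Group Filter entry exists as an Okta group, and computes the user's membership under Full sync of groups. The object IDs, group names and the exact reconciliation rules are assumptions made for this model.

```python
import xml.etree.ElementTree as ET

# Claim name Entra ID emits for a "Group ID" group claim (from the article)
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment; the object IDs are made up
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_ids_from_assertion(xml_text, attribute_name=GROUPS_CLAIM):
    """Return the set of group object IDs carried in the named SAML attribute."""
    root = ET.fromstring(xml_text)
    ids = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                ids.add((value.text or "").strip())
    return ids


def full_sync(asserted_ids, group_filter, okta_groups, current_membership):
    """Model the user's post-login groups under "Full sync of groups".

    Assumptions of this model (not Okta's implementation): only groups listed
    in the Group Filter are managed, and each must exist in Okta (the article
    says the sync will not function otherwise, reported here as an error).
    Managed groups present in the assertion are added, managed groups absent
    from it are removed, and unmanaged groups are left untouched.
    """
    managed = set(group_filter)
    missing = managed - set(okta_groups)
    if missing:
        raise ValueError("Group Filter entries missing in Okta: %s" % sorted(missing))
    unmanaged = set(current_membership) - managed
    return unmanaged | (managed & set(asserted_ids))


if __name__ == "__main__":
    asserted = group_ids_from_assertion(SAMPLE_ASSERTION)
    okta = {"11111111-aaaa-4bbb-8ccc-000000000001",
            "11111111-aaaa-4bbb-8ccc-000000000003", "Everyone"}
    flt = ["11111111-aaaa-4bbb-8ccc-000000000001", "11111111-aaaa-4bbb-8ccc-000000000003"]
    print(sorted(full_sync(asserted, flt, okta, {"Everyone", flt[1]})))
```

In the sample run the user keeps "Everyone" (not managed by the filter), is added to group ...0001 (in the filter and in the assertion), is removed from group ...0003 (in the filter but not in the assertion), and is not added to ...0002 because it is not in the filter.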

 

Testing the Full Group Sync

  1. To test the full sync of groups configuration that was just completed, sign in to Office 365 with a user who belongs to one of the groups included in the Group Filter field.

(Screenshot: Microsoft sign-in screen)

  2. Once on the Office 365 Dashboard, navigate to Apps > All Apps and click on the Okta app.

  3. Look up the user in Okta. Their profile will show that it is sourced from the IdP, and the user will already be assigned to the synchronized groups.

(Screenshot: User profile)

NOTE: The Okta groups must be named with the Group ID, which can cause some confusion because Group IDs are not meant to be human-readable. One way to resolve this would be to create a Group Rule that populates groups with more human-readable names based on membership in the Group ID groups. However, because Full Sync of Groups removes users from groups in Okta that are not in the inbound SAML assertion, another technique such as the "Add User to Missing Groups" option would be required for that approach. To find out more about Group Rules, read Create Group Rule.

 

How to Find the SAML Attribute Name

Configuring the full sync of groups requires that the SAML Attribute Name be defined; these steps show how to find that value within Microsoft Entra ID.

  1. Log in to the Entra ID admin console and click on Applications > Enterprise Applications.

  2. Find the Okta application and click on it. This guide assumes that Okta has already been configured as an app on the Entra ID side. To find out how to configure the Okta app in Entra ID, follow these instructions: Create the Okta enterprise app in Microsoft Entra ID.

(Screenshot: Find the Okta app)

  3. Click on the Single sign-on link.

(Screenshot: SSO link)

  4. Click on the Edit button next to the Attributes and Claims setting.

(Screenshot: Attributes and Claims setting)

  5. In the Attributes & Claims screen, click the + Add a group claim button.

  6. Select the Security groups radio button and the "Group ID" Source attribute (this is the default selection).

(Screenshot: Group claims)

  7. Click the Save button to save the changes.

  8. Copy the Claim name value of the new group claim that was just created.

(Screenshot: Attributes and Claims)

 

 

How to Find the Group ID of the Groups in Entra ID

Configuring the full sync of groups requires that the Entra ID Group ID be identified and entered in the Group Filter field. These steps outline how to find the Group ID.

  1. To find the Entra ID Group ID, go to the Entra ID admin console and navigate to Entra ID > Groups > All groups.

  2. The Entra ID Group ID is the value listed in the Object ID column of the All groups page.

(Screenshot: Object ID column of the All groups page)

 
