"HTTP 403 Forbidden" Error for OAuth 2.0-based Group Push Provisioning
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

This article clarifies how to resolve an error encountered when performing a group push between organizations. The following error message appears during the provisioning process:

 

Failed on 03-24-2025 05:48:01AM UTC: Unable to update Group Push mapping target App group a new group: Error while creating user group a new group: HTTP 403 Forbidden

 


Applies To
  • OAuth 2.0
  • Okta Org2Org
  • Hub and Spoke Orgs
  • Group Push
Cause

The service application used for provisioning lacks the required administrative permissions to create groups in the target organization. Only Super Administrators or Organization (Org) Administrators possess the necessary permissions to perform this action. 

Solution

To resolve the forbidden error, configure an API Service application in the target organization and assign the required administrative roles and scopes.

 

Step 1: Create an API Service App in the Target Organization

  1. In the target organization, go to Applications > Applications.
  2. Select Create App Integration.
  3. Select API Services and click Next.
  4. Enter an application name and click Save.

 

Step 2: Assign Administrative Roles

  1. In the new API Service app, navigate to the Admin roles tab.
  2. Click Edit assignments.
  3. Select Super Admin or Org Admin from the Role dropdown menu.
  4. Click Save Changes.

 

Step 3: Grant API Scopes

  1. Navigate to the Okta API Scopes tab of the API Service app.
  2. Locate and click Grant for the following scopes:
    • okta.groups.manage
    • okta.users.manage (required if provisioning users)

 

Step 4: Configure Provisioning in the Source Organization

  1. In the source organization, navigate to the Okta Org2Org application.
  2. Select the Provisioning tab and click Integration.
  3. Click Configure API Integration and select Enable API integration.
  4. Set the Authentication Scheme to OAUTH Auto-Rotation.
  5. Provide the Client ID, Client Secret, and Token Endpoint from the API Service app created in the target organization.
  6. Click Save.
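
After Steps 2 and 3, a preflight check can tell which of the two prerequisites is still missing before Group Push is retried. The following is an added example, not Okta's own code. It assumes the role list and scope grant list for the service app have already been fetched from the target organization as JSON; the endpoint paths in the docstring, the field names, and the sample records are assumptions to confirm against Okta's API reference.

```python
"""Preflight check for an Org2Org Group Push service app (added example)."""

# Requirements taken from Steps 2 and 3 of this article.
ACCEPTED_ROLES = {"SUPER_ADMIN", "ORG_ADMIN"}
REQUIRED_SCOPES = {"okta.groups.manage"}
USER_SCOPES = {"okta.users.manage"}  # only needed when users are provisioned


def check_service_app(roles, grants, provisions_users=False):
    """Return a list of findings; an empty list means the app is ready.

    roles  -- parsed JSON, assumed from GET /oauth2/v1/clients/{clientId}/roles
    grants -- parsed JSON, assumed from GET /api/v1/apps/{appId}/grants
    """
    findings = []

    # Only roles that are currently active count toward the requirement.
    active_roles = {
        r.get("type") for r in roles if r.get("status", "ACTIVE") == "ACTIVE"
    }
    if not active_roles & ACCEPTED_ROLES:
        findings.append("no Super Admin or Org Admin role assigned (Step 2)")

    # A scope that is merely listed but not granted does not appear here.
    granted = {
        g.get("scopeId") for g in grants if g.get("status", "ACTIVE") == "ACTIVE"
    }
    needed = REQUIRED_SCOPES | (USER_SCOPES if provisions_users else set())
    for scope in sorted(needed - granted):
        findings.append(f"scope {scope} not granted (Step 3)")
    return findings


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_ROLES = [{"id": "ra-example", "type": "HELP_DESK_ADMIN", "status": "ACTIVE"}]
SAMPLE_GRANTS = [
    {"id": "oag-example-1", "scopeId": "okta.groups.manage", "status": "ACTIVE"},
    {"id": "oag-example-2", "scopeId": "okta.users.read", "status": "ACTIVE"},
]

if __name__ == "__main__":
    for finding in check_service_app(SAMPLE_ROLES, SAMPLE_GRANTS, provisions_users=True):
        print("MISSING:", finding)
```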

