Okta Group Push Fails to Update Inactive or Unassigned Users in Downstream Applications
Last Updated:
Overview
Okta Group Push fails to update inactive or unassigned users in downstream applications because the default behavior targets only active application user profiles. Resolve this issue by manually managing the user in the downstream application, updating the Okta group before deactivation, or temporarily reactivating the user. Group memberships remain unrevoked and unmanaged for users who are no longer assigned to the application in Okta or are deactivated in the downstream application.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Group Push
- Application User Management
Cause
The default behavior of Group Push targets only active application user profiles.
Solution
What are the manual workarounds for updating inactive or unassigned users?
Resolve the issue by manually managing the user in the downstream application, updating the Okta group before deactivation, or temporarily reactivating the user.
- Manually add or remove the user from the group directly within the downstream application.
- Add or remove the application user from the Okta group before deactivating the user.
- Temporarily reactivate the application user before performing the Group Push operation.
NOTE: If manual workarounds are not feasible, contact Okta Support to enable a feature flag that modifies the default behavior to allow group pushes to occur for application user profiles marked as inactive.
