Okta Push Group to Active Directory Fails With "Access is denied" Error
Overview

Okta is unable to create or update a Push Group in Active Directory (AD) when the Okta AD Agent service account lacks sufficient permissions; the issue is resolved by granting the service account specific object and attribute rights. The following error messages occur during the provisioning or update process:

  • Error provisioning AD group: Access is denied.
  • Error updating AD group: Access is denied.

[Figure: Push Groups AD Error]

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Group Push
Cause

By default, the Okta AD Agent service account does not have the permissions required to create and delete group objects or write group attributes. Group Push to AD fails unless the service account has permissions to manage these objects and their associated metadata within the target environment.

Solution

How is the AD group push "Access is denied" error resolved?

The following steps define the permissions the Okta AD Agent service account needs on the target Organizational Unit (OU) or Container (CN).

  1. Ensure the Okta AD Agent service account has "Create" and "Delete" permissions for group objects.
  2. Verify the account has "Write" permissions for the following group attributes:
    • sAMAccountName
    • description
    • groupType
    • member
    • cn
    • name

NOTE: For details on configuring granular permissions on the service account, refer to Okta service account permissions. Alternatively, promote the Okta AD Agent service account to a Domain Admin to ensure the necessary permissions are assigned.
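The following PowerShell script is an added example (not Okta's own tooling) that grants exactly the rights listed in steps 1 and 2 to the service account on one target OU, as the least-privilege alternative to the Domain Admin route. It assumes the ActiveDirectory module is available and that the account name and OU distinguished name are placeholders to replace.

```powershell
# Added example: grant the Okta AD Agent service account the rights from steps 1 and 2
# on a single OU. Account and OU values below are placeholders, not values from the article.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-okta-agent'                 # placeholder: the agent's service account
$TargetOU       = 'OU=Okta Groups,DC=corp,DC=example'   # placeholder: OU that receives pushed groups
$Attributes     = 'sAMAccountName', 'description', 'groupType', 'member', 'cn', 'name'

# Look up schemaIDGUIDs from the live schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$groupClassGuid = Get-SchemaGuid 'group'
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"

# Step 1: Create and Delete child objects of class "group" in the OU and its sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $groupClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Step 2: Write each listed attribute, scoped to descendant objects of class "group" only.
foreach ($attr in $Attributes) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupClassGuid)))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: list the ACEs now granted to the service account on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account that already holds Write DACL on the target OU; the verification query at the end should show one CreateChild/DeleteChild entry and six WriteProperty entries for the service account.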
