<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Remove User from App When Assigned to Group in Workflows
Oct 24, 2025
Okta Classic Engine
Okta Identity Engine
Workflows

Overview

This article teaches how to remove a user from an app when the user is assigned to a group in Okta Workflows.

 

Solution

This flow runs when a user is assigned to a group. The flow then removes a user from an app assignment.


Flow to remove a user from an app.

 

How the flow works

 

  1. The flow runs when a user is added to a group (the Okta-User Added to Group card event).
  2. This flow will run only for a particular group. The Branching-Continue If card checks the group name. The flow continues if the group is correct.
  3. The Okta-Remove from Application card removes the user from direct app assignment (since the application is assigned to the group).
    • The Okta-Remove from Application card is configured with a particular application in the card's Options. In this flow, the application is Salesforce.


Use an event hook

The Branching-Continue If card checks if a user has been added to the correct group, but the flow will still run whenever a user is added to any group.

 

Another solution is to use an event hook. An event hook (with a filter) allows you to check the group name before triggering a flow. This way, the flow will run only when the group matches.

 

To learn about event hook filtering, see: Okta Workflows Tutorial: Notify When a User is Added to a Group (with Event Hook filtering)

 


Flow to remove a user from an app via an event hook.

 

How the flow works

 

  1. The On Demand-API Endpoint card allows invoking this flow with an API endpoint.
  2. The Object-Get card extracts the user ID.
  3. The Okta-Remove from Application card removes the user from direct app assignment.

This event hook will run when a User is added to group event fires. It invokes the API set in the Endpoint URL field, which is the API to invoke the flow.

 


Event hook.

 

The event hook has a filter to match the group. This prevents the event hook (and flow) from running on any new user added to the group event.

 


Event hook filter.

 

Related References

 

 

Recommended content

Still looking for help?
Loading
Remove User from App When Assigned to Group in Workflows