Retain Active Directory Groups in Okta Before Disconnecting the AD Instance
Overview

Active Directory (AD) app groups do not persist when an administrator deactivates or deletes the AD integration. When an administrator deactivates any profile source application, Okta removes the previously imported app groups. To retain existing groups before disconnecting an AD instance, administrators must create Okta groups and populate them using group rules that match AD group membership.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Directories
  • Groups
Cause

When an administrator deactivates or deletes any profile source application from Okta, Okta removes the previously imported app groups from that application. Okta treats AD integrations as applications, resulting in identical behavior. When an administrator deactivates the AD integration, Okta automatically deselects all connected Group Organizational Units (OUs) and removes all previously imported groups.

Solution

How does an administrator retain Active Directory groups in Okta when disconnecting the AD instance?

Okta cannot convert app groups directly into Okta groups. To retain identical group names and memberships in Okta before decommissioning or disconnecting an AD instance, an administrator must create a new Okta group. Additionally, administrators must manually recreate any application or policy assignments from the AD group on the new Okta group. Once Okta populates the group and administrators recreate the assignments, administrators can safely disconnect the AD instance without losing the group structure.


Follow these steps to create and populate an Okta group using AD group membership:

  1. Select Add Group to create an Okta group with a name identical to the outgoing AD group.

[Screenshot: Add Group]

  2. Select Add Rule to populate the group with a group rule that uses the AD group membership as the criteria.

[Screenshot: Add Rule]

  3. After the group rule activates and populates the new Okta group, deactivate it.

NOTE: Administrators must deactivate the group rule before disconnecting the AD instance. If the rule remains active when the instance is disconnected or the AD group is deleted, Okta re-evaluates the rule, the users no longer match its criteria, and Okta removes them from the new Okta group.

  4. Remove the AD group from Okta or safely disconnect the AD instance.
