Okta Classic Engine · Administration · Answered · 2025-06-14T10:29:51.000Z · 2016-07-07T22:42:41.000Z
Can I create one Okta group out of multiple AD and multiple Okta groups?
Hello,

 

We have a need to create one Okta group out of the members of multiple Active Directory groups and multiple Okta groups.

 

For example, populate Okta group TEST_All with all members from AD_Group1, AD_Group2, Okta_Group1, and Okta_Group2. 

We also want the following to occur automatically:

- Adding a new user to AD_Group1 should add to TEST_All

- Adding a new user to Okta_Group2 should add to TEST_All

- Removing a user from AD_Group2 should remove from TEST_All

- Removing a user from Okta_Group2 should remove from TEST_All

Currently, we are accomplishing this via PowerShell scripts.

 

Can all the above be managed via Group Membership rules? Is there a limit to the number of groups used?

 

Thanks,

Katie

  • JP Manansala (Okta, Inc.)

    Hi Katie,

     

    Thanks for posting your inquiries in Okta Community.

     

    We have a different approach on this scenario:

     

    1. Use the default "Everyone" Okta Group

     

    2. Managing Group Membership from your AD

       *Okta currently does not support nested groups

       *Okta will extract all users in nested groups within a group membership

     

    3. Create multiple "Group Membership Rule" defining your User Attributes through the Expression Builder or Expression Editor and assign them to a particular Group that you have created

     

    Please refer to the link below for more detailed information.

     

    https://support.okta.com/help/articles/Knowledge_Article/92113353-Importing-and-Using-Groups-in-Okta

     

    Please let me know if you need any additional information. Thank you.

     

    Best,

     

    JP
  • 65rbr (65rbr)

    Hello JP,

     

    We have over 40 Active Directories managed by our distributors and over 40 other distributors managed directly in Okta. We control permissions in multiple applications based on AD or Okta group assignments.

     

    PowerShell scripts are being used to populate one Okta group based on over 80 of these group assignments (both AD and Okta). For example, Distributor_Sales should be populated with anyone in groups XX_Sales, YY_Sales, and ZZ_Sales, regardless of AD or Okta groups.

     

    Thanks,

    Katie
  • miqxq (miqxq)

    Our environment is nowhere near the size of what Katie is talking about, but we do something similar, albeit exclusively with AD groups.

     

    We use nested AD groups like so: App is assigned a single AD group. Groups nested in that group show up on the Okta side as being direct members of this group and that's fine. This gives us some flexibility in that we can assign - we can add entire departmental groups (i.e. Sales) to the App Group then for one-offs -- we add people directly to the App Group. Aside from the one-offs - which we need a ticket for SOX compliance anyhow, the assignments are mostly done via PowerShell. We are WDaaM so we use a lot of Workday attributes pushed to Okta->AD (location, cost center, title, etc.) to add users to appropriate groups. I am currently working on pushing location-based groups to Google Apps so that gets automated as well.
This question is closed.
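
The union-style sync described in this thread (TEST_All built from AD_Group1, AD_Group2, Okta_Group1 and Okta_Group2), as an added example that is not part of the original posts and not Okta's code. It only plans the adds and removes; `Get-GroupSyncPlan`, its parameters and the sample logins are hypothetical, and the caller is assumed to have already read each group's members from AD or Okta.

```powershell
# Added example: plans membership changes for a target group that must equal
# the union of several source groups. Function name, parameters and sample
# logins are hypothetical; fetching members from AD or Okta is out of scope.
function Get-GroupSyncPlan {
    param(
        [Parameter(Mandatory)] [hashtable] $SourceGroups,  # name -> logins; $null = read failed
        [string[]] $CurrentTargetMembers = @(),
        [double] $MaxRemovalFraction = 0.25                # guard against mass removal
    )
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $desired = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($name in $SourceGroups.Keys) {
        # A failed read must not look like an empty group, or every member
        # sourced from it would silently lose access.
        if ($null -eq $SourceGroups[$name]) {
            throw "Source group '$name' could not be read; no changes planned."
        }
        foreach ($login in $SourceGroups[$name]) { [void]$desired.Add($login) }
    }
    $current = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($login in $CurrentTargetMembers) { [void]$current.Add($login) }

    # A user is removed only when no source group contains them any more.
    $toAdd    = @($desired | Where-Object { -not $current.Contains($_) } | Sort-Object)
    $toRemove = @($current | Where-Object { -not $desired.Contains($_) } | Sort-Object)

    if ($current.Count -gt 0 -and ($toRemove.Count / $current.Count) -gt $MaxRemovalFraction) {
        throw "Plan removes $($toRemove.Count) of $($current.Count) members; review before applying."
    }
    [pscustomobject]@{ Add = $toAdd; Remove = $toRemove }
}

# Constructed sample: bob has left AD_Group2 but is still in Okta_Group1, so he
# stays in TEST_All; dave is in no source group; erin is new in Okta_Group2.
$sources = @{
    AD_Group1   = @('alice@example.com')
    AD_Group2   = @('carol@example.com')
    Okta_Group1 = @('bob@example.com', 'Alice@example.com')
    Okta_Group2 = @('erin@example.com')
}
$testAllNow = 'alice@example.com', 'bob@example.com', 'carol@example.com', 'dave@example.com'
$plan = Get-GroupSyncPlan -SourceGroups $sources -CurrentTargetMembers $testAllNow
"Add:    $($plan.Add -join ', ')"
"Remove: $($plan.Remove -join ', ')"
```

Because these groups control application permissions, the plan fails closed: an unreadable source group or an unusually large removal set stops the run instead of being applied.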