<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D51Y00006qaqZOSAYOkta Classic EngineLifecycle ManagementAnswered2024-04-15T11:47:37.000Z2019-10-25T12:20:06.000Z2019-11-09T02:54:39.000Z

i0i4e (i0i4e) asked a question.

October 25, 2019 at 12:20 PM
Any way to automate removal from a group?

Okta has great rules for adding users to groups, but there's no rules to REMOVE a user from a group. Ex. if a user's Department ISN'T Sales or DOES NOT CONTAIN Marketing, remove them from the group.

 

My organization is organizing users by Groups, and when users are moving between departments, we need to automate group moves. It is easy enough to add the user to their new group via automation, but impossible to remove them from their old group, from what I see. I'd automate this through Google, but even with Enhanced Push, Google's group membership doesn't sync back to Okta Groups.

  • 3 answers
  • 3.74K views

  • OktaU.83617 (Florida Cancer Specialists)

    Hi Bobby,

    As far as I'm aware not even Okta LCM can handle that. It can only remove from groups Okta had already added the user to. For full deprovisioning I'm 90% you'll need to rely on Event Hooks and possibly PowerShell, AD Manager or some other AD scripting. I say 90% because I sure don't know everything and I asked this question to the Okta Sales Engineer prior to our purchase and this is what was suggested.

    Expand Post
    Selected as Best

  • OktaU.83617 (Florida Cancer Specialists)

    Daniel, with Okta group rules, if the user no longer meets the rule criteria you've configured then they are automatically removed from the group. You do not need a second rule to remove them when another rule has already added them. Think of it as "while true - user is in this group. Else not in this group".

  • BobbyK.00672 (Lucidworks)

    @Matt - I have the same question as Daniel. I want to remove users from all the Okta groups when their account has been deactivated. The rule does not account for that. Basically a rule that said IF Status is Deactivated THEN Remove from All Groups

  • OktaU.83617 (Florida Cancer Specialists)

    Hi Bobby,

    As far as I'm aware not even Okta LCM can handle that. It can only remove from groups Okta had already added the user to. For full deprovisioning I'm 90% you'll need to rely on Event Hooks and possibly PowerShell, AD Manager or some other AD scripting. I say 90% because I sure don't know everything and I asked this question to the Okta Sales Engineer prior to our purchase and this is what was suggested.

    Expand Post
    Selected as Best
This question is closed.
Loading
Any way to automate removal from a group?