ww1vh (ww1vh) asked a question.
Hi all,
Apologies for the rookie question, but when I create a user, they seem to be automatically pulled to an Office 365 group, and I can't figure out why. It is an "assigned" access group, so there are no dynamic rules at play, and the audit logs point to the okta-integration address making those changes. Any place I should look to see what's going on?
Thanks.
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
@ww1vh (ww1vh) -- Is it an APP group or an Okta group? If it is an APP group it is likely just part of your provisioning mirroring the members of the group that was pulled in from O365.
If it was performed by a group rule the following query in your system log should help you identify it:
eventType eq "group.user_membership.rule.trigger" and target.id eq "00gfbuneiyuz3bfSK5d7"
(Replace the bold "id" above with the "id" of the Group in your question)
To get the ID just navigate to the group in the UI. Then in your browser the URL portion bolded below is the ID:
https://YourSubDomain.okta.com/admin/group/00gfbuneiyuz3bfSK5d7
@TimL.58332 (Workflows) Honestly, I have no idea - I've tried looking at every related group I can, and have no found any sort of connection to O365. And that group ID comes from the one in O365, right?
@ww1vh (ww1vh) -- In Okta Admin UI - Directory > Groups you should be able to toggle between Okta / App groups. If the group in question is an app group the Provisioning settings may apply and be doing the "user add to group". If it is an "Okta" group then it is likely a group rule and the query I provided previously will allow you to identify if a Group Rule is involved.
The only group that 100% all users are added to is the Okta built-in group Everyone. Everything else requires some actions for assignment to the resource.
Just to add to this. It is also possible you have some other automation setup that is adding users to a group. For example if you had an Event Hook delivery occurring as part of the user creation process that is sent to an automation platform (Such as Okta Workflows) and it was configured to add users to other resources (such as a group), it could also be the root of the change. These types of mysteries definitely occur if you are newly taking over management of resources and were not part of the initial build-out.
@TimL.58332 (Workflows) Would that be something inside of the Workflow Console? Taking a quick glance at the "Workflow > Automations" page, it seems there is nothing but a test one built out, and that one is not active.
@ww1vh (ww1vh) -- This would be Workflow > Workflows console if you environment has the product. If you don't then this definitely wouldn't be the automation tool that potentially "could" cause group adds.