<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AHWPxFCQXOkta Classic EngineAuthenticationAnswered2024-10-31T17:01:50.000Z2024-10-28T15:27:32.000Z2024-10-31T17:01:50.000Z

User17082594200423445032 (Customer) asked a question.

October 28, 2024 at 3:27 PM
Okta Not Updating User Group Claims from Microsoft Entra ID

I'm facing an issue with group claim synchronization between Microsoft Entra ID and Okta.

When a user's group memberships is removed in Entra ID, the changes are not reflected in the user's Okta profile, the updates are not propagating to the user's Okta account. The group claims in Okta remain the same as the initial provisioning, even though the source data in Entra ID has changed.

Any guidance or suggestions would be greatly appreciated. I want to make sure the users have the correct groups mappings across both Okta and Entra ID.

  • 3 answers
  • 483 views

  • paul.stiniguta1.508386743840768E12 (Okta, Inc.)

    Hello @User17082594200423445032 (Customer)​ Thank you for posting on our Community page!

     

    Group membership will not change in Okta, unless you have EntraID setup as an IDP in Okta. Also this change will take effect once the users logs in into Okta though EntraID.

    If you have setup Office365 in Okta, you can setup provisioning and group Push and dictate the groups from Okta to Entra, however provisioning does not also sync info from Entra to Okta.

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Ask Us Anything about Workflows now thru 10/31

    Expand Post
    Selected as Best

  • paul.stiniguta1.508386743840768E12 (Okta, Inc.)

    Hello @User17082594200423445032 (Customer)​ Thank you for posting on our Community page!

     

    Group membership will not change in Okta, unless you have EntraID setup as an IDP in Okta. Also this change will take effect once the users logs in into Okta though EntraID.

    If you have setup Office365 in Okta, you can setup provisioning and group Push and dictate the groups from Okta to Entra, however provisioning does not also sync info from Entra to Okta.

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Ask Us Anything about Workflows now thru 10/31

    Expand Post
    Selected as Best

    • User17082594200423445032 (Customer)

      The pattern I observed is related to all custom claims:

      If the attribute value changes to a new non-empty value in Entra ID, it properly updates in Okta upon next login through Entra ID

      However, if the attribute value is completely removed in Entra ID, the old value persists in Okta even after the user logs in again to Okta through Entra ID.

       

      For example:

      Initial login: Attribute X = "Value1" in Entra ID → properly sets in Okta

      Change to "Value2" in Entra ID → updates correctly in Okta on next login

      Remove value completely in Entra ID → Okta keeps showing "Value2" instead of clearing it

       

      Is this expected behavior? What are the recommended approaches to handle scenarios where we need to ensure attribute values are properly cleared in Okta when they're removed from Entra ID?

      Expand Post
This question is closed.
Loading
Okta Not Updating User Group Claims from Microsoft Entra ID