Okta Not Updating User Group Claims from Microsoft Entra ID

User17082594200423445032 (Customer) asked a question.

October 28, 2024 at 3:27 PM

I'm facing an issue with group claim synchronization between Microsoft Entra ID and Okta.

When a user's group memberships is removed in Entra ID, the changes are not reflected in the user's Okta profile, the updates are not propagating to the user's Okta account. The group claims in Okta remain the same as the initial provisioning, even though the source data in Entra ID has changed.

Any guidance or suggestions would be greatly appreciated. I want to make sure the users have the correct groups mappings across both Okta and Entra ID.

Authentication

Top Rated Answers

Paul S. (Okta, Inc.)
2 years ago
Hello @User17082594200423445032 (Customer) Thank you for posting on our Community page!

Group membership will not change in Okta, unless you have EntraID setup as an IDP in Okta. Also this change will take effect once the users logs in into Okta though EntraID.
If you have setup Office365 in Okta, you can setup provisioning and group Push and dictate the groups from Okta to Entra, however provisioning does not also sync info from Entra to Okta.

Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Ask Us Anything about Workflows now thru 10/31
Expand Post
Selected as Best

All Answers

Paul S. (Okta, Inc.)
2 years ago
Hello @User17082594200423445032 (Customer) Thank you for posting on our Community page!

Group membership will not change in Okta, unless you have EntraID setup as an IDP in Okta. Also this change will take effect once the users logs in into Okta though EntraID.
If you have setup Office365 in Okta, you can setup provisioning and group Push and dictate the groups from Okta to Entra, however provisioning does not also sync info from Entra to Okta.

Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Ask Us Anything about Workflows now thru 10/31
Expand Post
Selected as Best
- User17082594200423445032 (Customer)
  Edited October 30, 2024 at 9:03 AM
  The pattern I observed is related to all custom claims:
  If the attribute value changes to a new non-empty value in Entra ID, it properly updates in Okta upon next login through Entra ID
  However, if the attribute value is completely removed in Entra ID, the old value persists in Okta even after the user logs in again to Okta through Entra ID.
  
  For example:
  Initial login: Attribute X = "Value1" in Entra ID → properly sets in Okta
  Change to "Value2" in Entra ID → updates correctly in Okta on next login
  Remove value completely in Entra ID → Okta keeps showing "Value2" instead of clearing it
  
  Is this expected behavior? What are the recommended approaches to handle scenarios where we need to ensure attribute values are properly cleared in Okta when they're removed from Entra ID?
  Expand Post
  - Paul S. (Okta, Inc.)
    2 years ago
    Hello @User17082594200423445032 (Customer) That is expected behaviour, when the value of an attribute is changed to null after it had a value, in Okta that last value updated will still persist.
    Expand Post

This question is closed.

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies