
Naga KishoreI.14293 (Customer) asked a question.
Hi Everyone,
I am facing an issue in an Okta Workflow where we are trying to add/remove AD group membership using the "/api/v1/directories/{source_id}/groups/modify" (https://developer.okta.com/docs/api/openapi/okta-management/management/tag/DirectoriesIntegration/) Okta API. We have ensured that the following are configured:
The Okta Workflows OAuth app has the "okta.directories.groups.manage" scope granted.
The scope is also added to the Okta connection in the workflow.
The URL and payload are as expected.
The AD agent has delegated permissions on the OU to perform the operations.
However, we get a 403 Forbidden error when we try to access the API:
"body": { "errorCode": "E0000006", "errorSummary": "You do not have permission to perform the requested action", "errorLink": "E0000006", "errorId": "oaemPBbu9gpS3qoeaZZHCMS9g", "errorCauses": [] }, "message": "403 Forbidden", "code": 403, "description": "HTTP Request Error",
We thought that the connection was not picking up the new scope, so we tried to replicate this in a lower environment by running the flow without the scope assigned. There the error is also 403 Forbidden, but it is different from the above:
error=\"insufficient_scope\", error_description=\"The access token provided does not contain the required scopes.\"
So, I believe it is clearly not a scopes issue.
Can you please help me understand if I am missing something here?
Thanks

@Naga KishoreI.14293 (Customer) -- My last comment was incorrect as I spaced new functionality that is part of the Okta Identity Governance offering which is required for that endpoint to be available.
https://help.okta.com/en-us/content/topics/directory/ad-bidirectional-group-management.htm
https://iamse.blog/2024/08/07/active-directory-bidirectional-group-management/
So, it would be expected that any API client would fail to access that endpoint unless you have the premium IGA product (Okta Identity Governance) as part of your purchased offerings.
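The thread hinges on telling two different 403 responses apart: one where the access token lacks the scope (Okta reports this as `error="insufficient_scope"`) and one where the token is fine but the caller is not permitted to use the endpoint (body `errorCode` `E0000006`, here because the endpoint is gated behind Okta Identity Governance). The following is an added example, not code from the thread or from Okta, showing how a workflow or client can classify the two cases so it points the operator at the right check. The sample responses are constructed from the error strings quoted above; it assumes the `insufficient_scope` message arrives in a `WWW-Authenticate` Bearer challenge, and the org URL is a placeholder.

```python
import json
import re

# Constructed sample responses, modelled on the two 403 errors quoted in the thread.
# Case A: the JSON error object returned for the E0000006 case.
PERMISSION_DENIED = {
    "status": 403,
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({
        "errorCode": "E0000006",
        "errorSummary": "You do not have permission to perform the requested action",
        "errorLink": "E0000006",
        "errorId": "oaemPBbu9gpS3qoeaZZHCMS9g",  # errorId quoted in the question
        "errorCauses": [],
    }),
}

# Case B: the insufficient_scope case. Assumption: the message is carried in a
# WWW-Authenticate Bearer challenge; the org URL is a placeholder.
MISSING_SCOPE = {
    "status": 403,
    "headers": {
        "WWW-Authenticate": (
            'Bearer authorization_uri="https://example.okta.com/oauth2/v1/authorize", '
            'realm="https://example.okta.com", '
            'scope="okta.directories.groups.manage", '
            'error="insufficient_scope", '
            'error_description="The access token provided does not contain the required scopes."'
        )
    },
    "body": "",
}

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(value):
    """Split a 'Bearer k="v", k2="v2"' challenge into a dict (values may contain commas)."""
    return dict(_PAIR.findall(value))


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return ""


def classify_403(response):
    """Classify a 403 from the Okta management API into the two failure modes
    the thread contrasts, so automation knows which configuration to check."""
    if response["status"] != 403:
        return {"kind": "not_403"}

    # Scope problems are reported in the Bearer challenge, not in the JSON body.
    challenge = parse_bearer_challenge(_header(response["headers"], "WWW-Authenticate"))
    if challenge.get("error") == "insufficient_scope":
        return {
            "kind": "insufficient_scope",
            "required_scopes": challenge.get("scope", "").split(),
            "detail": challenge.get("error_description", ""),
            "next_check": "grant the scope on the OAuth app, add it to the Workflows "
                          "connection, then re-authorize the connection",
        }

    # Otherwise the token carried the scope; look at the Okta error object.
    try:
        body = json.loads(response["body"] or "{}")
    except json.JSONDecodeError:
        body = {}
    if body.get("errorCode") == "E0000006":
        return {
            "kind": "permission_denied",
            "error_id": body.get("errorId", ""),  # quote this when opening a support case
            "detail": body.get("errorSummary", ""),
            "next_check": "scopes are fine; verify the caller's admin role and that the "
                          "feature behind the endpoint is licensed (here: Okta Identity Governance)",
        }
    return {"kind": "unknown", "error_id": body.get("errorId", ""),
            "detail": body.get("errorSummary", "")}


if __name__ == "__main__":
    for sample in (MISSING_SCOPE, PERMISSION_DENIED):
        print(classify_403(sample))
```

Branching on the challenge header first matters: both cases share the status code, so a client that only looks at `403` will keep chasing scope configuration even when, as in this thread, the token already has the scope and the blocker is an entitlement on the endpoint.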