<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5KZ00000ufCVr0AMOkta Classic EngineAdministrationAnswered2025-06-04T14:51:24.000Z2025-06-03T14:27:58.000Z2025-06-04T14:51:24.000Z

yvgenyc.79398 (Customer) asked a question.

June 3, 2025 at 2:27 PM
Remove user from the last group doesn't work via SCIM

Does anybody familiar with this issue:

I add user to group in Okta -> user is correctly provisioned to my application.

Next step - I remove the user from that group in Okta. Important notice that this is the only one group user was a member of.

As a result I get PUT request on /Users, disabling user and PUT request on /Groups, where the user is still included in Members

  • 3 answers
  • 157 views

  • paul.stiniguta1.508386743840768E12 (Okta, Inc.)

    Hello @yvgenyc.79398 (Customer)​ Thank you for posting on our Community page!

     

    If a user is deactivated in Okta, the user is not removed from the group. User deactivation will retain the groups her has been assigned to.

    You can see this also here https://support.okta.com/help/s/article/Deactivated-Users-not-Removed-From-Okta-Groups-Automatically?language=en_US

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge

    Expand Post

  • yvgenyc.79398 (Customer)

    Hi @paul.stiniguta1.508386743840768E12 (Okta, Inc.)​. Thank you for your response.

    Please let me share the full scenario I tested. The user wasn't actually deactivated in Okta. I understand that removal from the last group removes user from the application and this is the reason for deactivation, but I still expect user to be removed from the group.

    1. Create group ycgr7 in Okta
    2. Assign group to application
    3. Push group in Okta.
    4. Create user ycu4 in Okta
    5. Assign ycu4 to yvgr7 in Okta.
    6. As a result I see on my end user ycu4 under group ycgr7
    7. Remove user from the group in Okta:
      1. 2025/06/03 18:05:08 method=GET path=/scim/v2/Users/16337 remoteAddr=54.71.214.179:5236 statusCode=200 responseBody=[{"active":true,"emails":[{"primary":true,"type":"work","value":"ycu4@gmail.com"}],"externalId":"00up0p36rjWXwsa0j5d7","id":"16337","meta":{"resourceType":"User"},"name":{"familyName":"ycu4","givenName":"ycu4"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"ycu4@gmail.com"}]
      2. 2025/06/03 18:05:08 method=GET path=/scim/v2/Groups/1349 remoteAddr=54.189.184.116:30850 statusCode=200 responseBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"meta":{"resourceType":"Group"},"displayName":"ycgr7","id":"1349","externalId":"","members":[{"value":"16337","display":"ycu4@gmail.com"}]}]
      3. 2025/06/03 18:05:08 method=GET path=/scim/v2/Groups/1349 remoteAddr=54.189.184.116:30850 statusCode=200 responseBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"meta":{"resourceType":"Group"},"displayName":"ycgr7","id":"1349","externalId":"","members":[{"value":"16337","display":"ycu4@gmail.com"}]}]
      4. 2025/06/03 18:05:09 method=PUT path=/scim/v2/Groups/1349 remoteAddr=54.189.184.116:30850 statusCode=200 requestBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"1349","displayName":"ycgr7","members":[{"value":"16337","display":"ycu4@gmail.com"}]}] responseBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"meta":{"resourceType":"Group"},"displayName":"ycgr7","id":"1349","externalId":"","members":[{"value":"16337","display":"ycu4@gmail.com"}]}]
      5. 2025/06/03 18:05:09 method=PUT path=/scim/v2/Users/16337 remoteAddr=54.71.214.179:5236 statusCode=200 requestBody=[{"active":false,"emails":[{"primary":true,"type":"work","value":"ycu4@gmail.com"}],"externalId":"00up0p36rjWXwsa0j5d7","id":"16337","meta":{"resourceType":"User"},"name":{"familyName":"ycu4","givenName":"ycu4"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"ycu4@gmail.com"}] responseBody=[{"active":false,"emails":[{"primary":true,"type":"work","value":"ycu4@gmail.com"}],"externalId":"00up0p36rjWXwsa0j5d7","id":"16337","meta":{"resourceType":"User"},"name":{"familyName":"ycu4","givenName":"ycu4"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"ycu4@gmail.com"}]
      6. 2025/06/03 18:05:09 method=GET path=/scim/v2/Groups/1349 remoteAddr=54.189.184.116:7100 statusCode=200 responseBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"meta":{"resourceType":"Group"},"displayName":"ycgr7","id":"1349","externalId":"","members":[{"value":"16337","display":"ycu4@gmail.com"}]}]
      7. 2025/06/03 18:05:10 method=PUT path=/scim/v2/Groups/1349 remoteAddr=54.189.184.116:7100 statusCode=200 requestBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"1349","displayName":"ycgr7","members":[{"value":"16337","display":"ycu4@gmail.com"}]}] responseBody=[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"meta":{"resourceType":"Group"},"displayName":"ycgr7","id":"1349","externalId":"","members":[{"value":"16337","display":"ycu4@gmail.com"}]}]

    As you can see the last request (7.7) preserves group membership for the user ycu4

     

    Expand Post
This question is closed.
Loading
Remove user from the last group doesn't work via SCIM