MarxW.15267 (Customer) asked a question.
Hi, we have a policy that restricts users from accessing downstream applications until their first day of work. Normally, we activate a user account a few days in advance so the user can set up their password and MFA. On the user’s first day, they are added to the group with application assignments via a workflow. This works well for new users.
However, for rehire users, the downstream applications are automatically reassigned when their previously deactivated accounts are reactivated. When termination, we always remove the user from the groups but it will still reassign as individual assignment after reactivated. As a result, I have to manually remove the application assignments after reactivation.
Could you please let me know whether this is expected behavior in Okta, or if it can be configured through any policies? Thank you for your help.
Hi @MarxW.15267 (Customer) , Thank you for reaching out to the Okta Community!
The described behavior is not expected. The removal from the Group should trigger app unassignment and unless there is a different configuration like Group Rules in place, the reactivated user should not be re-assigned.
We can provide general guidance and documentation, but in-depth troubleshooting is outside of the Okta Community forum scope.
If you have an account with us and are a SuperAdmin/Case Admin, please open a case to work with my colleagues from the Support Team to investigate this further. They'll be able to access additional tools and resources to help you get to the bottom of it.
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added
Join the discussion for our Ask Me Anything on January 20, 2026: Adoption of Stronger Authentication MFA. Ask our expert questions.