In this guide:
Okta Workflows guides
Okta Workflows guides offer questions and answers from the Okta Workflows community office hours. They also come from the #okta-workflows channel on the Mac Admins Slack and other places. Read all the other guides.
How do you remove deactivated users from all groups using Okta Workflows?
This guide will teach you how to remove deactivated users from all groups using Okta Workflows.
Remove deactivated users from groups
The automation has three flows:
- List users: flow lists all deactivated users and passes them to a helper flow.
- Remove user: flow removes the user from each group.
- List user groups: flow lists all groups for each deactivated user and passes them to a helper flow.
List users flow
The List users flow lists all deactivated users and passes them to a helper flow.
How the flow works
- The flow runs on a schedule.
- The Okta-List Users with Search card lists all users with a status of
DEPROVISIONED. It uses the streaming option, passing each user to the List user groups helper flow.
List user groups flow
The List user groups flow lists all groups for each deactivated user and passes them to a helper flow.
How the flow works
- Since the main flow uses streaming, the Helper Flow card sets up the Record and State fields. Learn how to stream records to a helper flow.
- The Record object holds each user object passed from the main flow. The Record extracts the ID property from the user JSON object.
- The Okta-Get Users Groups card lists all the users’ groups. It uses the streaming option, passing each group to the Remove user helper flow. The card also passes the User ID to the helper flow using the State field.
Remove user flow
The Remove user flow removes the user from each group.
How the flow works
- Since the List user groups flow uses streaming, the Helper Flow card sets up the Record and State fields.
- The Record object holds each group object passed from the helper flow. The Record extracts two properties from the group JSON object: ID and Profile.Name.
- The State object holds the User ID passed from the List user groups flow.
- The Branching-Continue If card checks that the group name is not equal to
Everyone. The Everyone group is managed by Okta and cannot be modified. If the group is Everyone, the flow stops with the message: “Can’t remove from the Everyone group.” - The Okta-Remove User from Group card removes the user from the group using the Group ID and User ID.
Related Okta Workflows guides
- How to Remove a User from Google Groups When the User Is Deactivated in Okta Workflows.
- How to Export Group Membership to a CSV File and Email the File in Okta Workflows.
- How to Remove a User From Groups When the User Is Deactivated.
- How to Check if a User Is a Member of a Specific Group in Workflows.
Okta Workflows resources
- 🚀 New to Okta Workflows? The Getting Started with Okta Workflows page has all the resources to help you get started.
- 📺 Like learning from videos? Watch Okta Workflows videos.
- ❓Have a question? Ask during community office hours or post on the community forum.
- 🙋♀️ Want to learn from the community? Join the #okta-workflows channel on the Mac Admins Slack.
- 📖 Want to learn more about identity automation? Take the Okta Workflows training on Okta Learning.
Leave a Reply