Skip to main content
Applies to BloodHound Enterprise and CE

Overview

Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in Everyone group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested. In OktaHound, groups are represented as Okta_Group nodes.

Edges

The tables below list edges defined by the OktaHound extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Edge TypeSource Node TypesTraversable
Okta_AddMemberOkta_User, Okta_Group, Okta_Application
Okta_ContainsOkta_Organization
Okta_GroupAdminOkta_User, Okta_Group, Okta_Application
Okta_GroupMembershipAdminOkta_User, Okta_Group, Okta_Application
Okta_GroupPullOkta_Application
Okta_IdpGroupAssignmentOkta_IdentityProvider
Okta_MemberOfOkta_User
Okta_MembershipSyncOkta_Group, Group, AZGroup
Okta_OrgAdminOkta_User, Okta_Group, Okta_Application
Okta_ResourceSetContainsOkta_ResourceSet
Okta_ScopedToOkta_RoleAssignment

Outbound Edges

Edge TypeDestination Node TypesTraversable
Okta_AddMemberOkta_Group
Okta_AppAdminOkta_Application, Okta_ApiServiceIntegration
Okta_AppAssignmentOkta_Application
Okta_GroupAdminOkta_User, Okta_Group
Okta_GroupMembershipAdminOkta_Group
Okta_GroupPushOkta_Application
Okta_HasRoleOkta_Role, Okta_CustomRole
Okta_HasRoleAssignmentOkta_RoleAssignment
Okta_HelpDeskAdminOkta_User
Okta_ManageAppOkta_Application
Okta_MembershipSyncOkta_Group, Group, AZGroup
Okta_MobileAdminOkta_Device
Okta_OrgAdminOkta_User, Okta_Group, Okta_Device
Okta_ReadClientSecretOkta_ClientSecret
Okta_ResetFactorsOkta_User
Okta_ResetPasswordOkta_User
Okta_SuperAdminOkta_Organization

Properties

Standard Okta group properties:
NameSourceTypeDescription
idgroup.idstringUnique group identifier.
namegroup.profile.namestringGroup name in Okta (or synchronized source).
displayNamegroup.profile.namestringDisplay label used in BloodHound.
descriptiongroup.profile.descriptionstringGroup description text.
oktaDomainCollector context (non-API)stringOkta organization domain where the group exists.
hasRoleAssignmentsCalculatedboolIndicates whether the group is assigned any administrative roles.
oktaGroupTypegroup.typestringGroup type (for example OKTA_GROUP, APP_GROUP, BUILT_IN).
objectClassgroup.objectClass[0]stringSource object class (for example AD security principal).
createdgroup.createddatetimeGroup creation timestamp.
lastUpdatedgroup.lastUpdateddatetimeLast update timestamp.
lastMembershipUpdatedgroup.lastMembershipUpdateddatetimeLast membership change timestamp.
Additional properties of groups synchronized from Active Directory:
NameSourceTypeDescription
objectSidgroup.profile.objectSidstringSecurity Identifier (SID) for the AD group.
distinguishedNamegroup.profile.dnstringActive Directory distinguished name.
samAccountNamegroup.profile.samAccountNamestringSecurity Account Manager (SAM) account name.
domainQualifiedNamegroup.profile.windowsDomainQualifiedNamestringDomain-qualified name of the AD group.
groupScopegroup.profile.groupScopestringAD group scope (for example global, domainLocal, universal).
groupTypegroup.profile.groupTypestringAD group type, i.e., security or distribution.
objectGuidBase64ToGuid(group.profile.externalId)stringAD object GUID.

Sample Property Values

Example of a group created directly in Okta: 
id: 00gxg12p4kFOkyXLb697
name: Engineering
displayName: Engineering
description: Engineering department group
oktaDomain: contoso.okta.com
hasRoleAssignments: false
oktaGroupType: OKTA_GROUP
objectClass: okta:user_group
created: 2025-11-14T08:00:25+00:00
lastUpdated: 2025-11-14T08:00:25+00:00
lastMembershipUpdated: 2025-11-14T08:00:25+00:00
Example of a group synchronized from Active Directory: 
id: 00gxga7s3yDJ71OzW697
name: Sales
displayName: Sales
description: Sales department group
oktaDomain: contoso.okta.com
hasRoleAssignments: false
oktaGroupType: APP_GROUP
objectClass: okta:windows_security_principal
objectSid: S-1-5-21-71365889-924527929-2677699343-2536
distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local
samAccountName: Sales
domainQualifiedName: CONTOSO\Sales
groupScope: Global
groupType: Security
objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a
created: 2025-11-14T12:58:13+00:00
lastUpdated: 2025-11-14T13:05:44+00:00
lastMembershipUpdated: 2025-11-14T12:58:13+00:00

Synchronization with External Directories

Similarly to users, groups can also be synchronized from external directories. The Okta API exposes the original Active Directory attributes, which are then collected by OktaHound: Group synchronized from AD Nested (transitive) group memberships in Active Directory are always flattened (resolved) when synchronized to Okta, as illustrated below: