Intro
Synchronizing users from Active Directory (AD) into Okta can be simple at first, until you need to precisely control which users are brought into Okta and how group memberships are managed. The difference between syncing too many users or too few often comes down to a single line of LDAP filter logic.
This post serves as a comprehensive reference; a “bible” for Okta administrators covering all the essential and advanced LDAP scoping filters you can use to control your AD → Okta synchronization process.
Why Scoping Matters
When Okta integrates with AD, it can import users, groups, and membership information. Without a scoped filter, Okta might import all AD users, even those who do not need Okta accounts.
By using scoping filters, you define exactly which users should sync based on group membership, nested group logic, attributes, or combinations of all three.
How Okta Uses LDAP Filters
An LDAP (Lightweight Directory Access Protocol) filter is a search expression that tells Okta’s AD agent which objects to import.
You can configure this in Directory Integrations → <Active Directory Domain> → Provisioning → Integration.
Key facts to remember:
- OU Scoping limits which containers are searched.
- LDAP Filter Scoping further restricts which users are imported.
- Both can be combined for fine-grained control.
- Okta flattens nested groups, it resolves nested membership but does not maintain true group-in-group structure.
Basic Group Scoping Examples
1. Sync a Single Group
Use this to import only users who are direct members of a specific group:
(memberOf=CN=GroupName,OU=Groups,DC=example,DC=com)
Use case: Simple scenarios where all users to be synced belong directly to one AD group.
2. Sync a Group Including Nested Groups
To include users who are members of nested or child groups, use the recursive membership OID:
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupName,OU=Groups,DC=example,DC=com)
Explanation:
The :1.2.840.113556.1.4.1941: syntax tells Active Directory to evaluate nested group membership recursively.
Benefit:
You can create a “sync parent group” and nest multiple department or app-specific groups under it. This allows central control from AD; adding or removing a user in any nested group will affect their Okta sync status.
Attribute-Based Scoping Examples
Attribute-based scoping allows user inclusion based on custom attribute values rather than group membership.
3. Sync Based on Attribute Values
This example uses extensionAttribute1 or extensionAttribute2 as triggers to determine which users sync:
(&(objectCategory=person)(objectClass=user)
(|(extensionAttribute1=sync)(extensionAttribute2=okta))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Explanation:
objectCategory=personandobjectClass=user— ensures only user objects are included.(| ... )— “OR” condition, includes users matching either attribute.- The
userAccountControlclause excludes disabled accounts.
Use case:
Ideal when multiple departments or processes mark users differently for Okta inclusion.
Advanced Filter Patterns
4. Require Multiple Attribute Matches (AND Logic)
To include only users that have both attribute values matching your criteria:
(&(objectCategory=person)(objectClass=user)
(extensionAttribute1=sync)
(extensionAttribute2=okta)
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Use case:
When Okta inclusion should require multiple flags; for example, an HR flag and an IT provisioning flag.
5. Combine Group Membership and Attribute Logic
To include users only if they belong to a specific group and have a defined attribute value:
(&(objectCategory=person)(objectClass=user)
(memberOf:1.2.840.113556.1.4.1941:=CN=SyncParentGroup,OU=Groups,DC=example,DC=com)
(extensionAttribute1=okta_sync)
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Alternative (OR condition):
To include users who either belong to a specific group or have a sync flag:
(&(objectCategory=person)(objectClass=user)
(|(memberOf:1.2.840.113556.1.4.1941:=CN=SyncGroup,OU=Groups,DC=example,DC=com)
(extensionAttribute1=sync))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
6. Exclude Specific Subgroups or OUs
To exclude users that are members of a particular subgroup:
(&(objectCategory=person)(objectClass=user)
(memberOf:1.2.840.113556.1.4.1941:=CN=SyncGroup,OU=Groups,DC=example,DC=com)
(!(memberOf:1.2.840.113556.1.4.1941:=CN=Contractors,OU=Groups,DC=example,DC=com))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Use case:
Common in large environments where contractors or external users should not be imported into Okta.
7. Multiple Sync Groups (OR Logic)
To sync users who belong to any of multiple approved groups:
(&(objectCategory=person)(objectClass=user)
(|(memberOf:1.2.840.113556.1.4.1941:=CN=GroupA,OU=Groups,DC=example,DC=com)
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupB,OU=Groups,DC=example,DC=com))
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Use case:
Allows multiple functional or regional groups to sync under one directory integration.
8. Attribute and Group Branch Logic
Complex example combining multiple criteria for different groups:
(&(objectCategory=person)(objectClass=user)
(|
(&(memberOf:1.2.840.113556.1.4.1941:=CN=GroupA,OU=Groups,DC=example,DC=com)
(extensionAttribute2=okta))
(&(memberOf:1.2.840.113556.1.4.1941:=CN=GroupB,OU=Groups,DC=example,DC=com)
(extensionAttribute3=syncflag))
)
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Use case:
Different business units use different attributes to mark Okta-eligible users, but all route through one unified filter.
Practical Admin Tips
1. Always Exclude Disabled Accounts
Include this clause in every filter:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
2. Test Filters Before Use
Use tools like ldp.exe or an LDAP browser to confirm your query returns the expected users.
Testing first prevents accidental over-syncing.
3. Understand Precedence
OU scoping limits which AD containers are searched, while the LDAP filter defines user inclusion criteria.
If no users appear after applying your filter, re-test each clause individually.
4. Avoid Circular Group Membership
Okta flattens nested groups but does not support true recursive “group-in-group” structures.
Circular memberships (A → B → A) can cause unpredictable results.
5. Consider Multi-Domain Environments
If your Okta AD integration spans multiple domains, confirm that each domain controller and trust allows group membership resolution for the specified users.