3.2.4
Release Date: March 6, 2026
🐛 Bug Fixes
Okta Business Roles
Entra ID Dynamic Group Rules — Replace memberOf with Synced User Attributes 🔧
Module: src/terraform/okta-business-roles
Fixed Entra ID dynamic group membership rules that used the user.memberOf operator with on-premises synced groups, which silently matched no users.
Root Cause:
The user.memberOf -any (group.objectId -in [...]) syntax only works with cloud-native groups. Windows Server AD (on-premises synced) groups do not generate the directoryLinkChange events required by the memberOf dynamic rule evaluator, so rules matched no users even when users were members of those groups in on-prem AD.
The Fix:
Replaced memberOf group lookups with direct user attribute comparisons using values synced from on-premises AD via Entra Connect:
- Division — user.extension_b8e8b57b4f3545eba5dd0309992d8e0c_division (synced from the on-prem AD division field via the "Tenant Schema Extension App")
- Job Title — user.jobTitle -in [...] (standard synced user property; supports the -in operator, unlike memberOf)
Before (broken):
After (working):
(user.extension_b8e8b57b4f3545eba5dd0309992d8e0c_division -eq "Information Technology Div") -and (user.jobTitle -in ["Software Engineer","Senior Software Engineer"])
Additional Changes:
- Renamed department → division throughout all module files and the caller (main-corp.tf)
- Retained the azuread_group data source for division name validation only (division groups have real backing AD security groups; job titles are freeform values and are not validated against groups)
- Removed the stale looked_up_groups output that referenced a deleted local value
- Updated README to document the new attribute-based approach with correct rule syntax examples
PR: #491
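The attribute-based rule wired into Terraform, as an added example that is not the okta-business-roles module's own code: it assumes the azuread provider's azuread_group resource and data source, the extension attribute name quoted above, and a hypothetical group naming scheme.

```hcl
# Added example (not the okta-business-roles module's own code). Assumes the
# azuread provider and the extension attribute name quoted in the release note.
variable "division" {
  type    = string
  default = "Information Technology Div"
}
variable "job_titles" {
  type    = list(string)
  default = ["Software Engineer", "Senior Software Engineer"]
}

# Validation only: the division must be a real synced AD security group. Its
# objectId is deliberately NOT used in the rule (memberOf never matches on-prem
# synced groups); the plan fails if the group does not exist.
data "azuread_group" "division" {
  display_name     = var.division
  security_enabled = true
}

locals {
  # Schema-extension attribute that Entra Connect fills from the on-prem AD
  # "division" field (app ID taken from the release note).
  division_attr = "user.extension_b8e8b57b4f3545eba5dd0309992d8e0c_division"
  # %q JSON-quotes each title so the -in list is well-formed.
  job_title_list = join(",", [for t in var.job_titles : format("%q", t)])
  # (user.extension_..._division -eq "Information Technology Div") -and
  # (user.jobTitle -in ["Software Engineer","Senior Software Engineer"])
  membership_rule = format(
    "(%s -eq %q) -and (user.jobTitle -in [%s])",
    local.division_attr, var.division, local.job_title_list,
  )
}

resource "azuread_group" "business_role" {
  display_name     = "${var.division} - Engineers" # hypothetical naming
  security_enabled = true
  types            = ["DynamicMembership"]
  dynamic_membership {
    enabled = true
    rule    = local.membership_rule
  }
  lifecycle {
    precondition {
      # Reject any rule that reintroduces the broken operator (Terraform >= 1.5).
      condition     = !strcontains(local.membership_rule, "user.memberOf")
      error_message = "Dynamic rule must not use user.memberOf: synced groups never match."
    }
  }
}
```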
📦 Dependencies
NPM Packages
- 📦 @types/node — bumped from 24.11.0 to 24.12.0 (#490)
🔄 Breaking Changes
None in this release ✅
📋 Additional Notes
- Total commits: 3
- Files changed: ~6
- Contributors: Emmitt Johnson, dependabot[bot]
Support
- 📧 Teams Support Channel: Support