Under what scenario would a user’s group membership be unaffected by the JIT provisioning process?

The scenario in which a user’s group membership would remain unaffected by the Just-In-Time (JIT) provisioning process is when the user has no group memberships in Active Directory (AD). JIT provisioning creates user accounts in Okta in real-time based on assertions received during the authentication process. If a user does not have any group memberships in AD, there are no groups to provision into Okta. Hence, the process doesn't have any group memberships to dynamically assign, making the user’s group status unaffected.

In contrast, situations such as a disconnected AD during login would prevent any provisioning from occurring, but if the user has group memberships in AD, those memberships would still be relevant at the time the AD is accessible. Similarly, existing user accounts in other Okta tenants or multiple organizational units would not inherently negate or influence the user’s group memberships derived from their default AD location during JIT provisioning. Thus, the absence of group memberships in AD is the definitive condition for having no impact on group affiliation in Okta during the JIT process.