---
title: Adding user groups
description: PingOne for Enterprise user groups authorize user access to applications based on a user's group membership.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_groups
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_groups.html
revdate: December 13, 2021
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Adding user groups

PingOne for Enterprise user groups authorize user access to applications based on a user's group membership.

## About this task

You'll need to add the relevant groups to PingOne for Enterprise from the identity repository associated with your identity bridge.

You can create user groups in the following ways:

* PingOne for Enterprise creates groups automatically based on a user's group membership during single sign-on (SSO). For example, PingOne for Enterprise will create a group based on the user's `memberOf` attribute in the Security Assertion Markup Language (SAML) response.

* If you're using an identity provider (IdP) that supports provisioning, you can also create groups through provisioning. AD Connect and PingOne for Enterprise Directory do this automatically. Learn more in [PingOne for Enterprise identity repositories](p14e_idps.html).

  PingFederate requires you to configure group provisioning on the PingFederate side. Learn more in [Creating a provisioning connection](https://docs.pingidentity.com/integrations/scim/setup/pf_scim_connector_creating_a_provisioning_connection.html) in the PingFederate SCIM Provisioner documentation.

* Follow the steps below to create groups manually.
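The first option above creates groups from the `memberOf` values carried in the SAML response. The following Python is an added example, not Ping Identity code: it lists those values in a captured response and flags any that are not on a list you expect, so you can review which groups SSO would introduce. The sample response, the `EXPECTED_GROUPS` list, and the function names are constructed for illustration; the page does not state how PingOne for Enterprise derives the group name from each value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement from a SAML response (not real data).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
        <saml:AttributeValue>CN=Contractors,OU=Groups,DC=example,DC=com</saml:AttributeValue>
        <saml:AttributeValue> </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Hypothetical list of group values the administrator expects to see.
EXPECTED_GROUPS = {"CN=Finance,OU=Groups,DC=example,DC=com"}

def member_of_values(response_xml, attr_name="memberOf"):
    """Return the non-empty, de-duplicated group attribute values in document order."""
    # SAML messages carry no DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in response_xml or "<!ENTITY" in response_xml:
        raise ValueError("DTDs are not expected in SAML messages")
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # Assumption: match the attribute name case-insensitively (memberOf / memberof).
        if attr.get("Name", "").lower() != attr_name.lower():
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text and text not in values:
                values.append(text)
    return values

def unexpected_groups(response_xml, expected=EXPECTED_GROUPS):
    """Group values present in the response but absent from the expected list."""
    return [g for g in member_of_values(response_xml) if g not in expected]

if __name__ == "__main__":
    for group in unexpected_groups(SAMPLE_RESPONSE):
        print("not on expected list:", group)
```

This reads attribute values only and does not validate the response signature, so use it for review of captured responses rather than as an authorization check.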

Provisioned groups appear automatically at **Users > User Groups**. Groups are removed when they're deprovisioned.

If you don't use provisioning, groups appear when you create them manually or after a member of the group signs on through SSO.

You can remove old groups manually. Learn more in [Delete groups](p14e_delete_groups.html).

If you're using Microsoft Entra ID (formerly known as Azure AD) as your IdP, PingOne for Enterprise has a **Sync Groups** button on the **User Groups** page that fetches groups from Azure. This adds new groups to PingOne for Enterprise and removes old groups that no longer exist in Azure. You can also create groups manually or have a user SSO to create a group. Learn more in [Connect to Azure](p14e_connect_azure.html).

If you haven't added any applications for SSO, no applications will be listed when you add a group, but you can assign the groups to applications when you add SAML, OpenID Connect (OIDC), or [Application Catalog](p14e_add_application_application_catalog.html) apps.

For all other applications and general use, follow the steps in [Authorize group access to applications](p14e_authorize_group_access_applications.html). The applications you've added will then be displayed.

Unless you specify group authorization for an application when you add the application, all members of all groups are given access to the application by default.

## Steps

1. Go to **Users > User Groups**.

2. Do one of the following, depending on whether or not you're using an Azure identity bridge with group synchronization:

   ### Choose from:

   * For an Azure identity bridge configured for group synchronization, the initial group synchronization has already occurred as part of the Azure identity bridge setup. To resynchronize the PingOne for Enterprise groups when additions or changes have occurred on your Azure provider, click **Synchronize Groups**.

   * For all other identity bridges as well as for Azure identity bridges without group synchronization, click **Add New Groups** and enter the name of one of your groups in the entry field.

3. Click **Save**. The new group is added to PingOne for Enterprise and will appear in the groups listing on the **User Groups** page.

4. Repeat these steps for each group that you want to add to PingOne for Enterprise.
