⚠️ Select your experience
The steps depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Group-based policy assignments let you control which personnel must acknowledge each policy. Instead of requiring every employee to acknowledge every policy, you can assign policies to specific identity provider (IdP) groups, all personnel, or no personnel.
This helps reduce unnecessary acknowledgments while keeping compliance requirements accurate and audit-ready.
Prerequisites
You must have an active connection to a supported Identity Provider:
Google Workspace
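If you already have an active Google connection with Drata, make sure you have the following 2 additional scopes enabled:
https://www.googleapis.com/auth/admin.directory.group.readonly (Google Groups)
https://www.googleapis.com/auth/admin.directory.orgunit.readonly (Google Organizational Units)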
Microsoft 365
Okta
Groups must be created and managed in your Identity Provider.
Drata doesn't support HRIS-based groups or creating groups directly in Drata.
Google Workspace note: If you already have your Google connection ready but do not have any groups defined in Google Workspace, please check these instructions:
How to Create groups in Google Workspace
How to Create Organizational Units in Google Workspace
How group syncing works
Drata imports groups and group membership from your connected Identity Provider.
Group and membership changes sync once per day, after the nightly Autopilot run.
New groups appear automatically after the next sync.
Deleted groups are removed from Drata and unassigned from policies.
If the IdP connection is disconnected, existing groups and assignments remain unchanged until the connection is restored.
If multi-domain support isn't enabled, only groups from the primary domain sync.
Verify groups are synced
Open Personnel.
Use the Groups filter to view imported groups.
If you don't see the Groups filter, groups may not have synced or may not exist in your Identity Provider.
Assign policies to personnel groups
Each policy includes a Personnel groups setting that determines who must acknowledge it. When selecting specific groups, only members of selected IdP groups must acknowledge the policy.
Only group members see the policy during onboarding
Monitoring tests apply only to assigned group members
Tests fail only if members of the assigned groups don't acknowledge
Group membership changes:
New members are assigned after the next Autopilot sync
Removed members are no longer required to acknowledge the policy
If all members are removed from assigned groups, the Policy Owner is notified
You can choose to notify new group members automatically when they're added.
Add personnel group to an existing policy
Open Governance → Policies.
Open the policy.
Select the Edit Details section within the Overview tab.
Update the Applicable personnel options.
Save your changes.
How group assignments affect monitoring
Group-based policy assignments directly affect which personnel appear in policy-related monitoring tests. Monitoring only evaluates acknowledgment for users who are in scope for the policy based on their group assignment.
Find non-compliant personnel from the Monitoring page
From Compliance → Monitoring, you can identify personnel who still need to acknowledge a policy:
Filter tests by Category: Policy and Result: Failed.
Open a failed test.
In the Latest result section, confirm the failure is due to missing personnel acknowledgment.
Open the Findings tab to view the personnel who haven't acknowledged the policy.
Select Fix now to open the Personnel page filtered to non-compliant users.
Find non-compliant personnel from the Personnel page
On the Personnel page, you can further narrow the list by:
Employment status (for example, employee vs. contractor)
Compliance → Policies non-compliant
This helps you focus follow-ups on the right users and send reminder emails only to personnel who are expected to acknowledge the policy.
Integration limitations
Groups can only be created in Identity Providers
HRIS groups aren't supported
Microsoft 365 syncs user membership only (no devices or contacts)
Okta group sync doesn't include deactivated or suspended users
Instructions for the Classic Experience ⬇️
We know that not every policy needs to be signed by every member of your organization, or that some policies may not need to be signed by any of your personnel. In Drata we now support the ability to import groups from your identity providers (Google Groups, Google Organizational Units, Microsoft 365, and Okta) and assign policies to certain groups of personnel, all personnel or no one.
Here's how
Step 1: Connect Your Identity Provider
Before importing groups, you need to have an active connection to one of the 3 supported identity providers: Google, Microsoft, or Okta.
GOOGLE: Here are Drata's instructions for setting up the Google Workspace connection.
IMPORTANT: If you already have an active Google connection with Drata, please make sure you have the following 2 additional scopes enabled:
https://www.googleapis.com/auth/admin.directory.group.readonly (Google Groups)
https://www.googleapis.com/auth/admin.directory.orgunit.readonly (Google Organizational Units)
If you already have your Google connection ready but do not have any groups defined in Google Workspace, please check these instructions:
How to Create groups in Google Workspace
How to Create Organizational Units in Google Workspace
MICROSOFT 365: Here are Drata's instructions for setting up the Microsoft 365 connection.
OKTA: Here are Drata's instructions for setting up the Okta connection.
Step 2: Understand Groups Sync
IMPORTANT: Changes to Identity Provider groups will be reflected in Drata once a day after Autopilot completes running (nightly in US PT). This is also the case for user identities; see Drata's Identity sync article to learn more.
New Group(s): New groups should be automatically added to Drata once Autopilot runs. If you have multi-domain support enabled, group information from all domains will be brought into Drata. Otherwise, only the main domain's groups will be imported.
Delete Groups: If you delete groups from the Identity Provider, they will be removed from Drata once Autopilot runs. Deleted Groups will be unassigned from Policies.
Update Groups: Group name and domain changes will be synced with Drata as soon as Autopilot runs. If multi-domain support is not enabled, only updates to the main domain will be synced with Drata.
Disconnect Identity Provider: In the case of an Identity Provider disconnection, the groups, their members, and the assignments will remain in their current state.
Step 3: Verify your groups are synced
Once you have set up a connection to an Identity Provider, you can use the Personnel group filter to see all the imported groups. To view the list of groups:
Go to the Personnel section in Drata
Click on the Groups filter to view all the imported groups
Note: If you don't see the group filter, it means that either groups were not synced correctly or there are no groups defined in your identity provider.
Step 4: Personnel groups
When you go to the policy section, you will see a new column called 'Personnel groups' that shows who needs to acknowledge each policy. This column can have one of the following 3 values:
All personnel: Policy is required to be acknowledged by all personnel in your company.
<Group Name>: Policy is only required to be acknowledged by the assigned group members.
None: Policy is not required to be acknowledged by any personnel at your company.
You can change the assignment of existing policies at any time by selecting the policy and then clicking the Edit icon. Navigate to the Personnel section to update the assigned groups.
Policy Assignment Deep Dive
As covered above, each policy can have 3 assignment options: 'All Personnel', 'Specific groups', or 'Policy doesn't apply to personnel'.
All personnel
When setting a policy assignment to 'All Personnel,' it is required that every member in the organization acknowledges the policy. Therefore, if a single member does not acknowledge the policy, the associated monitoring test for that policy will fail with the list of all personnel that have not acknowledged the policy.
Policy doesn't apply to personnel
If a policy is assigned to 'Policy doesn't apply to personnel,' it means that policy is not required to be signed by any personnel.
If a policy that you own is set to 'Policy doesn't apply to personnel' by anyone but you, you will be notified automatically. External attestations, such as uploaded documents, cannot fulfill acknowledgment requirements.
Monitoring Test: When you set an existing Drata policy to 'Policy doesn't apply to personnel' and that policy has a test for employee acceptance, the test will fail the next time Autopilot runs. It is important to disable the associated test after changing the policy assignment to 'Policy doesn't apply to personnel'.
Specific groups
If a policy is assigned to specific groups, only members of those groups are required to acknowledge that policy. The rest of the employees will not see that policy as part of their onboarding.
Checkbox to notify new members: New members can be added to any group after a policy is assigned to that group. The next time Autopilot runs the new members will be assigned to the policy. If this checkbox is set, then an email notification will be sent to new personnel about this policy anytime a new member is added and that person has not signed the latest approved policy version.
Note: If all members are removed from groups associated with the policy, the policy owner will receive a notification.
Select the 'Fix Now' button to go to the 'Personnel' page, which opens with the related policy groups and orders the list with non-compliant members first.
Integration Limitations
Groups can only be created in the Identity Providers. We currently do not support integration with HRIS groups. Also, groups cannot be created inside Drata.
For Microsoft 365 groups, we import user information (no organizational contacts, devices, etc).
The Okta group sync does not retrieve deactivated or suspended users.









