Okta Classic Engine release notes (Preview)

Current release
Preview org features

Version: 2026.02.0

February 2026

Generally Available

Okta Mobile End of Life

The Okta Mobile app will transition to End of Life (EOL) status on May 31, 2026.

After this deprecation date, Okta Mobile will not receive any further security updates, bug fixes, or support. The app will no longer be available for download through the Apple App Store or the Google Play Store.

Okta previously announced the End of Support for Okta Mobile, effective November 1, 2025.

See Okta Mobile End of Life for available migration solutions.

Group push for Zoho Mail

Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

Okta Provisioning agent, version 3.0.7

Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

The Generic Database Connector now supports Base64 encoded path parameters.
Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

Access revoked notifications

For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

Admin Console French translation

Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

Agents page description

The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Protected action notifications removed

For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.

More granular maximum clock skew options for LDAP incremental imports

More granular maximum clock skew intervals for LDAP incremental imports have been added to allow for better tuning and improved performance. You can now configure the clock skew to 1, 2, 5, or 10 minutes. This granularity helps you improve import speed by using a clock skew value closer to the actual maximum clock drive of your LDAP server. It also prevents missed updates when the server's clock temporarily moves backward, which ensures data accuracy.

Radius Agent version 2.26

This version includes internal improvements and fixes.

Enhanced provisioning controls for Microsoft Office 365

Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

Operator indicates whether the type is VPN or Proxy
Type includes values like VPN, Proxy, and Tor
IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Early Access

On-premises connector for Generic Databases

The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

Fixes

When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)
Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)
When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)
When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)
The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

Doc Updates

Documentation in French

Documentation for Okta Classic Engine and Okta Identity Engine is now published in French.

Improvements to Okta release notes

Release notes for the following products now cover the current month and the previous 12 months on a single page for faster browsing:

This improvement allows you to find recent updates more efficiently. If you need release notes for a release older than 12 months, contact Okta Support.

Okta Integration Network

Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
HashiCorp Vault (OIDC) is now available. Learn more.
Instagram (SWA) was updated.
Mailchimp (SWA) was updated.
Solarwinds Customer Portal (SWA) was updated.
Peaxy Lifecycle Intelligence (OIDC) has a new app name.

Preview Features

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages on orgs with custom domains on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Federation Broker Mode

The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.

User Import Scheduling

When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.

Null values for SCIM provisioning

You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign-in to apps that run on such devices.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

LDAP password reset option

You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.

Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously being released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared Workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

You can now filter the People page by user type. See Universal Directory custom user types known issues.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision apps

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.