Okta Classic Engine release notes (Production)
Generally Available
Version: 2026.07.0
- Provisioning for Rapid7 InsightAppSec
Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.
- Reassign steps to multiple users
You can now reassign steps within an approval sequence or request type to 10 users. This applies to tasks, questions, actions, and approvals.
- Provisioning for SAP BTP
Provisioning is now available for the SAP BTP app integration. When you provision the app, you can enable security features like Entitlement Management.
- Admin OIDC App Phase Two Tranch One
When the Admin OIDC App Phase Two Tranch One feature is enabled, the Okta Admin Console automatically initiates the OIDC sign-in flow on page load, and admins are briefly redirected to the authentication page before the requested page appears.
- UI updates to Okta Access Requests web app
The All requests page in the Okta Access Requests web app now shows 999+ count if there are 1000 or more requests instead of giving the count. This change helps reduce the time taken to list the requests on the page.
- Import Azure Active Directory users with null first and last name
You can now import users from Microsoft Azure Active Directory (AAD) who have null first name and last name values. This provides admins with a centralized view of their AAD users within Okta. See Import users to Office 365 using Microsoft Graph API.
- Removal of search filters from the Inbox page
The Requester type and Follower options have been removed from Filters on the Inbox page of the Okta Access Requests web app to improve performance.
- New VPN service for enhanced dynamic zones
The VIGOR_SSL_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP categories.
- Improved MFA enrollment policy validator
Orgs that have no self-initiated
user.account.update_passwordsyslog events over last 30 days are now excluded from the MFA enrollment policy validator warning triggered during the Okta Identity Engine upgrade, making it easier to upgrade.- Import unlicensed users from Azure Active Directory to Okta
You can now import users from Microsoft Azure Active Directory (AAD) who don't have an assigned Office 365 license. This allows admins to centralize their workforce lifecycle within Okta and eliminates the need to manage unlicensed accounts across both platforms. See Import users to Office 365 using Microsoft Graph API.
- Role-assignable push groups for Office 365
When you create a new push group for the Office 365 app integration, select the Is this role assignable checkbox to make the group role assignable in Microsoft Entra ID. This allows you to push Okta groups to Microsoft Entra ID
and assign rolesinstead of manually creating groups in Entra ID and then linking them to Okta using push groups. See Configure Push Group.- Group push support in API Integration Actions apps
Apps that use API Integration Actions to perform provisioning can now use the Group Push feature. This enables the group import functionality for apps that use group API contracts in their provisioning actions.
- DirSync group imports for Active Directory
For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.
- On-demand rotation of Office 365 SSO signing certificates
Office 365 app integrations that use WS-Federation for authentication now support the use of app-level certificates. Switching from org-level certificates to app-level certificates improves your security outcomes by eliminating a single point of failure if a shared org-level certificate expires. UI updates enable IT admins to easily monitor certificate status, generate certificates on demand, and perform certificate rotations without disrupting operations. See Configure Single Sign-On for Office 365.
- Update group rule assignments
Admins can now update the groups assigned to a group rule without deleting and recreating the rule. This streamlines the management of group memberships and rule conditions. See Edit group rules.
Early Access
- Auditor mode for admin role assignments
A new Auditor (Read-Only) mode allows super admins to apply a read-only restriction to any individual or group admin assignment. This setting restricts admins to read-only access across the Admin Console and Okta APIs, except for Okta first-party apps. This feature provides auditors with system visibility while maintaining security transparency. See Auditor read-only mode.
Fixes
-
When a system error occurred in the Admin Console, the error message didn't wrap and the content overflowed outside the dialog box. (OKTA-1008359)
-
When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)
-
The DirSync readiness warning banner on the Integration Agents dashboard displayed outdated status information. (OKTA-1185146)
-
Viewing a flow with an API Endpoint configured for OAuth 2.0 sometimes failed to display the specific app selected until the page was refreshed. (OKTA-1188461)
Okta Integration Network
-
SAP LeanIX - SaaS Discovery (API Service) was updated.
-
Camino (OIDC) is now available. Learn more.
-
Camino (SAML) is now available. Learn more.
-
Rubrik Security Cloud (API Service) was updated.
-
Vercel (SAML) is now available. Learn more.
-
Zoom (OIDC) is now available. Learn more.
-
Commvault (API service) is now available. Learn more.
-
Camino (SCIM) is now available. Learn more.