Add a new automation

Add a new automation by configuring its parameters.

Before you begin

Review the following information:

  • You must be a super, org, or mobile admin to add an automation. Only super admins can manually change the lifecycle state of another super admin.

  • Depending on the size of your org, there may be a 24-hour delay between when your automation begins evaluating conditions and when the actions are run.

  • User sign-in activity is not updated when users sign in through a service provider. Sign-in activity is only updated when users sign in using the Okta End-User Dashboard. The Last Login field of the Application Usage report is not updated with service-provider sign-ins, which can cause users to be incorrectly deactivated.

  1. In the Admin Console, go to Workflow > Automations.
  2. Click Add Automation and enter a name for the automation. Click Save.
  3. Configure the parameters of the default conditions:

    • Click Edit next to Select a schedule, select a time zone, and then configure the time when the automation will run. The default selection is Run daily, with a creation time stamp in the local time zone. For time zones, country or city names listed in the official Time Zone Database published by the Internet Assigned Numbers Authority (IANA) are accepted.
    • Click Edit next to Select group membership, and enter one or more groups to which the automation will apply. Click Save. The automation will apply to all members of the group, regardless of whether they are Okta-sourced, Active Directory-sourced, or HR-sourced.
  4. Configure one or more new conditions. Click Add Condition and select one or both of the following conditions.
    • User Inactivity in Okta: This option looks for active users who haven’t logged into Okta for a set number of days. Because application session lengths can vary, this option does not check if the user is active in apps that they log into through Okta. For this reason, Okta recommends setting the duration to be the same as or higher than the application session length configuration. For more information about active user accounts, see About user account status.
    • User password expiration: This option looks for users whose Okta-stored passwords will expire within a set number of days. Users who meet this condition are impacted by the automation only once. To remind the user again as the expiration date approaches, you need to create an extra User password expiration automation. Although this option isn’t designed to work with your Active Directory integration, it can provide you with limited functionality.
  5. Configure one or more actions to be triggered by the conditions you set. Each action is run independently from the other actions and doesn’t run in any particular sequence. Actions are run one time after all conditions are met. The following actions are currently available:
    • Send email to the user: This option enables you to create an email template by using HTML and referencing Okta end-user profile attributes within the body of the message. The Subject is required before you can Preview and Save the action. If you don't use HTML, the email has no formatting, and extra spaces and line returns aren’t preserved.

      The email automation is performed once on the same user for a period of 30 days.

    • Change user lifecycle state: This option enables you to change the user lifecycle to Suspended, Deactivated, or Deleted. Users who are manually reactivated or unsuspended must log in or they will be impacted by the next automation cycle. Setting the Change user lifecycle state in Okta to Deleted is irreversible.
  6. Select Activate from the Inactive/Active drop-down.

    The Activate option becomes available after you configure all the required conditions and at least one action.

    Active automations are run using the configured schedule settings for that automation, except for email automation, which is performed once on the same user for a period of 30 days. To edit an automation, deactivate it first.
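
A dry run worth doing before step 6 when the action is Change user lifecycle state: the following added example (not part of Okta's documentation or product code) applies the User Inactivity in Okta threshold to a user list and separates out users whose only recent activity is a service-provider sign-in, which the Last Login value does not reflect. The record field names, the app-side sign-in log, and the treatment of a missing last login as inactive are assumptions of this example, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are assumptions, not an Okta export format.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"login": "alice", "status": "ACTIVE", "last_login": "2024-06-15T08:00:00+00:00"},
    {"login": "bob", "status": "ACTIVE", "last_login": "2024-01-10T08:00:00+00:00"},
    {"login": "carol", "status": "ACTIVE", "last_login": "2023-12-01T08:00:00+00:00"},
    {"login": "dave", "status": "SUSPENDED", "last_login": "2023-11-01T08:00:00+00:00"},
    {"login": "erin", "status": "ACTIVE", "last_login": "2024-02-01T08:00:00+00:00"},
]
# Latest sign-in per user taken from the applications' own logs (constructed).
SAMPLE_SP_SIGN_INS = {
    "bob": "2024-06-20T14:30:00+00:00",
    "erin": "2024-03-01T09:00:00+00:00",
}

def parse_ts(value):
    """Parse an ISO 8601 timestamp; None or empty means no recorded sign-in."""
    return datetime.fromisoformat(value) if value else None

def dry_run_inactivity(users, sp_sign_ins, inactivity_days, now):
    """Return (would_match, needs_review) lists of logins.

    would_match: active users with no sign-in evidence inside the window.
    needs_review: users who look inactive by last login but signed in to an
    app through the service provider inside the window.
    """
    cutoff = now - timedelta(days=inactivity_days)
    would_match, needs_review = [], []
    for user in users:
        if user["status"] != "ACTIVE":
            continue  # the condition looks for active users only
        last_login = parse_ts(user["last_login"])
        if last_login is not None and last_login >= cutoff:
            continue  # recent dashboard sign-in
        # Assumption: a missing last login is treated as inactive.
        sp_seen = parse_ts(sp_sign_ins.get(user["login"]))
        if sp_seen is not None and sp_seen >= cutoff:
            needs_review.append(user["login"])
        else:
            would_match.append(user["login"])
    return would_match, needs_review

if __name__ == "__main__":
    matched, review = dry_run_inactivity(SAMPLE_USERS, SAMPLE_SP_SIGN_INS, 90, NOW)
    print("would match:", matched)
    print("review before activating:", review)
```

Users in the review list are the ones the Last Login caveat puts at risk of incorrect deactivation.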