Okta Classic Engine release notes (Preview)

Version: 2026.03.0

March 2026

Generally Available

Okta On-prem SCIM Server agent, version 1.7.0

Okta On-prem SCIM Server agent 1.7.0 is available. This release adds support for IBM DB2 LUW to the On-premises Connector for Generic Databases.

Provisioning for Artifactory

Provisioning is now available for the Artifactory app integration. When you provision the app, you can enable security features like Entitlement Management. See Artifactory.

Provisioning for Twilio

Admins can now automate user lifecycle management for the Twilio app. This integration uses OAuth-based authentication to support user provisioning, profile updates, and deactivation directly from Okta.

Improved error handling for group membership searches

When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.

Enable custom admin permissions for inline and event hooks

The inline and event hook framework now supports read and write permissions for custom admin roles. Fine-grained access to manage inline and event hooks previously required the super admin role. See Role permissions.

Yammer rebranded to Microsoft Viva

The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

Early Access

Improved DirSync-based imports

Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.

Self-Service for Enhanced Disaster Recovery

When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.

Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.

With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.

Fixes

  • Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)

  • When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)

Okta Integration Network

  • Guardare (SAML) is now available. Learn more.

  • Valence Remediation (API) is now available. Learn more.

  • Cato Networks Provisioning now supports user imports and updates.

  • PerimeterX now supports SAML.

  • PerimeterX now supports SCIM.

  • Druva Data Security Cloud (API Service) now has the okta.clients.read scope.

  • Natoma has a new app icon.

  • Adobe Creative (SWA) was updated.

  • Adobe Fonts (SWA) was updated.

Preview Features

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Federation Broker Mode

The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.

User Import Scheduling

When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.

Null values for SCIM provisioning

You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign-in to apps that run on such devices.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

LDAP password reset option

You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.

Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously being released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared Workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

You can now filter the People page by user type. See Universal Directory custom user types known issues.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.