Okta Automations enable you to quickly prepare and respond to situations that occur during the lifecycle of end users who are assigned to an Okta group. This helps improve efficiency and satisfaction among employees, partners, and contingent workforce. For example, automation can help for inactivity lockouts. If a user has been inactive for a set number of days and is on the verge of being locked out, you can use an automation to alert the inactive user in advance.
You set up an automation by defining the following items:
- Conditions — The criteria that triggers Okta to perform actions upon a group of end users. For each automation, you can choose one condition to apply to one or more groups. Conditions can be scheduled to run once or to recur daily.
The following conditions are currently available:
- User inactivity in Okta
- User password expiration in Okta
These conditions are triggered according to a schedule and can be applied to one or more groups. Conditions are mandatory for automations on recurring schedules.
- Actions — The actions that you want Okta to perform when the scheduled conditions are true. The following actions are currently available:
- Send email to the user
- Change user lifecycle state in Okta
Note: Email automations are not available for paid developer orgs or free trial editions of Okta.
You must be a super, org, or mobile admin to add automations.
Note: You can't use automations to change the user lifecycle state of a super admin. To prevent accidental deletions, Okta requires a super admin's lifecycle state to be changed manually by another super admin.
- In the Admin Console, go to Workflow > Automations.
- Click Add Automation.
- Enter a name for the automation, and then click Save. Screenshot
- Configure the following conditions.
Click Edit to select the schedule for the automation, and then click Save. The default selection is set to Run Daily, with a creation time stamp of the local time zone. For time zones, country or city names mentioned in the official Time Zone Database published by the Internet Assigned Numbers Authority (IANA) are admissible. The following options are currently available.
Specify the time and time zone for when the automation should run. Screenshot
Specify the date, time, and time zone for when the automation should run. Screenshot
Click Edit to select one or more groups to which the automation should apply, and then click Save. Note that the automation will apply to all members of the group, regardless of whether they are Okta-mastered or AD/HR-mastered. Screenshot
- Configure one or more conditions.
Click Add Condition and select one or both of the following currently available conditions.User Inactivity in Okta
This option looks for active users who have not logged into Okta for a set number of days. Note that this option does not check if the user is active in apps that they log into through Okta because application session lengths may vary. For this reason, Okta recommends setting the Duration in the User Inactivity condition to be the same as or higher than the application length configuration.User password expiration in Okta
This option looks for users whose Okta-stored passwords will expire within a set number of days. Note that users who meet this condition are impacted by the automation only once. To remind the user again as the expiration date approaches, you need to create an additional User password expiration automation.Screenshot
- Configure one or more actions to be triggered by the conditions you set. Each action is executed independently from the other actions and does not run in any particular sequence. Actions are run one time after all conditions are met.
The following actions are currently available:Send email to the user
This option enables you to create an email template by using HTML and referencing Okta end user profile attributes within the body of the message. The Subject is required before you can Preview and Save the action. Note that if you don't use HTML, the email does not have any formatting and extra spaces and line returns are not preserved. ScreenshotsChange user lifecycle state in Okta
This option enables you to change the user lifecycle to Suspended, Deactivated, or Deleted. Note that users who are manually reactivated or unsuspended must log in or they will be impacted by the next automation cycle.
Setting the Change user lifecycle state in Okta to Deleted is irreversible.
- Select Activate from the Inactive/Active drop-down.
The Activate option becomes available after you configure all the required conditions and at least one action.
After an automation moves to the Active status, it is executed according to the schedule settings configured for that automation, and then repeated every 30 days. If you want to reconfigure an automation, you need to deactivate it first.
Note: Depending on the size of your organization, there may be a 24-hour delay between when your automation begins evaluating conditions and when the actions are executed.