Import safeguards

Okta enables you to set a safeguard against an unusual number of appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. unassignments during user import. An import safeguard is the maximum percentage of app users in an orgThe Okta container that represents a real-world organization. that can be unassigned while Okta still allows the import to proceed.

You can apply an import safeguard either at the app level, the org level, or both. (Note: App-level safeguard is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, contact Okta Support.) The safeguard limit at the app-level applies to any individual app in your org—not to a specific app. The org-level safeguard limit requires that the limit be reached across users assigned to all apps in your org.



For an import safeguard to be triggered, an org must contain a minimum of 100 app assignments.

Take the example of an org with 10 apps and 100 users assigned to each app, for a total of 1,000 app users:

  • Org-Level Safeguard – Applied against the total app user population of 1,000 app users. If set at 20 percent, any import that would unassign more than 200 app users would be paused.
  • App-Level Safeguard – Applied against the population of users assigned to any given app (100 users, in this example). If set at 50 percent, any import that would unassign more than 50 users from a given app would be paused.

By default, the app-level and org-level safeguards are enabled and set at 20 percent each.

If both the app-level and org-level safeguards are set, then Okta would stop the user import when the first safeguard limit is reached, either app level or org level. If the app-level limit is set to the same value as the org-level limit, then the app-level safeguard should be reached first. In either case, Okta triggers an alert to warn against the unintended unassignment of a large number of apps from users within an org. Below, is an example of this warning as it appears in the All imports paused dialog for the app-level safeguard. This dialog is very similar to the one that would appear for the org-level safeguard.

If the app unassignment was expected

If app unassignments were intentional, you can resume the import by clicking Resume All Imports.

You can also view the event in the system log and, if you feel the current setting caused the unnecessary alert, you can click the app assignment removal limit from the All imports paused dialog to adjust the threshold of allowed app unassignments. See Increase the App Threshold.

If the app unassignment was not expected

If the number of unassignments was not intentional, clicking Cancel the Affected Import and Resume Other Imports from the All imports paused dialog enables you to terminate imports from the offending app and resume other imports. Okta recommends viewing the event in the system logs and, if the issue remains unexplained, call Okta customer support.



Import Safeguard is triggered by a specified percentage of unassignments imported into Okta. Deactivated users are counted among these unassignments, regardless of lifecycle state that you set upon import.

Increase the App Threshold

If you click the app assignment removal limit link from the All imports paused dialog, the Import Safeguard dialog appears. Here you can change the percentage of acceptable app unassignments before a safeguard is triggered.