About Okta provisioning

Okta Lifecycle Management (LCM) is a product with multiple functions. These include imports, access-request workflow, groups, group rules, and provisioning to and from cloud and on-premises applications.

Within an organization, there are applications and users who need access to these applications. Users and applications are the only mandatory items that you must configure to use Okta.

Who can perform Okta provisioning?

A super admin and app admin can assign users to applications. The Super Administrator role assigns a person full permissions. If Okta app groups are utilized, a group admin can provision users to applications.


The Okta administrator configuring the application needs application admin permissions to authorize API provisioning within the application from Okta.

Okta provisioning and app integration

Provisioning synchronizes cloud to on-premises application user accounts with Okta. Integration automates application provisioning.

There are hundreds of pre-built connectors in the Okta Integration Network (OIN) for cloud-based and on-premises apps.

Apps that can be Okta provisioned

Cloud and on-premises apps can be provisioned, regardless if they are upstream or downstream of Okta. An upstream app is one that sends user data to Okta. A downstream app is one that receives user data from Okta.


Deprovisioning is the deactivation of users in an assigned app to which they were provisioned.

Organizations usually have policies to keep deprovisioned user accounts available for a period. This is useful if information needs to be restored.


When an application assignment is removed (deprovisioned) from a user in Okta, Okta does not delete the user’s account, rather it deactivates the user’s account in the integrated, third-party app. Some applications may support additional options, such as deleting the user’s account. However, these options vary from app to app.