Okta Classic Engine release notes (Preview)
Generally Available
Version: 2026.07.0
- Provisioning for Rapid7 InsightAppSec
Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.
- Provisioning for SAP BTP
Provisioning is now available for the SAP BTP app integration. When you provision the app, you can enable security features like Entitlement Management.
- Admin OIDC App Phase Two Tranch One
When the Admin OIDC App Phase Two Tranch One feature is enabled, the Okta Admin Console automatically initiates the OIDC sign-in flow on page load, and admins are briefly redirected to the authentication page before the requested page appears.
- Removal of search filters from the Inbox page
The Requester type and Follower options have been removed from Filters on the Inbox page of the Okta Access Requests web app to improve performance.
- New VPN service for enhanced dynamic zones
The VIGOR_SSL_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP categories.
- Update group rule assignments
Admins can now update the groups assigned to a group rule without deleting and recreating the rule. This streamlines the management of group memberships and rule conditions. See Edit group rules.
- Improved MFA enrollment policy validator
Orgs that have no self-initiated
user.account.update_passwordsyslog events over last 30 days are now excluded from the MFA enrollment policy validator warning triggered during the Okta Identity Engine upgrade, making it easier to upgrade.- Import unlicensed users from Azure Active Directory to Okta
You can now import users from Microsoft Azure Active Directory (AAD) who don't have an assigned Office 365 license. This allows admins to centralize their workforce lifecycle within Okta and eliminates the need to manage unlicensed accounts across both platforms. See Import users to Office 365 using Microsoft Graph API.
- Group push support in API Integration Actions apps
Apps that use API Integration Actions to perform provisioning can now use the Group Push feature. This enables the group import functionality for apps that use group API contracts in their provisioning actions.
- On-demand rotation of Office 365 SSO signing certificates
Office 365 app integrations that use WS-Federation for authentication now support the use of app-level certificates. Switching from org-level certificates to app-level certificates improves your security outcomes by eliminating a single point of failure if a shared org-level certificate expires. UI updates enable IT admins to easily monitor certificate status, generate certificates on demand, and perform certificate rotations without disrupting operations. See Configure Single Sign-On for Office 365.
Early Access
- Auditor mode for admin role assignments
A new Auditor (Read-Only) mode allows super admins to apply a read-only restriction to any individual or group admin assignment. This setting restricts admins to read-only access across the Admin Console and Okta APIs, except for Okta first-party apps. This feature provides auditors with system visibility while maintaining security transparency. See Auditor read-only mode.
Fixes
-
When a system error occurred in the Admin Console, the error message didn't wrap and the content overflowed outside the dialog box. (OKTA-1008359)
-
When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)
-
The DirSync readiness warning banner on the Integration Agents dashboard displayed outdated status information. (OKTA-1185146)
-
Viewing a flow with an API Endpoint configured for OAuth 2.0 sometimes failed to display the specific app selected until the page was refreshed. (OKTA-1188461)
Okta Integration Network
-
SAP LeanIX - SaaS Discovery (API Service) was updated.
-
Camino (OIDC) is now available. Learn more.
-
Camino (SAML) is now available. Learn more.
-
Rubrik Security Cloud (API Service) was updated.
-
Vercel (SAML) is now available. Learn more.
-
Zoom (OIDC) is now available. Learn more.
-
Commvault (API service) is now available. Learn more.
-
Camino (SCIM) is now available. Learn more.
Preview org features
- Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
- Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
- Descriptive System Log events
When Okta identifies a security threat, the resulting
security.threat.detectedSystem Log entry now provides a descriptive reason for the event. See System Log.- New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
- ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints:
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new
Negative IP Reputationreason is available for highsecurity.threat.detectedevents. See System Log events for Okta ThreatInsight.- SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
- Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.
- User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.
- Null values for SCIM provisioning
You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.
- Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
- LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
- LDAP password reset option
You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
- Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.
Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.
- Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously being released to Production in 2020.09.0.
- Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
- Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared Workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
- End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default
localeproperty is now Generally Available. See Configure general customization settings.- People page improvements
You can now filter the People page by user type. See Universal Directory custom user types known issues.
- Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
- Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.