Suspicious Activity Reporting for End Users

This is a Beta feature. To see about participating in this Beta program, please refer to the Beta Programs page.


1. Overview

This feature provides end users with an option to notify their org admin of any unrecognized or suspicious activity on their account by submitting a report via an email notification. The submitted report contains activity details such as browser type, OS, location, and IP address.


2. User Roles

Okta admins (Super admins and Org admins)


End Users
  • Can report suspicious or unrecognized activity to their org admin from an email notification once they sign in to their org.
  • Can trigger an automated set of actions to help secure their account if they report suspected suspicious activity.
  • Are signed out of all devices and are required to reset their password if they submit a report.

3. Prerequisites

To use this feature, your Okta preview tenant must have the feature flag enabled: REPORT_SUSPICIOUS_ACTIVITY_VIA_EMAIL

Note: You will be informed via email once the feature flag has been enabled on your preview account.


4. Procedure

  1. Sign in to the Okta admin console.
  2. Navigate to Settings > Email & SMS. The Email & SMS Customization page is displayed.

  3. From the left navigation menu, scroll down to Other.

  4. Edit one or all of the following templates, each of which contains a new section with a link that provides users with the option to report unrecognized activity:

    • New Device Notification
    • MFA Factor Enrolled
    • MFA Factor Reset
    Note: If your org has already enabled customized email templates, reset the template for the Report suspicious activity link to appear and customize again as needed.
  5. Once this link is made available, end users can choose to send a report to their org admin from an email notification they receive once they sign in to their org.


5. Result

Once this feature is configured, admins will receive an email notification when the report is submitted by an end user.

Note: To view details in the system log, click Review Security Event. The event name is: user.account.report_suspicious_activity_by_enduser
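
Example (added here, not part of the Okta documentation): a short Python triage script that filters exported System Log records for the event name above and lists users who reported more than once. The sample records are constructed, and the field layout (eventType, published, actor.alternateId, client.*) is an assumption based on the general System Log event shape; this page does not state which fields this event populates.

```python
from collections import Counter

# Event name given on this page.
EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample records (not real data). The field layout is an assumption:
# the general System Log event shape (eventType, published, actor, client).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2020-01-06T09:00:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": EVENT_TYPE, "published": "2020-01-06T09:12:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"browser": "CHROME", "os": "Windows 10"},
                "geographicalContext": {"city": "Lyon", "country": "France"}}},
    {"eventType": EVENT_TYPE, "published": "2020-01-06T08:30:00.000Z",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},  # no user agent or geo data
    {"eventType": EVENT_TYPE, "published": "2020-01-07T17:45:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"browser": "FIREFOX", "os": "Mac OS X"}}},
]

def summarize_reports(events):
    """Return one row per end-user report, oldest first; missing fields become 'unknown'."""
    rows = []
    for ev in events:
        if ev.get("eventType") != EVENT_TYPE:
            continue  # ignore every other System Log event
        client = ev.get("client") or {}
        ua = client.get("userAgent") or {}
        geo = client.get("geographicalContext") or {}
        place = ", ".join(p for p in (geo.get("city"), geo.get("country")) if p)
        rows.append({
            "time": ev.get("published") or "",
            "user": (ev.get("actor") or {}).get("alternateId") or "unknown",
            "ip": client.get("ipAddress") or "unknown",
            "browser": ua.get("browser") or "unknown",
            "os": ua.get("os") or "unknown",
            "location": place or "unknown",
        })
    return sorted(rows, key=lambda r: r["time"])

def repeat_reporters(rows, threshold=2):
    """Users who filed at least `threshold` reports: candidates for priority review."""
    counts = Counter(r["user"] for r in rows)
    return {user: n for user, n in counts.items() if n >= threshold}
```
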