Preview release notes

May 2023

2023.05.0: Monthly Preview release began deployment on May 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.15.0

This version of the agent contains the following changes:

  • Bug fixes. Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.

See Okta Active Directory agent version history.

Okta On-Prem MFA agent, version 1.7.0

This version includes support for extended client session timeout. See Install the agent.

Confluence Authenticator, version 3.2.2

This release contains security fixes. See Okta Confluence Authenticator version history.

Okta Jira Authenticator, version 3.2.2

This release contains security fixes. See Okta Jira Authenticator Version History.

Multibrand customizations

Multibrand customizations allow customers to use one org to manage multiple brands and multiple custom domains. This drastically simplifies multi-tenant architectures where customers create multiple orgs to satisfy branding requirements. Multibrand customizations allow orgs to create up to three custom domains (more upon request), which can be mapped to multiple sign-in pages, multiple sets of emails, error pages, and multiple versions of the End-User Dashboard. See Branding.

Device assurance remediation instructions in the sign-in widget

When users try to access Okta-protected resources from devices that don’t meet device assurance policies, access is denied. To help users troubleshoot, you can now enable remediation messages in the Sign-In Widget. This helps users learn why they can’t access an app and how to fix the problem. The messages also include links to more troubleshooting instructions. See Add user help for device assurance.

New authenticator management functionality

Okta now enables you to manage which authenticators are allowed in your org for new enrollments, authentication enrollment policies, and user verification. You can view a list of all Okta-recognized authenticators, create authenticator groups, and use them in policies. This allows admins to have greater control over which authenticators may be used in their orgs and determine which users may access them in a granular way. See Configure the FIDO2 (WebAuthn) authenticator.

Flexible deny enrollment options for SSO and recovery scenarios

Admins now have the option to deny enrollment to any authenticator for both SSO and recovery scenarios. Previously, admins could only deny authenticator enrollment to users signing in with SSO. This enhancement gives granular control to admins when configuring authenticator enrollment policies for either scenario. See Configure an authentication enrollment policy rule.

Enhancement to the Remember Last-Used Factor feature

On the Sign-In Widget, if a user clicks Verify with something else and then selects a new authentication method, the Remember Last-Used Factor feature no longer retains the user's previously selected factor. This helps streamline the sign-in and authentication flow.

Unauthorized IdP setup options hidden

Two group-related options on the IdP configuration page were visible to admins in a custom role that lacked group viewing permissions: Auto-Link Restrictions in Authentication Settings and Group Assignments in JIT Settings. Now these settings are visible only when the user has the appropriate permissions.

More events eligible for hooks

The following System Log events are now eligible for event hooks:

  • group.application_assignment.add

  • group.application_assignment.remove

  • group.application_assignment.update

New legal disclaimer in Okta Trial accounts

A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.

Okta branding changes for the Admin Console

Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.

Additional measures to counter toll fraud

For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.

Early Access Features

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.

RADIUS sign-in error prevention

If orgs that upgraded from Classic Engine configure the Okta Verify authenticator with number challenge, the challenge may be presented unexpectedly to RADIUS users. This can cause errors because RADIUS doesn't support number challenges. To prevent this, you can enable the new feature Disable number matching challenge for RADIUS. See RADIUS applications in Okta.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the amount of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the amount of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.


  • OKTA-566113

    After changing the display language for an Okta org from English to another language, some text was still displayed in English.

  • OKTA-580684

    In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.

  • OKTA-587429

    Admins saw Okta FastPass listed in the GET /api/v1/users/{{userId}}/factors response for users who didn't enable the factor.

  • OKTA-595053

    Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.

  • OKTA-596444

    Users received an error message after successfully performing a self-service account unlock.

  • OKTA-596600

    For apps with Group Push enabled, the Application Push Groups tab displayed incorrect dates and times.

  • OKTA-597396

    Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.

  • OKTA-599408

    GMT timezones couldn't be selected correctly in the System Log.

  • OKTA-600867

    The Yubikey Reports page wasn't properly translated.

  • OKTA-600874

    When a user responded to a Custom Push prompt while attempting to edit their profile, the profile displayed in read-only mode. If the user tried to edit their profile again, an authentication loop occurred.

  • OKTA-603305

    On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.

  • OKTA-607249

    Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.


New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

Facebook at Work integration enhancement

Facebook at Work uses the Okta Expression Language to map the manager attribute. This allows admins to adjust how the manager attribute is stored in the user profile so they can choose between an id field or a name.

Smart Card IdP with Agentless DSSO

Okta can now be configured to allow users to use Agentless DSSO without being prompted when Smart Card IdP is configured.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your application requires immediate verification of the end user’s email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the application, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the application. See Customize email notifications and the Okta email (magic link/OTP) integration guide.

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the application's assurance policy. After the assurance requirements are met, the user is signed directly in to the application. See Configure the Email authenticator.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Shareable Authentication Policies

Admins can now manage authentication policies using a centralized view. While authentication policies allowed admins the ability to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications became challenging and error-prone. On the new Authentication Policies page, admins can create new policies, apply those policies to multiple applications, and assess what application access decisions are impacted by each policy. Two policy name changes are included in this release: app sign-on policy is renamed authentication policy, and Okta sign-on policy is renamed Global Session Policy. See Authentication policies.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.

User Verification options for admins

In the Admin Console, admins can now configure whether end users are required to provide biometrics for device enrollment. See Enable Okta FastPass

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replaces tabs.

Okta End-User Dashboard redesign

Okta End-User Dashboard redesign

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.

Workflows Templates available

Workflows Templates is now available, providing users with access to a searchable catalog of installable Flows that address many common use cases. See Get started with Workflows Templates.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

See Enable access to managed mobile apps

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision applications.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available. For more information, see Manage Early Access features.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.