Okta Identity Engine release notes (Production)

Manage agents permission granted to certain roles

Custom admin roles with the View application and their details permission now have the View agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.

New System Log event for AD agent changes

The System Log event system.agent.ad.config.change.detected reports when Okta support modified an AD agent configuration.

Express Configuration supports Universal Logout

Admins can now quickly integrate Universal Logout-enabled apps using Express Configuration. When Universal Logout is available for an Express Configuration app, a Configure SSO & UL button appears on the configuration page. See Add an app with Express Configuration.

Custom domains and certificates

Okta now supports the use of SHA 384 and SHA 512 signed certificates for custom domains. See Configure a custom domain.

Sign-In Widget, version 7.36.3

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Partner Admin Portal App Switcher

In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.

Okta Active Directory agent, version 3.22.0

This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.

Remember last-used authenticator: Okta FastPass

Okta now remembers FastPass as the last-used authenticator when users click "Sign in with Okta FastPass" on the Sign-In Widget.

Simplified Windows Autopilot integration

You can use Okta to secure and streamline the Windows Autopilot flow on end-user devices. You can add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that every new device is provisioned by the right user. See Typical workflow for using Okta with Windows Autopilot.

ITP landing page

Previously, Identity Threat Protection with Okta AI (ITP) information and controls were nested across various pages of the Admin Console. All of your ITP insights and controls are now consolidated on the Security tab in the Admin Console. This unified view saves you time and enables faster action by allowing you to investigate data and configure a response, all in a single place. See Identity Threat Protection with Okta AI.

Inline FastPass enrollment on multiple devices

Users can complete inline enrollment of Okta Verify when they have already enrolled in Okta Verify on a different device platform using a different method.

Network restrictions for OIDC token endpoints is GA in Production

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Changes to the Okta Sign-In Widget UI

The Okta Sign-In Widget (first and second generation) now uses the native Select component for dropdown elements. These UI elements have a new appearance, and the dropdown search functionality is no longer available.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Temporary Access Code authenticator

The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.

Automatically select Okta Verify and custom push methods

Okta now automatically selects Okta Verify (OV) and custom push methods when they are the only options that meet assurance requirements. Previously, in some scenarios, users had to manually select these methods. This update eliminates that extra step.

Enrollment grace periods

Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.

Enhanced security for Okta Access Requests web app

The Okta Access Requests web app now performs policy evaluations before granting new access tokens.

Changes to access request notifications

To ensure conversations are displayed consistently across platforms, messages sent within an access request from the web app now automatically appear for the message sender in the corresponding Slack or Microsoft Teams thread. This reduces confusion for the message sender around the messages associated that are with a request.

Okta Provisioning agent, version 3.0.4

Okta Provisioning agent 3.0.4 is now available. This release contains bug fixes and minor improvements.

Simplified Windows Installer for Okta Provisioning agent

The Windows Installer UI for the Okta Provisioning agent has been simplified. The environment selection dropdown list has been removed to support a wider range of Okta environments.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

• iOS 18.7.1
• iOS 26.0.1
• macOS Sonoma 14.8.1
• macOS Sequoia 15.7.1
• macOS Tahoe 26.0.1

Detections added to entity risk policy

New detections have been added to the entity risk policy.

• Suspicious Login From An IP Flagged By FastPass: Indicates a sign-in event occurred from an IP address that Okta FastPass flagged in a phishing event.

• Suspicious Login From An IP Flagged In A Credential Based Attack: Indicates a successful sign-in event occurred from an IP address where multiple sign-in failures also occurred.

• Breached Credentials Detected: Indicates that a username-password combination in your org appears in a third-party list of public data breaches.

See Detection settings for entity risk policy.

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

Trace ID added to event

A traceId has been added to the security.breached_credential.detected System Log event so that you can easily query and link ITP events like user.risk.detect and ERP events in system logs.

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

New VPN service for enhanced dynamic zones

The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. This update strictly enforces that admins must have explicit Create user permissions for a specific group to perform this action. See Permission conditions.

User status in Okta Expression Language

You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.

SharePoint On-Premises integration supports SHA-256

SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.

Group Push Linking for Microsoft Office 365

The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.

This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.

Supporting additional attributes in O365's Universal Sync provisioning

To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.

• onPremisesSamAccountName
• onPremisesDomainName
• onPremisesUserPrincipalName
• PreferredDataLocation

Changes to the Session Protection Violation report

A filter has been added to the Session Protection Violation report that allows filtering on risk level (LOW, MEDIUM, HIGH). Also, the Session Context Change count has been removed from the report.

Okta Integration IdP type

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration identity provider.

Custom admin roles for ITP

Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.