Okta Identity Engine release notes (Preview)

Generally Available

Version: 2026.07.0

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, and 16 (security patch 2026-01-05)

Spec-compliant client ID claims for AI agent tokens

Okta Expression Language profiles now include the app.clientId property during user claim evaluations for AI agent OAuth 2.0 clients. This allows developers to generate spec-compliant tokens during AI agent flows.

OAuth secure token exchange for Salesforce requests

Okta for AI Agents now uses the OAuth 2.0 secure token exchange flow when it sends requests to the Salesforce app integration, resource server, or MCP server.

AI agent events are now event-hook eligible

The AI agent and AI agent provider events are now event-hook eligible, enabling Workflows to be triggered based on events. See Event hooks.

Provisioning for Rapid7 InsightAppSec

Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.

Admin OIDC App Phase Two Tranch One

When the Admin OIDC App Phase Two Tranch One feature is enabled, the Okta Admin Console automatically initiates the OIDC sign-in flow on page load, and admins are briefly redirected to the authentication page before the requested page appears.

Unique client authorization settings required for OIN apps

When you enter client authorization details for an app integration, an error now appears if another integration already uses those details.

New protocol runtime for Amazon Bedrock AgentCore AI agents

You can now import both standard HTTP and agent-to-agent protocol runtimes from the Amazon Bedrock AgentCore platform.

MCP servers active by default

Newly created MCP servers are now in an active state by default. See Add MCP servers.

AI agent admin role

Super admins can now delegate AI agent management tasks using the new AI agent admin role. Admins with this role can perform tasks like registering AI agents, assigning owners, and configuring resource connections. See Manage Okta for AI Agents admin roles.

Date range filter for AI agents

The AI Agents page now provides a date range filter so admins can filter AI agents by when they were created or updated.

Import AI agents from Google Vertex AI

You can now import and manage AI agents built in Google Vertex AI directly through Okta. See Configure Google Vertex AI for AI agent imports.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 17 (2026-06-01)
  • Windows 10 builds (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417)
  • Windows 11 builds (10.0.22631.7219, 10.0.26100.8655, 10.0.26200.8655)

Removal of search filters from the Inbox page

The Requester type and Follower options have been removed from Filters on the Inbox page of the Okta Access Requests web app to improve performance.

Okta for AI Agents UI updates

The AI agents page now provides Owner and Platform filters. Also, the AI agent providers page now has a Registered AI agents column that displays the number of AI agents registered from each provider.

Suspicious Login Using A Sprayed Password

This detection indicates that a user's password has been identified in a password spray campaign and used to successfully sign in. The detection enables ITP to trigger configured remediation actions such as Universal Logout or password reset through a workflow. See Suspicious login using a sprayed password.

This feature is following a slow rollout process.

New VPN service for enhanced dynamic zones

VIGOR_SSL_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP categories.

AI agents admin role help link

On the Administrators > Roles tab, the AI agents admin role now has a help link. 

Strong cipher enforcement for X.509 client certificate authentication

Okta now enforces strong cryptographic ciphers for X.509 client certificates used in mTLS authentication. Client certificates that rely on weak cryptography, such as RSA-1024 keys, are no longer accepted for new orgs. If you use X.509 certificate-based authentication, ensure that your client certificates meet FIPS 140-2 cipher requirements.

Customizable emails for Passkeys (FIDO2 WebAuthn) authenticator

The email that users receive when the admin configures a Passkeys (FIDO2 WebAuthn) authenticator is now available as a customizable template in Customizations > Brands > Emails. Admins can modify the subject line, email body, and dynamic variables such as the PIN, first name, and org name, and can add content in multiple languages. 

Email auto-enrollment and recovery management

Admins can control the automatic enrollment of email as an authenticator and configure email-based password recovery, unlock, and change where email is not an authenticator. See Make email an optional authenticator.

Advanced posture checks for device assurance

Advanced posture checks let admins configure specific device security conditions beyond what standard device assurance policies support. Using osquery, you can write custom SQL queries to assess device state on macOS and Windows devices, configure checks for unmanaged devices, and integrate with endpoint detection and response (EDR) tools. See Configure advanced posture checks for device assurance.

Update group rule assignments

Admins can now update the groups assigned to a group rule without deleting and recreating the rule. This streamlines the management of group memberships and rule conditions. See Edit group rules.

Improved MFA enrollment policy validator

Orgs that have no self-initiated user.account.update_password syslog events over the last 30 days are now excluded from the MFA enrollment policy validator warning triggered during the Okta Identity Engine upgrade, making it easier to upgrade.

Import unlicensed users from Azure Active Directory to Okta

You can now import users from Microsoft Azure Active Directory (AAD) who don't have an assigned Office 365 license. This allows admins to centralize their workforce lifecycle within Okta and eliminates the need to manage unlicensed accounts across both platforms. See Import users to Office 365 using Microsoft Graph API.

Group push support in API Integration Actions apps

Apps that use API Integration Actions to perform provisioning can now use the Group Push feature. This enables the group import functionality for apps that use group API contracts in their provisioning actions.

ITP detections for AMFA orgs

Adaptive MFA orgs now benefit from ITP detections on sessions and entity users when those detections involve directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Identity Threat Protection events in System Log.

This feature is now available to Okta for US Military customers.

On-demand rotation of Office 365 SSO signing certificates

Office 365 app integrations that use WS-Federation for authentication now support the use of app-level certificates. Switching from org-level certificates to app-level certificates improves your security outcomes by eliminating a single point of failure if a shared org-level certificate expires. UI updates enable IT admins to easily monitor certificate status, generate certificates on demand, and perform certificate rotations without disrupting operations. See Configure Single Sign-On for Office 365.

Direct End-User Settings access

Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.

Early Access

Agent-to-agent connections

Agent-to-agent server connections allow admins to connect AI agents to other AI agents. Admins can manage scopes to restrict access to the appropriate AI agent tasks, and allow service apps to call AI agents without user context. Using tokens and the System Log, admins can view all the users, AI agents, and apps that call an AI agent. See Agent-to-agent connections.

Removal of Cross App Access as a self-service feature

You can no longer enable or disable the Cross App Access feature from the Early Access section of the Settings > Features page in the Admin Console. To change the availability of this feature for your org, contact Okta Support. If you have an Integrator Free Plan org, contact Developer Support instead. This change doesn't impact any existing configurations.

Passkey metrics tracking

This enhancement provides additional tracking capabilities and reporting tools to gain more visibility into passkey performance. This helps admins monitor passwordless adoption and usage trends across their orgs.

Auditor mode for admin role assignments

A new Auditor (Read-Only) mode allows super admins to apply a read-only restriction to any individual or group admin assignment. This setting restricts admins to read-only access across the Admin Console and Okta APIs, except for Okta first-party apps. This feature provides auditors with system visibility while maintaining security transparency. See Auditor read-only mode.

Fixes

  • On the End-User Settings page in orgs with language localization, the non-breaking space before the colon in error messages was missing. (OKTA-1113766)

  • An Okta Verify error prevented some users from signing in to orgs that had the Advanced Posture Check feature enabled. The error wasn't recorded in the System Log. (OKTA-1120412)

  • The Access Testing Tool incorrectly reported that user sign-in events were denied by a global session policy network zone rule, even though the tested IP address was in the allowed zone. (OKTA-1130892)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

  • The text size of the Okta Verify number challenge on the Sign-In Widget was too small. (OKTA-1140583)

  • The Okta logo in My Settings had inaccurate alt text. (OKTA-1164454)

  • In My Settings, the Support section heading had an incorrect heading level. (OKTA-1164459)

  • In My Settings, the Recent Activity drawer didn't resize at narrow viewport widths, which made the close button inaccessible without a trackpad or scrollbar. (OKTA-1164494)

  • Users with only a password enrolled in a deferred enrollment policy received an error when they attempted to access apps that required a second authentication factor. (OKTA-1174736)

  • The Sign-In Widget (second generation) failed to load when an app requested scopes where one scope name was a prefix of another. (OKTA-1174752)

  • Admins could delete custom authorization servers that were used in AI agent resource connections. (OKTA-1182513)

  • The DirSync readiness warning banner on the Integration Agents dashboard displayed outdated status information. (OKTA-1185146)

  • In the Access Testing Tool, admins saw an error message in the Enrolled in authenticators results when they tested the access of users with enrolled smart card authenticators. (OKTA-1186554)

  • During evaluation of Okta Expression Language version 3 rules, the contains function failed to evaluate custom integer or number array attributes. (OKTA-1194797)

  • If admins modified a read-only profile attribute after a user began editing their profile, users saw an error message when they tried to save changes to their profile. (OKTA-1201181)

  • When a user enrolled multiple factors in Okta Verify, the active grace period counter incorrectly incremented per factor rather than per authenticator. (OKTA-1209603)

  • When users clicked the add button multiple times in the Add apps dialog, the dialog froze and users couldn't close it or select Done until they refreshed the page. (OKTA-1211432)

Okta Integration Network

  • SAP LeanIX - SaaS Discovery (API Service) was updated.

  • Camino (OIDC) is now available. Learn more.

  • Camino (SAML) is now available. Learn more.

  • Rubrik Security Cloud (API Service) was updated.

  • Vercel (SAML) is now available. Learn more.

  • Zoom (OIDC) is now available. Learn more.

  • Commvault (API service) is now available. Learn more.

  • Camino (SCIM) is now available. Learn more.

Preview org features

Bot protection

Bot protection enables orgs to automatically identify and mitigate bot traffic by configuring remediation actions within the Identity Threat Protection (ITP) landing page. See Bot protection.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps. This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
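The flow described above, as an added example that is not part of the original release notes: an in-memory simulation of the OAuth 2.0 device authorization grant (RFC 8628), showing the constrained device requesting a device code and user code, the user approving on a secondary device, and the device polling the token endpoint while handling authorization_pending, slow_down and expired_token. The server class, the fake clock, the verification URI, and the sample client and user names are constructed for illustration and are not Okta's implementation.

```python
import secrets

# Added, constructed stand-in for the RFC 8628 device authorization grant; not Okta's implementation.
class FakeClock:                      # deterministic clock so the poll/back-off loop runs offline
    def __init__(self, start=1000.0): self.t = start
    def __call__(self): return self.t
    def sleep(self, seconds): self.t += seconds   # the device "waits" by advancing time

class DeviceAuthServer:               # authorization server: device_authorization + token endpoints
    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime, self.pending, self.by_user_code = clock, interval, lifetime, {}, {}
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))   # e.g. "A1B2-C3D4"
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "approved": False,
                                     "expires": self.clock() + self.lifetime, "last_poll": 0.0}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.lifetime,
                "interval": self.interval, "verification_uri": "https://example.invalid/activate"}  # placeholder
    def approve(self, user_code, user):   # the user types the code on a phone or laptop and signs in
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec: rec.update(approved=True, user=user)
        return rec is not None
    def token(self, device_code, client_id):
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id: return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires"]:
            self.pending.pop(device_code)
            return {"error": "expired_token"}
        throttled, rec["last_poll"] = now - rec["last_poll"] < self.interval, now
        if throttled: return {"error": "slow_down"}                # polled faster than "interval"
        if not rec["approved"]: return {"error": "authorization_pending"}
        self.pending.pop(device_code)                              # device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["user"]}

def device_sign_in(server, client_id, scope, sleep, on_poll, max_polls=10):  # the constrained device
    grant = server.device_authorization(client_id, scope)         # step 1: obtain device + user code
    interval, errors = grant["interval"], []
    for n in range(max_polls):                                     # step 2: display code, poll token endpoint
        on_poll(n, grant["user_code"])      # scenario hook: decides when the user approves elsewhere
        resp = server.token(grant["device_code"], client_id)
        if "access_token" in resp: return resp, errors
        errors.append(resp["error"])
        if resp["error"] == "slow_down": interval += 5             # RFC 8628 3.5: back off by 5 s
        elif resp["error"] != "authorization_pending": break       # expired/denied: stop polling
        sleep(interval)
    return None, errors

def run_demo():                          # user approves on a secondary device at the third poll
    clock = FakeClock()
    server = DeviceAuthServer(clock)
    on_poll = lambda n, code: n == 2 and server.approve(code, "alice@example.com")  # constructed user
    return device_sign_in(server, "tv-app", "openid profile", clock.sleep, on_poll)
```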