Okta Identity Engine release notes (Preview)
Version: 2026.03.0
March 2026
Generally Available
Okta On-prem SCIM Server agent, version 1.7.0
Okta On-prem SCIM Server agent 1.7.0 is available. This release adds support for IBM DB2 LUW to the On-premises Connector for Generic Databases.
Provisioning for Artifactory
Provisioning is now available for the Artifactory app integration. When you provision the app, you can enable security features like Entitlement Management. See Artifactory.
Provisioning for Twilio
Admins can now automate user lifecycle management for the Twilio app. This integration uses OAuth-based authentication to support user provisioning, profile updates, and deactivation directly from Okta.
Improved error handling for group membership searches
When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.
Enable custom admin permissions for inline and event hooks
The inline and event hook framework now supports read and write permissions for custom admin roles. Fine-grained access to manage inline and event hooks previously required the super admin role. See Role permissions.
Policy Insights Dashboard
The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in successful sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.
Rate limits for ITP events
The session.context.change event in ITP now has org-level and session-level rate limits.
Yammer rebranded to Microsoft Viva
The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.
Network zone residential proxy detection
This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.
Early Access
Improved DirSync-based imports
Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.
Self-Service for Enhanced Disaster Recovery
When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.
Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.
With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.
Fixes
- You couldn't search for and select users with Provisioned, Active, Recovery, Password Expired, or Locked out status when assigning a step in an approval sequence and in request types. (OKTA-944822)
- Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)
- Some users couldn't upload valid YubiKey seed files. (OKTA-1078087)
- Some users saw a Failed to fetch error message on the Sign-In Widget when they tried to reset their password using email. (OKTA-1083742)
- In some orgs, users who authenticated on a shared device could be signed in as a previous user. (OKTA-1100263)
- The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)
- The Access Testing Tool incorrectly evaluated authentication policy rules for Android devices with Device Assurance. (OKTA-1111439)
- When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)
- Bot detection events were logged for standard Admin/Management API calls when the Sign-In Widget wasn't involved. (OKTA-1113990)
- Sometimes users on mobile devices saw a legacy authentication flow instead of the expected interface when they attempted to authenticate without Okta Verify installed. (OKTA-1115306)
- In some preview orgs, admins didn't see the Security > Authentication Policies page. (OKTA-1119757)
- Some orgs couldn't send email through their custom SMTP. (OKTA-1124146)
Okta Integration Network
- Guardare (SAML) is now available. Learn more.
- Valence Remediation (API) is now available. Learn more.
- Cato Networks Provisioning now supports user imports and updates.
- PerimeterX now supports SAML.
- PerimeterX now supports SCIM.
- Druva Data Security Cloud (API Service) now has the okta.clients.read scope.
- Natoma has a new app icon.
- Adobe Creative (SWA) was updated.
- Adobe Fonts (SWA) was updated.
Weekly Updates
2026.03.1: Update 1 started deployment on March 12
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 14, 15, 16 security patch 2026-03-01
- iOS 18.7.6
- iOS 26.3.1
- macOS 26.3.1
To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.
Device assurance OS version update
Windows 11 (26H1) isn't a supported release under Device Assurance policies. This is a special release only for select new devices.
Provisioning for Jamf Pro Admin Console
Provisioning is now available for the Jamf Pro Admin Console app integration. When you provision the app, you can enable security features like Entitlement Management. See Jamf Pro Admin Console.
Fixes
- An error occurred when an admin attempted to add a duplicate SWA integration. (OKTA-600590)
- Authentication policy rules with user type conditions weren't evaluated when users initiated a Native to Web SSO flow using an interclient token. (OKTA-1103810)
- When DirSync was enabled, AD incremental imports removed group description values in Okta. (OKTA-1108167)
- When an admin integrated an app through the API, some of the custom SSO properties didn't populate on the integration page. (OKTA-1109692)
- The Add Resource dialog couldn't load more users or groups if the search term included special characters. (OKTA-1114749)
- When an admin pressed the Enter key to select a recent spotlight search result, the search field disappeared. (OKTA-1115374)
- The Microsoft Teams app integration incorrectly redirected users to an outdated URL during the Secure Web Authentication (SWA) flow. (OKTA-1117744)
- The mandatory SSO configuration check for testing information was incorrectly bypassed for all SSO submissions. (OKTA-1119127)
- Workflows admins couldn't edit their admin email notifications. (OKTA-1119296)
- When admins provisioned users, incremental synchronizations for permission sets failed. The connector pushed duplicate permission set assignments, which resulted in errors for sets already assigned to the user. (OKTA-1121168)
- Admins could initiate temporary password resets for users sourced from Okta, Active Directory (AD), or LDAP, bypassing the password policy that disabled self-service password reset. (OKTA-1122913)
- The Sign-In Widget didn't load the bot protection enforcement challenge required on some endpoints, leading to an incorrect user redirect to a 403 page. (OKTA-1125106)
Okta Integration Network
- CyberProof Threat Exposure Management Platform (API integration) is now available. Learn more.
- Google Cloud Workforce Identity Federation (SAML) is now available. Learn more.
- Google Cloud Workforce Identity Federation (SCIM) is now available. Learn more.
- Sensor Tower (SAML) is now available. Learn more.
- YakChat (OIDC) is now available. Learn more.
- Google Cloud Workforce Identity Federation (OIDC) has a new Redirect URI. Learn more.
- JetBrains (SWA) was updated.
Preview Features
Policy Insights Dashboard
The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in successful sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.
Detection settings in session protection
Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy re-evaluations, helping you focus only on what truly matters. See Session protection.
New System Log objects for security.request.blocked events
The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:
- Operator: indicates whether the type is VPN or Proxy
- Type: includes values like VPN, Proxy, and Tor
- IsAnonymous: indicates if the proxy is anonymous
These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.
Maximum consecutive characters setting for passwords
You can now set a maximum number of consecutive repeating characters in passwords. This feature enhances security by allowing you to customize your password strength requirements.
Block words from being used in passwords
You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.
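As an added illustration (not Okta's code) of the two password controls above, a small checker that flags runs of repeated characters over a configured limit and the presence of blocked words; case-insensitive substring matching is an assumption, since the page doesn't say how blocked words are matched:

```python
"""Illustration of the two password-policy controls described above: a cap on consecutive
repeating characters and a blocked-word list. Constructed example; not Okta's implementation,
and the substring-based word matching is an assumption about how blocking is applied."""


def longest_repeat_run(password):
    """Length of the longest run of one character repeated consecutively (0 for empty input)."""
    longest = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def password_violations(password, max_consecutive, blocked_words):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    run = longest_repeat_run(password)
    if run > max_consecutive:
        violations.append(f"{run} consecutive repeating characters (limit {max_consecutive})")
    lowered = password.lower()
    for word in blocked_words:
        if word.lower() in lowered:  # case-insensitive substring match (assumption)
            violations.append(f"contains blocked word '{word}'")
    return violations


if __name__ == "__main__":
    for candidate in ("Correct-Horse-42", "Aaaaa-Okta1"):
        print(candidate, password_violations(candidate, 3, ["okta", "password"]) or "ok")
```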
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
Network zone residential proxy detection
This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.
Same-device enrollment for Okta FastPass
On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps.
This feature is supported on Android, iOS, and macOS devices.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Direct End-User Settings access
Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints.
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
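The grant described above, as an added example that is not Okta's code or API: an in-memory authorization server and a browserless device exchange the device_code and user_code and the device polls for a token on a simulated clock. The verification URI, scope, code formats and timings are constructed values.

```python
"""Simulated OAuth 2.0 Device Authorization grant (RFC 8628) with both sides, a browserless
device and an authorization server. Constructed, clock-simulated example; not Okta's code or API."""
import secrets


class AuthorizationServer:
    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime, self.pending = interval, lifetime, {}

    def device_authorize(self, scope, now):
        """Device's first request: returns the codes the user enters on a second device."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}".upper()  # e.g. A1B2-C3D4
        self.pending[device_code] = {"user_code": user_code, "scope": scope,
                                     "approved": False, "expires": now + self.lifetime}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://idp.example/activate", "expires_in": self.lifetime}

    def user_approves(self, user_code, now):
        """User, already signed in on a laptop or phone, types the user_code shown by the device."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and now <= rec["expires"]:
                rec["approved"] = True
                return True
        return False

    def token(self, device_code, now):
        """Device polls the token endpoint; error codes follow RFC 8628 section 3.5."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}  # user never approved within the lifetime
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": rec["scope"]}


def device_flow(server, user_acts_at):
    """Device side: get codes, show them, poll each interval; the user enters user_code at user_acts_at s."""
    now, codes = 0.0, server.device_authorize("openid profile", 0.0)
    print(f"On another device open {codes['verification_uri']} and enter {codes['user_code']}")
    while True:  # the server answers expired_token once the lifetime has passed, so this terminates
        now += codes["interval"]
        if now >= user_acts_at:
            server.user_approves(codes["user_code"], now)
        resp = server.token(codes["device_code"], now)
        if "access_token" in resp or resp["error"] != "authorization_pending":
            return resp
```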
