Elevate or lower an entity risk level

Your Entity risk policy configurations determine what actions Identity Threat Protection with Okta AI should take when it identifies a risk. These actions are automatic and don't require any action from an admin. However, you may want to take manual actions in response to a security threat.

Elevate an entity risk level

You can manually elevate a low or medium entity risk level to high.

  1. In the Admin Console, go to DirectoryPeople.
  2. Select a user from the People & username column.
  3. Click More actions, and then click Elevate Risk Level. The Elevate entity risk level dialog opens.
  4. Click Yes, elevate risk level.

When you manually elevate a user's risk level, the user.risk.detect event appears in the System Log.

Lower an entity risk level

Okta changes the entity risk level to Low when the entity risk policy or the Clear user sessions action triggers Universal Logout and terminates the Okta Identity Provider session. See Universal Logout revocations for information on which artifacts are revoked.

You can manually lower a high entity risk level to low by ending a user session or using the public API.

End a user session

You can manually revoke a user's IdP sessions and refresh tokens by clearing their sessions.

  1. In the Admin Console, go to DirectoryPeople.
  2. Select a user from the People & username column.
  3. Click More Actions, and then select Clear user sessions. The Clear sessions and revoke tokens dialog opens.
  4. Select Clear active sessions for apps with logout enabled to invoke Universal Logout for the user.

    If you don't select this checkbox, Okta clears all active Identity Provider sessions and revokes the OpenID Connect and OAuth refresh and access tokens that were issued to the user. The user must then authenticate the next time they sign in.

  5. Click Clear and revoke.

Use the public API

Change the user risk object for a user ID. See Upsert the user's risk.

Related topics

Deactivate and delete user accounts

Suspend and unsuspend users

View System Log events for Identity Threat Protection