Universal Logout

Universal Logout lets you terminate users’ sessions and their tokens for supported apps when Identity Threat Protection identifies a change in risk.

A user session is the time during which a user is authenticated and authorized to access apps secured by Okta. An app session is a session that an app generates to allow a user to access the app’s resources.

You can add Universal Logout actions as a response to Post Auth Session and Entity risk policy evaluations. See Post auth session evaluation and Entity risk policy. You can also manually end a user session from the user risk profile. See End a user session.

Supported apps

The following apps support Universal Logout.

Okta apps

  • Admin Console
  • End-User Dashboard
  • End-User Settings

Third-party apps

  • Box
  • Dropbox for Business
  • Google Workspace and Google Cloud Platform: These apps share an identity stack. If a user has access to both of these apps, they’re signed out of both apps when Universal Logout is triggered in Google Workspace.
  • Microsoft 365, Defender for Cloud Apps, Defender for Endpoint, Defender for Office 365, and Azure Portal: These apps share an identity stack and only provide a partial Universal Logout. Universal Logout only revokes their refresh tokens. User sessions aren’t terminated until the user’s existing access tokens expire or the user signs out. The token expiration timeout is different for each app. See Revoke user access in Microsoft Entra ID.
  • PagerDuty
  • Salesforce
  • Slack: You can only enable Universal Logout for Slack Enterprise’s Slack account.
  • Zendesk
  • Zoom
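
The partial Universal Logout described above for the Microsoft apps leaves a window in which existing access tokens still work. The following added example (not Okta's code) labels post-logout activity for triage; the record shapes, timestamps, token lifetimes and function names are constructed assumptions, and events are assumed to come from sessions that existed before the logout.

```python
from datetime import datetime, timedelta, timezone

# Apps the page lists as partial: only their refresh tokens are revoked.
PARTIAL_APPS = {
    "Microsoft 365", "Defender for Cloud Apps", "Defender for Endpoint",
    "Defender for Office 365", "Azure Portal",
}

def residual_window(app, logout_at, access_token_exp):
    """How long a pre-existing access token stays usable after the logout."""
    if app not in PARTIAL_APPS:
        return timedelta(0)  # session and tokens are terminated
    return max(access_token_exp - logout_at, timedelta(0))

def classify(app, logout_at, access_token_exp, event_at):
    """Label one activity event from a session that predates the logout."""
    if event_at <= logout_at:
        return "before_logout"
    if event_at < logout_at + residual_window(app, logout_at, access_token_exp):
        return "residual_access"  # expected until the access token expires
    return "investigate"  # the pre-logout session should no longer work

def triage(logout_at, token_exp_by_app, events):
    """events: iterable of (app, event_time). Returns (app, label) pairs."""
    return [(app, classify(app, logout_at, token_exp_by_app[app], at))
            for app, at in events]

# Constructed sample data (hypothetical record shapes and lifetimes).
LOGOUT_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TOKEN_EXP = {
    "Microsoft 365": LOGOUT_AT + timedelta(minutes=40),
    "Slack": LOGOUT_AT + timedelta(minutes=40),
}
EVENTS = [
    ("Microsoft 365", LOGOUT_AT - timedelta(minutes=5)),
    ("Microsoft 365", LOGOUT_AT + timedelta(minutes=10)),
    ("Microsoft 365", LOGOUT_AT + timedelta(minutes=55)),
    ("Slack", LOGOUT_AT + timedelta(minutes=10)),
]

if __name__ == "__main__":
    for app, label in triage(LOGOUT_AT, TOKEN_EXP, EVENTS):
        print(f"{app}: {label}")
```

An "investigate" label marks activity that the logout should have stopped for that session; it still needs to be checked against a fresh sign-in before being treated as an incident.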

Unsupported Okta apps

Universal Logout isn't available for the following Okta applications:

  • Access Gateway
  • Access Requests
  • End-User Plugins
  • Identity Governance
  • Privileged Access
  • Workflows
