Okta Identity Engine release notes (Preview)
Version: 2026.04.0
April 2026
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2026-01-05
CSV report of AD migration progress now available
You can now download a CSV report to view the password migration of specific users. This report provides a detailed breakdown of each user's migration status, such as whether their password was successfully migrated or if a specific error occurred. See Monitor a password migration.
URL validation for custom identity verification (IDV)
Validation has been added to the URL fields in custom IDV configurations. This helps prevent malicious Distributed Denial-of-Service (DDoS) attacks based on Server-Side Request Forgery (SSRF).
Increase to the maximum access duration limit
When you create or edit access request conditions, you can now set the Access duration field to a maximum of 365 days or 52 weeks.
Skip counts for authenticator enrollment grace periods
This feature allows admins to define the number of times end users can skip (defer) enrollment in an authenticator, and to customize the prompt that end users see during the grace period. See Authenticator enrollment policies.
Release controls for Okta Verify on Windows
With the new release controls feature, admins can configure whether to allow, pause, or restrict automatic updates to Okta Verify on Windows. This provides greater flexibility for meeting enterprise change management requirements and managing version rollouts across Windows endpoints. See Configure Okta Verify release controls.
Passkeys rebrand
The FIDO2 (WebAuthn) authenticator is being rebranded to Passkeys (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and provide users with a more intuitive sign-in process. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.
New Personal details page in My Settings
In My Settings, the Personal information page is now called Personal details, and the Display language page has been removed. Users now choose a display language on the Personal details page.
User password migration from AD to Okta
Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.
Early Access
Okta for AI Agents is self-service EA
Orgs that are subscribed to Okta for AI Agents can now enable the product from the Features page. You can use Okta for AI Agents to register, secure, and govern AI agent identities directly within Okta. See Manage AI agents.
New System Log events for Cross App Access connections
The following events are fired when you create, delete, or update a Cross App Access connection:
- app.cross_app_access.connection.create
- app.cross_app_access.connection.delete
- app.cross_app_access.connection.update
IBM Db2 LUW support for On-premises Connector for Generic Databases
The On-premises Connector for Generic Databases now supports IBM Db2 LUW. This enables admins to manage users and entitlements in IBM Db2 LUW environments. See On-premises Connector for Generic Databases.
Fixes
- Data was missing from the policy.rule.update System Log event. (OKTA-888091)
- Users couldn't complete authentication or proceed past the sign-in page when a policy rule required user verification but users hadn't yet enrolled in that factor type. (OKTA-914818)
- Apps created from the On-premises Connector for Generic Databases incorrectly appeared on the End-User Dashboard. Clicking the app resulted in an invalid redirect because the connector doesn't support SSO. (OKTA-1076893)
- When users tried to sign in with an unenrolled passkey, the Sign-In Widget (third generation) error page didn't display the Username and Keep me signed in fields. (OKTA-1093610)
- An incorrect error message was displayed when a Bidirectional Group Management issue occurred. (OKTA-1104305)
- Users received an error if they double tapped Sign in with a Passkey on Safari or Chrome browser on iOS. (OKTA-1107055)
- The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)
- The passkey icon wasn't displayed consistently on the Sign-In Widget when the Create passkeys setting was enabled. (OKTA-1109452)
- In some orgs, when users authenticated with an OIDC IdP, Okta deleted their account and made them a new one with a different user ID. (OKTA-1112671)
- When an admin deactivated a Group Push mapping rule, membership updates stopped for previously matched groups. (OKTA-1125151)
- When a DirSync import failed with a permission error, the agent was operational but had the Disruption label in the Admin Console. (OKTA-1128087)
- Some admins couldn't use the Send a test email feature with their custom email provider. (OKTA-1129589)
Okta Integration Network
- Dokio now supports an additional custom attribute.
- Reftab Discovery (API Service) now supports the Groups Read scope.
- ZoomInfo (SCIM) was updated.
Preview Features
Policy Insights Dashboard
The Policy Insights Dashboard gives you a clear view of a policy's impact on your org. You can monitor trends in successful sign-ins, access denials, and authenticator enrollments, and also gain insight into the time users spend signing in and the prevalence of phishing-resistant authentications. The dashboard also tracks the frequency of rule matches and the percentage of successful sign-in attempts. See Use the Policy Insights Dashboard.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
Network zone residential proxy detection
This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.
Same-device enrollment for Okta FastPass
On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:
- Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
- Users no longer need to enter their org URL during enrollment.
- The enrollment flow has fewer steps.
This feature is supported on Android, iOS, and macOS devices.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Direct End-User Settings access
Users may now access their Settings page through a direct URL in addition to the End-User Dashboard. This feature provides convenience and security for users, gives admins greater flexibility when working with End-User Dashboard access control scenarios, and includes accessibility and UX improvements. See End-User Settings.
End-user setting for nicknaming factors
End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints:
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
Improvements to the self-service unlock process
Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.
Improvements to the self-service registration experience
Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
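The exchange behind this grant type (OAuth 2.0 Device Authorization Grant, RFC 8628), shown with both sides as an added example; it is not Okta code and does not call Okta's API. The in-memory `AuthServer`, the `run_device` helper, the `idp.example` URI, and the simulated clock are all constructed for illustration.

```python
import secrets
GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant_type

class AuthServer:
    """Toy in-memory authorization server (constructed; not Okta's API)."""
    def __init__(self, expires_in=600, interval=5):
        self.expires_in, self.interval, self.pending = expires_in, interval, {}
    def device_authorization(self, client_id):
        device_code = secrets.token_urlsafe(32)   # high-entropy, stays on the device
        user_code = secrets.token_hex(4).upper()  # short, entered on the second device
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "approved": False, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/activate",  # placeholder
                "expires_in": self.expires_in, "interval": self.interval}
    def approve(self, user_code):
        # The user signs in on a laptop or phone and enters the user code.
        for state in self.pending.values():
            if state["user_code"] == user_code:
                state["approved"] = True
    def token(self, client_id, grant_type, device_code, now):
        state = self.pending.get(device_code)
        if grant_type != GRANT or state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= self.expires_in:                # clock starts at 0 when codes are issued
            del self.pending[device_code]
            return {"error": "expired_token"}
        too_fast = state["last_poll"] is not None and now - state["last_poll"] < self.interval
        state["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]             # device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_device(server, client_id, approve_at):
    """Device side: start the flow, then poll on a simulated clock (seconds)."""
    grant = server.device_authorization(client_id)
    interval, now, log = grant["interval"], 0, []
    while True:
        now += interval
        if now >= approve_at:
            server.approve(grant["user_code"])    # stands in for the user's approval
        resp = server.token(client_id, GRANT, grant["device_code"], now)
        log.append((now, resp.get("error", "token_issued")))
        if "access_token" in resp or resp["error"] not in ("authorization_pending", "slow_down"):
            return resp, log
        if resp["error"] == "slow_down":
            interval += 5                         # back off as RFC 8628 requires
```

The properties worth checking in any deployment are visible here: the device code is bound to the client that requested it, expires quickly, is rejected on reuse, and polling faster than the advertised interval is throttled.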
