Okta Identity Engine release notes (Preview)

Version: 2025.10.0

October 2025

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 18.7.1
  • iOS 26.0.1
  • macOS Sonoma 14.8.1
  • macOS Sequoia 15.7.1
  • macOS Tahoe 26.0.1

Detections added to entity risk policy

New detections have been added to the entity risk policy.

  • Suspicious Login From An IP Flagged By FastPass: Indicates a sign-in event occurred from an IP address that Okta FastPass flagged in a phishing event.

  • Suspicious Login From An IP Flagged In A Credential Based Attack: Indicates a successful sign-in event occurred from an IP address where multiple sign-in failures also occurred.

  • Breached Credentials Detected: Indicates that a username-password combination in your org appears in a third-party list of public data breaches.

See Detection settings for entity risk policy.

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

Trace ID added to event

A traceId has been added to the security.breached_credential.detected System Log event so that you can query the System Log and link related Identity Threat Protection (ITP) events, such as user.risk.detect, with the entity risk policy (ERP) events that respond to them.
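The linking this note describes, as an added example that is not Okta's code: a handful of constructed System Log entries are grouped by traceId and the chain that starts with a breached-credential detection is reported. Placing traceId under debugContext.debugData is this example's assumption about where the field lives; the note does not say.

```python
"""Link Identity Threat Protection events by traceId.

Added example, not Okta's code. The events are constructed samples trimmed to
the fields read here; traceId under debugContext.debugData is an assumption.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {"eventType": "security.breached_credential.detected",
     "published": "2025-10-02T09:14:03.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"traceId": "trace-001"}}},
    {"eventType": "user.risk.detect",
     "published": "2025-10-02T09:14:04.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"traceId": "trace-001", "riskLevel": "HIGH"}}},
    {"eventType": "user.risk.change",
     "published": "2025-10-02T09:14:05.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"traceId": "trace-001"}}},
    # Unrelated risk event from a different trace.
    {"eventType": "user.risk.detect",
     "published": "2025-10-02T09:20:00.000Z",
     "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"traceId": "trace-002", "riskLevel": "MEDIUM"}}},
    # Event without a traceId: it cannot be linked to anything.
    {"eventType": "user.session.start",
     "published": "2025-10-02T09:21:00.000Z",
     "actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {}}},
]


def trace_id(event):
    """Return the event's traceId, or None when the field is absent."""
    return event.get("debugContext", {}).get("debugData", {}).get("traceId")


def link_by_trace_id(events):
    """Group events that share a traceId, each group ordered by publication time."""
    chains = defaultdict(list)
    for event in events:
        tid = trace_id(event)
        if tid is not None:
            chains[tid].append(event)
    return {tid: sorted(evs, key=lambda e: e["published"]) for tid, evs in chains.items()}


def breached_credential_chains(events):
    """Map each traceId that begins with a breached-credential detection to the
    ordered event types that followed it (the risk detection, the ERP response)."""
    result = {}
    for tid, chain in link_by_trace_id(events).items():
        if chain[0]["eventType"] == "security.breached_credential.detected":
            result[tid] = [e["eventType"] for e in chain[1:]]
    return result


if __name__ == "__main__":
    for tid, followups in breached_credential_chains(SAMPLE_EVENTS).items():
        print(tid, "->", " -> ".join(followups))
```

Events that predate the change carry no traceId and drop out of the grouping, which is why `trace_id` returns None rather than raising.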

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

Simplified Windows Autopilot integration

You can use Okta to secure and streamline the Windows Autopilot flow on end-user devices. You can add a sign-on policy rule in Okta that requires MFA when enrolling a device through Windows Autopilot. This increases security without compromising the user experience and ensures that every new device is provisioned by the right user. See Typical workflow for using Okta with Windows Autopilot.

New VPN service for enhanced dynamic zones

SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.

ITP landing page

Previously, ITP information and controls were nested across various pages of the Admin Console. We have now brought all of your ITP insights and controls together onto one consolidated page under the Security tab in the Admin Console. This unified view saves you time and enables faster action by allowing you to investigate data and configure a response, all in a single place. See Identity Threat Protection with Okta AI.

Inline FastPass enrollment on multiple devices

Users can complete inline enrollment of Okta Verify when they have already enrolled in Okta Verify on a different device platform using a different method.

Changes to the Session Protection Violation report

A filter has been added to the Session Protection Violation report that allows filtering on risk level (LOW, MEDIUM, HIGH). Also, the Session Context Change count has been removed from the report.

Network restrictions for OIDC token endpoints are GA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Behavior Detections for new ASN

Admins could already create behavior detections for IP, Velocity, Location, or Device. Behavior detection is now also available for a new ASN (Autonomous System Number), derived from the IP address in the request tied to the event. See Add an ASN behavior.
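Two of the detections in these notes, the "Suspicious Login From An IP Flagged In A Credential Based Attack" entity risk detection above and the new ASN behavior here, reduce to simple stateful passes over sign-in events. The example below is added here and is not Okta's detection code: it runs both passes over constructed user.session.start events. The failure threshold and window are this example's choices, not Okta's.

```python
"""Two sign-in detections over System Log events.

Added example, not Okta's code. Events are constructed; FAILURE_THRESHOLD and
FAILURE_WINDOW are this example's parameters.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                 # failures from one IP before a success is suspicious
FAILURE_WINDOW = timedelta(minutes=30)


def signin(published, user, ip, asn, result):
    """Build a trimmed user.session.start event in System Log shape."""
    return {"eventType": "user.session.start", "published": published,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "securityContext": {"asNumber": asn}, "outcome": {"result": result}}


ATTACKER_IP, ATTACKER_ASN = "203.0.113.7", 64511
SAMPLE_EVENTS = [
    signin("2025-10-01T08:00:00.000Z", "alice@example.com", "198.51.100.10", 64500, "SUCCESS"),
    signin("2025-10-01T08:05:00.000Z", "alice@example.com", "198.51.100.10", 64500, "SUCCESS"),
] + [
    # Spray: one IP fails against six different accounts in six minutes.
    signin(f"2025-10-01T09:0{i}:00.000Z", f"user{i}@example.com", ATTACKER_IP, ATTACKER_ASN, "FAILURE")
    for i in range(6)
] + [
    # Then it succeeds against alice, from an ASN she has never used.
    signin("2025-10-01T09:06:00.000Z", "alice@example.com", ATTACKER_IP, ATTACKER_ASN, "SUCCESS"),
    # bob's first sign-in ever: no baseline yet, so no new-ASN behavior is reported.
    signin("2025-10-01T10:30:00.000Z", "bob@example.com", "192.0.2.5", 64496, "SUCCESS"),
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signins(events):
    return sorted((e for e in events if e["eventType"] == "user.session.start"),
                  key=lambda e: e["published"])


def detect_credential_attack_ips(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Flag a SUCCESS from an IP that accumulated >= threshold FAILUREs within
    `window` before it. Failures are counted per IP, not per user, because a
    spray spreads its failures across many accounts."""
    failures = defaultdict(deque)
    alerts = []
    for event in signins(events):
        ip, ts = event["client"]["ipAddress"], parse_ts(event["published"])
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event["outcome"]["result"] == "FAILURE":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"user": event["actor"]["alternateId"], "ip": ip,
                           "failures": len(recent), "published": event["published"]})
    return alerts


def detect_new_asn(events):
    """Flag a successful sign-in from an ASN the user has not used before.
    A user's very first success only seeds the baseline and is never flagged."""
    known = defaultdict(set)
    alerts = []
    for event in signins(events):
        if event["outcome"]["result"] != "SUCCESS":
            continue
        user, asn = event["actor"]["alternateId"], event["securityContext"]["asNumber"]
        if known[user] and asn not in known[user]:
            alerts.append({"user": user, "asn": asn, "ip": event["client"]["ipAddress"],
                           "published": event["published"]})
        known[user].add(asn)
    return alerts


if __name__ == "__main__":
    print("credential-attack IPs:", detect_credential_attack_ips(SAMPLE_EVENTS))
    print("new ASN behaviors:", detect_new_asn(SAMPLE_EVENTS))
```

The two passes flag the same 09:06 sign-in for different reasons: the IP had just produced six failures, and ASN 64511 is new for alice. An IP-based detection alone would miss a low-and-slow attacker who spaces failures outside the window; the ASN baseline is what catches that case.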

Temporary Access Code authenticator

The Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators. See Configure the temporary access code authenticator.

Automatically select Okta Verify and custom push methods

Okta now automatically selects Okta Verify (OV) and custom push methods when they are the only options that meet assurance requirements. Previously, in some scenarios, users had to manually select these methods. This update eliminates that extra step.

Enrollment grace periods

Previously, when admins defined an enrollment policy for a group, the entire group had to enroll immediately, which could be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies.

Enhanced device assurance with Android Device Trust

Android Device Trust integration for Device Assurance enhances Okta's capability to evaluate and enforce security measures on Android devices. It introduces additional security settings such as checks for Play Integrity status and Wi-Fi security. This integration strengthens device compliance while eliminating the need for Mobile Device Management (MDM), providing orgs with increased flexibility in securing their Android endpoints. See Integrate Okta with Android Device Trust.

Early Access

User password migration from AD to Okta

Seamlessly migrate user passwords from AD to Okta without disrupting your users or operations. This establishes Okta as the source of truth for user passwords, enabling it to handle user authentication and eliminating the need for delegated authentication. See Password migration from AD to Okta.

Protected action support for device signal collection policies

Okta prompts for step-up authentication when admins make changes to device signal collection policies in the Admin Console. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

Fixes

  • Users found accessibility issues in the Sign-In Widget (third generation) error messages, SVG icons, and the show/hide password toggle. (OKTA-867363)

  • Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)

  • Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)

  • Some users saw a Conflicting App User IDs specified on state token error message when they tried to sign in to an OIDC app using the embedded Okta Sign-In Widget. (OKTA-992348)

  • SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)

  • If the "End-user remediation for management attestation" feature was enabled and an admin had also configured a custom access denied error message, users were shown the custom error message instead of the remediation steps in the Okta Sign-In Widget. (OKTA-1008850)

  • In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)

  • When an OIDC app had an authentication policy with a rule that includes device assurance through a Chrome device trust connector, users received an error when accessing the app through a sign-in URL configured with prompt=none. (OKTA-1016620)

  • In orgs with the Custom Password Policy Restrictions early access feature enabled, some admins saw an incorrect error message when they selected Use an OEL statement to block restricted content and entered an expression. (OKTA-1027968)

  • In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)

  • In orgs with the Custom Password Policy Restrictions early access feature enabled, some admins saw an Internal Server Error message when they tried to reset a user's password using a temporary password. (OKTA-1030190)

Okta Integration Network

  • Paychex Online was updated.

  • Ravenna is now available (API Service Integration). Learn more.

  • zkipster was updated.

Doc Updates

Okta Aerial documentation

Documentation for Okta Aerial has been added to help.okta.com with the following updates:

  • Aerial card added to the home page.
  • Aerial option added to Documentation dropdown list.
  • Aerial release notes added to Release notes dropdown list.

Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.

Preview Features

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

Increased maximum displayed group membership count

The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.

Workday supports incremental imports

Workday now supports immediate, incremental imports. Incremental imports are much faster than full imports, but they don't detect changes that affect only custom attributes, so you must periodically run a full import to capture those changes. See Incremental imports.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced on non-customizable end-user pages for orgs with custom domains. Content Security Policy headers provide an additional layer of security that helps detect and mitigate attacks such as cross-site scripting and data injection by telling the browser which scripts, resources, and actions the page is allowed to execute. Okta has enforced a policy on Admin Console pages since last year and has been running end-user pages in report-only mode. Future iterations of Content Security Policy enforcement for end-user pages will be stricter than this first release.

This feature will be gradually made available to all orgs.
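The difference between report-only and enforced CSP, and what makes a policy actually block script injection, shown as an added example that is not Okta's code. The two responses below are constructed and do not reproduce Okta's real policy; the checks are the ones an admin would run against a custom-domain end-user page after this change.

```python
"""Inspect Content-Security-Policy headers on an end-user page.

Added example, not Okta's code. Both sample responses are constructed.
"""
ENFORCED_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"

# Constructed responses, each a dict of response headers.
REPORT_ONLY_RESPONSE = {
    REPORT_ONLY_HEADER: ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                         "object-src 'none'; report-uri /csp-report"),
}
ENFORCED_RESPONSE = {
    ENFORCED_HEADER: ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
                      "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
                      "report-uri /csp-report"),
}


def parse_csp(policy):
    """Split a serialized policy into {directive: [source values]}."""
    directives = {}
    for token in policy.split(";"):
        token = token.strip()
        if not token:
            continue
        name, *values = token.split()
        directives.setdefault(name.lower(), values)  # a repeated directive is ignored
    return directives


def csp_mode(headers):
    """'enforced', 'report-only', 'both' or 'none', from which CSP headers are present."""
    names = {k.lower() for k in headers}
    enforced, report = ENFORCED_HEADER in names, REPORT_ONLY_HEADER in names
    if enforced and report:
        return "both"
    return "enforced" if enforced else "report-only" if report else "none"


def weak_directives(policy):
    """List the ways a policy still lets injected content run or be framed."""
    p = parse_csp(policy)
    findings = []
    script = p.get("script-src", p.get("default-src", []))
    has_nonce_or_hash = any(v.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for v in script)
    # Per CSP3, 'unsafe-inline' is ignored once a nonce or hash is present,
    # so it only weakens the policy when neither is there.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allowed")
    if any(v in ("*", "http:", "https:", "data:") for v in script):
        findings.append("script-src: wildcard or scheme-only source")
    if "object-src" not in p and "default-src" not in p:
        findings.append("object-src: unrestricted (plugin content can load)")
    if "base-uri" not in p:
        findings.append("base-uri: unset, <base> injection can redirect relative script URLs")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors: unset, framing not restricted by CSP")
    return findings


def assess(headers):
    """Enforcement mode plus weaknesses in whichever policy the response carries."""
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = lowered.get(ENFORCED_HEADER) or lowered.get(REPORT_ONLY_HEADER, "")
    return {"mode": csp_mode(headers),
            "findings": weak_directives(policy) if policy else ["no CSP header"]}
```

A report-only header never blocks anything; it only sends violation reports to the report-uri, which is why the mode matters as much as the directive list when verifying a page.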

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints.

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and to devices that lack web browsers. It lets users complete the sign-in on a secondary device, such as a laptop or mobile phone, for apps that run on such devices.
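The exchange behind this grant type, RFC 8628, walked through with both sides in one process as an added example that is not Okta's code. The AuthorizationServer class stands in for the authorization server so the flow runs offline; against Okta the device would POST the same parameters to the org's device authorization and token endpoints. The verification URI, client ID, codes and tokens are all constructed, and FakeClock replaces the wall clock so the polling loop runs instantly.

```python
"""Device Authorization grant (RFC 8628) with both sides run in-process.

Added example, not Okta's code. The verification URI, client ID, codes and
tokens are constructed placeholders.
"""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 6.1: easy to read and type


class AuthorizationServer:
    """Issues device/user codes, records the user's decision, answers token polls."""

    def __init__(self, interval=5, lifetime=600, clock=time.monotonic):
        self.interval, self.lifetime, self.clock = interval, lifetime, clock
        self.pending = {}       # device_code -> request record
        self.by_user_code = {}  # user_code -> device_code

    def device_authorize(self, client_id, scope):
        """Device Authorization Request (RFC 8628 3.1/3.2), sent by the constrained device."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "approved": None, "last_poll": None,
                                     "expires_at": self.clock() + self.lifetime}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.okta.com/activate",  # placeholder
                "verification_uri_complete": f"https://example.okta.com/activate?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, user_code, approve):
        """Taken on the secondary device after the user signs in there (where MFA can be
        enforced) and enters the code displayed on the constrained device."""
        device_code = self.by_user_code.pop(user_code, None)
        if device_code is None or device_code not in self.pending:
            return False
        self.pending[device_code]["approved"] = approve
        return True

    def token(self, grant_type, device_code, client_id):
        """Device Access Token Request (RFC 8628 3.4/3.5): the device polls this."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            self._finish(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        self._finish(device_code)  # the device_code is spent whichever way the user decided
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}

    def _finish(self, device_code):
        rec = self.pending.pop(device_code)
        self.by_user_code.pop(rec["user_code"], None)


class FakeClock:
    """Deterministic replacement for time.monotonic so the flow runs instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_flow(approve_after_polls=2, approve=True):
    """Drive the device side end to end; returns the poll results and the final response."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock)
    auth = server.device_authorize("smart-tv-app", "openid profile")
    # At this point the device shows auth["user_code"] and auth["verification_uri"] on screen.
    interval, transcript, polls = auth["interval"], [], 0
    while True:
        clock.advance(interval)
        resp = server.token(DEVICE_CODE_GRANT, auth["device_code"], "smart-tv-app")
        transcript.append(resp.get("error", "token"))
        polls += 1
        if "access_token" in resp or resp["error"] in ("expired_token", "access_denied", "invalid_grant"):
            return transcript, resp
        if resp["error"] == "slow_down":
            interval += 5  # RFC 8628 3.5: back off by 5 seconds
        if polls == approve_after_polls:
            server.user_decides(auth["user_code"], approve)
```

The security properties worth noticing are all in `token`: the device never sees the user's credentials, the device_code is bound to the client_id that requested it, it is single-use, it expires, and a client that polls faster than the advertised interval is told to slow down rather than being served.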