Okta Identity Engine release notes (Production)

Changes to access request notifications

To ensure conversations are displayed consistently across platforms, messages sent within an access request from the web app now automatically appear for the message sender in the corresponding Slack or Microsoft Teams thread. This reduces confusion for the message sender around the messages associated that are with a request.

Okta Provisioning agent, version 3.0.4

Okta Provisioning agent 3.0.4 is now available. This release contains bug fixes and minor improvements.

Simplified Windows Installer for Okta Provisioning agent

The Windows Installer UI for the Okta Provisioning agent has been simplified. The environment selection dropdown list has been removed to support a wider range of Okta environments.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

• iOS 18.7.1
• iOS 26.0.1
• macOS Sonoma 14.8.1
• macOS Sequoia 15.7.1
• macOS Tahoe 26.0.1

Detections added to entity risk policy

New detections have been added to the entity risk policy.

• Suspicious Login From An IP Flagged By FastPass: Indicates a sign-in event occurred from an IP address that Okta FastPass flagged in a phishing event.

• Suspicious Login From An IP Flagged In A Credential Based Attack: Indicates a successful sign-in event occurred from an IP address where multiple sign-in failures also occurred.

• Breached Credentials Detected: Indicates that a username-password combination in your org appears in a third-party list of public data breaches.

See Detection settings for entity risk policy.

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

Trace ID added to event

A traceId has been added to the security.breached_credential.detected System Log event so that you can easily query and link ITP events like user.risk.detect and ERP events in system logs.

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

New VPN service for enhanced dynamic zones

The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.

User status in Okta Expression Language

You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.

SharePoint On-Premises integration supports SHA-256

SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.

Group Push Linking for Microsoft Office 365

The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.

This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.

Supporting additional attributes in O365's Universal Sync provisioning

To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.

• onPremisesSamAccountName
• onPremisesDomainName
• onPremisesUserPrincipalName
• PreferredDataLocation

Changes to the Session Protection Violation report

A filter has been added to the Session Protection Violation report that allows filtering on risk level (LOW, MEDIUM, HIGH). Also, the Session Context Change count has been removed from the report.

Okta Integration IdP type

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Custom admin roles for ITP

Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Translations update for the Partner Admin Portal

Japanese translations for the Add user and Edit user forms have been updated. This change aligns the Japanese labels with their English counterparts.

Office 365 License and Roles Management now supports sync entitlements

Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.

Sign-In Widget, version 7.35.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Improved user experience for Access Requests

The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is noreply@at.okta.com.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.

Improved search in the Partner Admin Portal

The Partner Admin Portal user list now sorts by the Last Updated column in descending order by default. The search feature uses a Contains operator for three or more characters.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

• Android 13, 14, 15, 16 security patch 2025-09-01
• iOS 18.6.2
• iOS 26.0.0 (major version)
• macOS Ventura 13.7.8
• macOS Sonoma 14.7.8
• macOS Sequoia 15.6.1
• macOS Tahoe 26.0.0 (major version)
• Windows 10 (10.0.17763.7678, 10.0.19044.6216, 10.0.19045.6216)
• Windows 11 (10.0.22621.5768, 10.0.22631.5768, 10.0.26100.4946)

The following versions are no longer supported:

• iOS 15.8.4
• iOS 16.7.11
• macOS 12.7.6
• Windows 11 (10.0.22000.3260)

Nonce rollout for Content Security Policy

Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header style-src directive; later, after any unsafe inline instances are identified and fixed, the nonce is added to the Content-Security-Policy header style-src directive. This update will be gradually applied to all endpoints.

These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.

Export Admin Console reports in GZIP format

You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

This feature is following a slow rollout process.

Assigning/revoking an admin role is a protected action

Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

API service apps

API service apps are no longer assigned to the shared default app sign-in policy when they're created. See App sign-in policies.

Authentication policy UI updates

Authentication policies have been renamed and are now known as "app sign-in policies." The term "authentication policies" now refers to a group of policies: app sign-in policies, the Okta account management policy, and the session protection policy. UI enhancements have also been made to these pages to improve navigation and user experience. See App sign-in policies.

New option to clear "keep me signed in"

When revoking a user's IdP sessions and refresh tokens in the Clear sessions and revoke tokens dialog, admins can now choose whether or not to use the Clear "keep me signed in" option.

Admin Console Realm updates

The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.

Secure Identity Integrations filters in the OIN catalog

The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.

New System Log target

The Authentication Enrollment Policy target was added to the 'policy.evaluate_sign_on' System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.

LDAP Interface OIDC app

LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.

Map unknown platform to desktop

Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when the Any platform condition was selected in the app sign-in policy.

Send app context to external IdPs

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.

Child Domain Authentication for Office 365 WS-Federation

Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

New change password feature for end users

The Security methods page in My Settings now allows end users to change their password.

Custom remediation for device assurance

You can now display custom remediation instructions to users when authentication fails due to unsuccessful device posture checks with Okta Verify or Chrome Device Trust. See Configure custom remediation instructions for device assurance.