Okta Identity Engine release notes (Production)

Generally Available

Version: 2026.07.0

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-01-05
Spec-compliant client ID claims for AI agent tokens

Okta Expression Language profiles now include the app.clientId property during user claim evaluations for AI agent OAuth 2.0 clients. This allows developers to generate spec-compliant tokens during AI agent flows.

OAuth secure token exchange for Salesforce requests

Okta for AI Agents now uses the OAuth 2.0 secure token exchange flow when it sends requests to the Salesforce app integration, resource server, or MCP server.

AI agent events are now event-hook eligible

The AI agent and AI agent provider events are now event-hook eligible, enabling Workflows to be triggered based on events. See Event hooks.

Provisioning for Rapid7 InsightAppSec

Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.

Reassign steps to multiple users

You can now reassign steps within an approval sequence or request type to 10 users. This applies to tasks, questions, actions, and approvals.

Admin OIDC App Phase Two Tranch One

When the Admin OIDC App Phase Two Tranch One feature is enabled, the Okta Admin Console automatically initiates the OIDC sign-in flow on page load, and admins are briefly redirected to the authentication page before the requested page appears.

Sign-In Widget, version 7.46.2

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Unique client authorization settings required for OIN apps

When you enter client authorization details for an app integration, an error now appears if another integration already uses those details.

New protocol runtime for Amazon Bedrock AgentCore AI agents

You can now import both standard HTTP and agent-to-agent protocol runtimes from the Amazon Bedrock AgentCore platform.

MCP servers active by default

Newly created MCP servers are now in an active state by default. See Add MCP servers.

AI agent admin role

Super admins can now delegate AI agent management tasks using the new AI agent admin role. Admins with this role can perform tasks like registering AI agents, assigning owners, and configuring resource connections. See Manage Okta for AI Agents admin roles.

Date range filter for AI agents

The AI Agents page now provides a date range filter so admins can filter AI agents by when they were created or updated.

Import AI agents from Google Vertex AI

You can now import and manage AI agents built in Google Vertex AI directly through Okta. See Configure Google Vertex AI for AI agent imports.

Sign-In Widget, version 7.46.3

For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 17 (2026-06-01)
  • Windows 10 builds (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417)
  • Windows 11 builds (10.0.22631.7219, 10.0.26100.8655, 10.0.26200.8655)
UI updates to Okta Access Requests web app

The All requests page in the Okta Access Requests web app now shows 999+ count if there are 1000 or more requests instead of giving the count. This change helps reduce the time taken to list the requests on the page.

Import Azure Active Directory users with null first and last name

You can now import users from Microsoft Azure Active Directory (AAD) who have null first name and last name values. This provides admins with a centralized view of their AAD users within Okta. See Import users to Office 365 using Microsoft Graph API.

Removal of search filters from the Inbox page

The Requester type and Follower options have been removed from Filters on the Inbox page of the Okta Access Requests web app to improve performance.

Okta for AI Agents UI updates

The AI agents page now provides Owner and Platform filters. Also, the AI agent providers page now has Registered AI agents column that displays the number of AI agents that are registered from the provider. 

Suspicious Login Using A Sprayed Password

This detection indicates that a user's password has been identified in a password spray campaign and used to successfullly sign in. The detection enables ITP to trigger configured remediation actions such as Universal Logout or password reset through a workflow. See Suspicious login using a sprayed password.

This feature is following a slow rollout process.

Bot protection

Bot protection enables orgs to automatically identify and mitigate bot traffic by configuring remediation actions within the Identity Threat Protection (ITP) landing page. See Bot protection.

New VPN service for enhanced dynamic zones

The VIGOR_SSL_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP categories.

AI agents admin role help link

On the Administrators > Roles tab, the AI agents admin role now has a help link. 

Maximum number of IDPs in an IDP routing rule increased

The maximum number of allowed IdPs in an IdP routing rule has been increased to 100. See Configure identity provider routing rules.

Advanced posture checks for device assurance

Advanced posture checks let admins configure specific device security conditions beyond what standard device assurance policies support. Using osquery, you can write custom SQL queries to assess device state on macOS and Windows devices, configure checks for unmanaged devices, and integrate with endpoint detection and response (EDR) tools. See Configure advanced posture checks for device assurance.

Okta SSF Transmitter now available to CIAM orgs

Okta uses CAEP to send security-related events and other data-subject signals to third-party security vendors. See Shared Signals Framework.

This feature is now available to Customer Identity and Access Management orgs.

Improved MFA enrollment policy validator

Orgs that have no self-initiated user.account.update_password syslog events over last 30 days are now excluded from the MFA enrollment policy validator warning triggered during the Okta Identity Engine upgrade, making it easier to upgrade.

Clear Managed Chrome Profile Browsing Data

Clear Managed Chrome Profile Browsing Data provides real-time remediation by instantly purging local session data (cookies and cache) within managed Chrome profiles upon ITP detection. By transforming the browser into a policy-enforced workspace, it ensures immediate, automated protection. See Clear managed Chrome profile browsing data.

Import unlicensed users from Azure Active Directory to Okta

You can now import users from Microsoft Azure Active Directory (AAD) who don't have an assigned Office 365 license. This allows admins to centralize their workforce lifecycle within Okta and eliminates the need to manage unlicensed accounts across both platforms. See Import users to Office 365 using Microsoft Graph API.

Role-assignable push groups for Office 365

When you create a new push group for the Office 365 app integration, select the Is this role assignable checkbox to make the group role assignable in Microsoft Entra ID. This allows you to push Okta groups to Microsoft Entra ID and assign roles instead of manually creating groups in Entra ID and then linking them to Okta using push groups. See Configure Push Group.

Group push support in API Integration Actions apps

Apps that use API Integration Actions to perform provisioning can now use the Group Push feature. This enables the group import functionality for apps that use group API contracts in their provisioning actions.

Native to Web SSO

Native to Web SSO creates a seamless, unified authentication experience when a user transitions from an OIDC app (like a native or web app) to a web app (either OIDC or SAML). This feature uses standard, web-based federation protocols like SAML and OpenID Connect that help bridge the gap between two different application environments, using a single-use, one-way interclient trust SSO token. This eliminates repeating already provided sign-on assurances, and simplifies development by reducing authentication complexity. See Configure Native to Web SSO.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

ITP detections for AMFA orgs

Adaptive MFA orgs now benefit from ITP detections on sessions and entity users when these are detected on directly assigned super admins. These detection events are actionable using Workflows. This feature aligns with the Okta Secure Identity Commitment. See Identity Threat Protection events in System Log.

This feature is now available to Okta for US Military customers.

On-demand rotation of Office 365 SSO signing certificates

Office 365 app integrations that use WS-Federation for authentication now support the use of app-level certificates. Switching from org-level certificates to app-level certificates improves your security outcomes by eliminating a single point of failure if a shared org-level certificate expires. UI updates enable IT admins to easily monitor certificate status, generate certificates on demand, and perform certificate rotations without disrupting operations. See Configure Single Sign-On for Office 365.

Update group rule assignments

Admins can now update the groups assigned to a group rule without deleting and recreating the rule. This streamlines the management of group memberships and rule conditions. See Edit group rules.

Early Access

Agent-to-agent connections

Agent-to-agent server connections allow admins to connect AI agents to other AI agents. Admins can manage scopes to restrict access to the appropriate AI agent tasks, and allow service apps to call AI agents without user context. Using tokens and the System Log, admins can view all the users, AI agents, and apps that call an AI agent. See Agent-to-agent connections.

Removal of Cross App Access as a self-service feature

You can no longer enable or disable the Cross App Access feature from the Early Access section of the Settings > Features page in the Admin Console. To change the availability of this feature for your org, contact Okta Support. If you have an Integrator Free Plan org, contact Developer Support instead. This change doesn't impact any existing configurations.

Passkey metrics tracking

This enhancement provides additional tracking capabilities and reporting tools to gain more visibility into passkey performance. This helps admins monitor passwordless adoption and usage trends across their orgs.

Auditor mode for admin role assignments

A new Auditor (Read-Only) mode allows super admins to apply a read-only restriction to any individual or group admin assignment. This setting restricts admins to read-only access across the Admin Console and Okta APIs, except for Okta first-party apps. This feature provides auditors with system visibility while maintaining security transparency. See Auditor read-only mode.

Fixes

  • On the End-User Settings page in orgs with language localization, the non-breaking space before the colon in error messages was missing. (OKTA-1113766)

  • An Okta Verify error prevented some users from signing in to orgs that had the Advanced Posture Check feature enabled. The error wasn't recorded in the System Log. (OKTA-1120412)

  • The Access Testing Tool incorrectly reported that user sign-in events were denied by a global session policy network zone rule, even though the tested IP address was in the allowed zone. (OKTA-1130892)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

  • The text size of the Okta Verify number challenge on the Sign-In Widget was too small. (OKTA-1140583)

  • The Okta logo in My Settings had inaccurate alt text. (OKTA-1164454)

  • In My Settings, the Support section heading had an incorrect heading level. (OKTA-1164459)

  • In My Settings, the Recent Activity drawer didn't resize at narrow viewport widths, which made the close button inaccessible without a trackpad or scrollbar. (OKTA-1164494)

  • Users with only a password enrolled in a deferred enrollment policy received an error when they attempted to access apps that required a second authentication factor. (OKTA-1174736)

  • The Sign-In Widget (second generation) failed to load when an app requested scopes where one scope name was a prefix of another. (OKTA-1174752)

  • Admins could delete custom authorization servers that were used in AI agent resource connections. (OKTA-1182513)

  • The DirSync readiness warning banner on the Integration Agents dashboard displayed outdated status information. (OKTA-1185146)

  • In the Access Testing Tool, admins saw an error message in the Enrolled in authenticators results when they tested the access of users with enrolled smart card authenticators. (OKTA-1186554)

  • During evaluation of Okta Expression Language version 3 rules, the contains function failed to evaluate custom integer or number array attributes. (OKTA-1194797)

  • If admins modified a read-only profile attribute after a user began editing their profile, users saw an error message when they tried to save changes to their profile. (OKTA-1201181)

  • When a user enrolled multiple factors in Okta Verify, the active grace period counter incorrectly incremented per factor rather than per authenticator. (OKTA-1209603)

  • When users clicked the add button multiple times in the Add apps dialog, the dialog froze and users couldn't close it or select Done until they refreshed the page. (OKTA-1211432)

Okta Integration Network

  • SAP LeanIX - SaaS Discovery (API Service) was updated.

  • Camino (OIDC) is now available. Learn more.

  • Camino (SAML) is now available. Learn more.

  • Rubrik Security Cloud (API Service) was updated.

  • Vercel (SAML) is now available. Learn more.

  • Zoom (OIDC) is now available. Learn more.

  • Commvault (API service) is now available. Learn more.

  • Camino (SCIM) is now available. Learn more.