ConvaTec Identity Platform

Last import: — · — Okta users · — Azure users · —

checking...

Compliance Score

88%

↑ +3% vs last month

Okta Users

11,481

↑ +759 YTD

Active Applications

247

↑ +12 this month

Risk Alerts

↑ 3 high severity

Azure AD Users

11,624

incl. 143 guests

Azure Alerts

Risky sign-ins

Identity trends

Total Okta users — last 12 snapshots

Never logged in — trend

Hygiene improvement over time

Recent activity

Last events across both platforms

Account locked out

[email protected] · Okta

2m ago

New user provisioned

[email protected] · Okta AD Sync

14m ago

Risky sign-in detected

[email protected] · Azure AD · Beijing, CN

31m ago

Password expired

[email protected] · Okta

1h ago

Group membership changed

CVT-IT-Admins · Azure AD

3h ago

Top risks

Items requiring attention

Never logged in

Accounts never activated

No login >365 days

Potentially orphaned

473

Locked out

Require admin action

No manager assigned

Orphaned from org

1,327

Governance

Click to navigate to each area

Orphaned & Stale

Identity hygiene

Privileged Access

Admin roles

Licence Optimisation

M365 waste

MFA & Password

Policy compliance

Guest & External

External access risk

Conditional Access

Policy coverage

App Risk

App security posture

Secrets & Certs

Overall Score

88%

↑ +3%

MFA Coverage

94%

↑ +2%

Open Risks

3 high severity

Active Policies

both platforms

Compliance breakdown

88%

Score

MFA Coverage94%

Active accounts99.4%

Manager assigned88.4%

No orphaned >365d95.9%

AD Provider coverage99.5%

Security checklist

MFA for all admins

All 43 admin accounts protected

Pass

Password policy enforced

Complexity required, 12+ chars

Pass

Inactive accounts review

1,203 never logged in

Review

Orphaned accounts

473 accounts with no activity >365d

Action needed

Conditional Access

38 CA policies active in Azure AD

Pass

Total users

—

convatec.okta.com

Active

—

of total

Never logged in

action required

Locked out

—

action required

Status distribution

Current snapshot

Users by domain

Email domain breakdown

Okta — User Directory

User	Email	Status	Dept	Country	Last login
Loading users...

Total groups

—

convatec.okta.com

Okta-managed

—

native

AD-synced

—

from Azure AD

Group types

Okta-managed vs AD-synced

Top groups by name prefix

Most common naming patterns

Okta — Groups & Memberships

Group	Type	Description	Last updated
Loading groups...

Total apps

—

convatec.okta.com

Active

—

in use

Inactive

—

review

Active vs Inactive

App status breakdown

Sign-on method

SAML, OIDC, SWA, etc.

Okta — App Catalogue

Application	Status	Sign-on	Created
Loading apps...

Events today

24,891

last 24h

Failed logins

143

↑ +23

Policy violations

review

Success rate

99.4%

healthy

Okta system logs

Real-time event stream · convatec.okta.com

Okta retains System Logs for 90 days. Events older than 90 days are not available via API.

6 events

Authentication failed — MFA required

[email protected] · Chrome / Windows · 192.168.1.45

09:42:11

[email protected] · Safari / macOS · 10.0.0.12

09:41:58

New user provisioned via AD

[email protected] · Okta Workflow

09:40:22

Account locked — 5 failed attempts

[email protected] · 203.0.113.42 · Unknown location

09:38:05

User added to IT-Administrators

Admin: [email protected] → [email protected]

09:35:12

Policy denied — device not trusted

[email protected] · Android / Mobile

09:33:29

Total users

—

Entra ID

Licensed

—

M365

Guests

—

external

Disabled

—

review

Account status

Enabled vs Disabled vs Guest

Users by domain

UPN domain breakdown

Microsoft Entra ID — User Directory

User	UPN	Status	Dept	Type	Last sign-in
Loading users...

Total groups

—

Entra ID

Security groups

—

access control

M365 groups

—

Teams/SharePoint

Group types

Security vs M365 vs Distribution

Top name prefixes

Most common group naming patterns

Microsoft Entra ID — Groups & Memberships

Group	Type	Security	Mail-enabled	Created
Loading groups...

Total apps

—

registered

Multi-tenant

—

external access

Single-tenant

—

internal only

AzureAD only

—

legacy

Azure AD — Enterprise Applications

Loading from SharePoint...

Application	App ID	Audience	Created
Loading Azure apps...

Expired

—

immediate action

Critical <30 days

—

renew urgently

Warning <90 days

—

plan renewal

Healthy

—

no action needed

App Secrets & Certificates

Loading from SharePoint...

Application	Type	Secret / Cert name	Expiry date	Days left	Status
Loading secrets...

Sign-ins today

18,420

last 24h

Risky sign-ins

↑ flagged

CA compliance

99.1%

healthy

MFA challenges

4,201

22.8%

Azure AD activity logs

Audit & sign-in · Microsoft Graph API

Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.

5 events

Sign-in success — Microsoft 365

[email protected] · London, UK · Compliant device

09:44:01

Risky sign-in — Unfamiliar location

[email protected] · Beijing, CN → unusual for this user

09:41:33

MFA challenge — Conditional Access

[email protected] · Mumbai, IN · Unmanaged device

09:39:18

Audit — User account enabled

Admin: [email protected] → [email protected]

09:35:00

Audit — Group membership change

CVT-IT-Admins: added [email protected]

09:32:47

Never logged in

1,203

10.5% of total

No login >365 days

473

4.1% of total

No manager assigned

1,327

11.6% of total

Locked out

require unlock

Stale & orphaned accounts

Accounts with no activity or missing attributes · Read-only view

User	Email	Issue	Last login	Created	Manager	Action
NP Nina Park	[email protected]	Never logged in	Never	2024-11-01	S. Lee	Open in Okta ↗
RG Robert Green	[email protected]	No login >365d	2023-02-14	2019-06-20	—	Open in Okta ↗
MF Maria Flores	[email protected]	No manager	Last week	2022-03-08	—	Open in Okta ↗
JK Jan Kowalski	[email protected]	Locked out	3 days ago	2021-09-14	B. Nowak	Open in Okta ↗

Okta Super Admins

review regularly

Azure Global Admins

reduce recommended

Admins with MFA

13/13

100% coverage

Privileged role age

avg 387d

some roles >1 year

Okta admin roles

Read-only · manage in Okta Admin Console

User	Role	MFA	Assigned
TA Tiago Teixeira	Super Admin	On	2021-01-10
JW James Wilson	Org Admin	On	2022-03-15
SA Sara Ahmed	Read Only Admin	On	2023-06-01

Azure AD privileged roles

P1 available · PIM requires P2

PIM just-in-time activation & role history requires Azure AD P2

User	Role	MFA	Type
TA Tiago Teixeira	Global Admin	On	Permanent
AT Ana Torres	User Admin	On	Permanent
BP Bob Peters	Security Reader	On	Permanent

Access Reviews (automated certification campaigns) require Azure AD P2. This view shows a manual snapshot of current access for audit purposes.

Apps reviewed

247

last 90 days

Over-privileged users

access beyond role

Clean certifications

163

66% access justified

Access certification snapshot

Who has access to high-value apps · export for audit

Application	Users assigned	High-privilege users	Last reviewed	Status
ServiceNow	4,820	43	2025-01-15	Reviewed
Workday	9,100	12	2025-02-01	Reviewed
SAP	2,340	89	2024-09-10	Overdue
Legacy Portal v1	0	0	Never	Decommission

Total M365 licences

11,200

assigned

Unused licences

843

no activity 90d

Est. monthly saving

~£22k

if reclaimed

Downgrade candidates

1,240

E3 → F3 eligible

Licence waste by type

Users with assigned licence but no activity in 90 days

M365 E3 — unused

High-cost licence, no recent sign-in

312

M365 F3 — unused

Firstline licence, account inactive

531

Disabled accounts with licence

Should be reclaimed immediately

190

Downgrade opportunities

E3 users eligible for F3 (Firstline Workers)

Dept	Current	Suggested	Count	Est. saving
Manufacturing	M365 E3	M365 F3	487	~£8.4k/mo
Operations	M365 E3	M365 F3	753	~£13k/mo
Inactive (90d)	M365 E3/F3	Reclaim	843	~£22k/mo

In Okta, not Azure

potential orphans

In Azure, not Okta

143

mostly guests

Status mismatch

active in one, disabled in other

Fully synced

11,338

98.8% consistent

Platform discrepancies

Accounts with inconsistencies between Okta and Azure AD

User	Email	Okta status	Azure status	Issue	Action
Tom Baker	[email protected]	Active	Not found	Okta only	Investigate ↗
Lisa Chen	[email protected]	Active	Disabled	Status mismatch	Check Azure ↗
External Partner	[email protected]	Not found	Guest	Azure only	Review ↗

Apps without MFA

high risk

Inactive apps (>90d)

no auth events

Shared credentials (SWA)

weak auth method

SAML/OIDC apps

200

81% using SSO

Application risk assessment

Apps flagged for security review · Read-only

Application	Auth method	MFA enforced	Last auth	Users	Risk
Legacy Portal v1	SWA	No	6 months ago	0	High · Decommission
Vendor Portal	SWA	No	2 days ago	143	High · Migrate to SAML
Internal Wiki	SAML	Partial	Today	2,100	Medium · Enable MFA
Microsoft 365	SAML 2.0	Yes	Just now	11,200	Low

New accounts (30d)

142

provisioned

Never activated (new)

27% of new accounts

Accounts >30d unactivated

likely leavers

Avg activation time

3.2d

from provision to first login

Onboarding health

Recently provisioned accounts

Activated same day

Provisioned and logged in immediately

Activated within 7 days

Normal onboarding window

Not activated >7 days

Delayed or abandoned onboarding

Offboarding risk

Accounts that may belong to leavers

Active accounts with no recent manager

Manager may have left; account orphaned

Active but no login >180d

Possible leaver not yet offboarded

312

Deprovisioned this month

Accounts successfully offboarded

MFA enrolled (Okta)

94%

↑ +2% this month

MFA not set

689

6% of active users

Password expiry <7d

143

will be locked soon

Okta native auth users

not on AD provider

MFA method breakdown

Okta · enrolled authenticators

Okta Verify (push)

Strongest method — recommended

8,420

Microsoft Authenticator

Used via Azure AD MFA

2,301

SMS OTP

Weaker — consider upgrading users

681

Password policy compliance

Okta password policy status

Complex passwords enforced100%

MFA enrolled94%

Password not expiring soon98.7%

On AD provider (not native)99.5%

Guest user risk scoring & Identity Protection for external users requires Azure AD P2. This view shows manual risk indicators available with P1.

Azure AD guests

143

external users

Guests no MFA

62% of guests

Inactive guests (>90d)

review for removal

External domains

distinct orgs

Guest & external accounts

Azure AD B2B guests · Read-only

User	Email domain	MFA	Last sign-in	Apps accessed	Risk
Raj Kumar	180medical.com	On	2h ago	Partner Portal	Low
External Partner	vendor.com	Off	1 month ago	SharePoint	High · No MFA
Consultant A	consulting.co.uk	Off	4 months ago	Teams	Medium · Inactive

CA policies active

Azure AD P1

Users covered

99.1%

nearly full coverage

Policies in report-only

not yet enforced

CA blocks (7d)

1,247

policy working

Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2

Conditional Access policies

Azure AD · 38 active policies

Policy name	State	Users included	Conditions	Grant control
Require MFA for all users	Enabled	All users	Any location	Require MFA
Block legacy authentication	Enabled	All users	Legacy auth clients	Block
Require compliant device (Corp)	Enabled	Employees	Unmanaged device	Require compliant
Guests — MFA required	Report only	Guests	Any access	Not enforced yet
Admin MFA always	Enabled	Global Admins	All platforms	Require MFA

Identity &Access Platform

Welcome back

Identity &
Access Platform