Compliance Score
88%
↑ +3% vs last month
Okta Users
11,481
↑ +759 YTD
Active Applications
247
↑ +12 this month
Risk Alerts
14
↑ 3 high severity
Azure AD Users
11,624
incl. 143 guests
Azure Alerts
3
Risky sign-ins
Identity trends
Total Okta users — last 12 snapshots
Never logged in — trend
Hygiene improvement over time
Microsoft Entra ID
Enabled · Disabled · Guests — from last pipeline run
Total users
—
Entra ID
Enabled
—
active accounts
Disabled
—
review required
Guests
—
external users
Recent activity
Last events across both platforms
Account locked out
2m ago
New user provisioned
14m ago
Risky sign-in detected
31m ago
Password expired
1h ago
Group membership changed
3h ago
Top risks
Items requiring attention
Never logged in
Accounts never activated
1,203
No login >365 days
Potentially orphaned
473
Locked out
Require admin action
12
No manager assigned
Orphaned from org
1,327
Governance
Orphaned & Stale
Identity hygiene
Privileged Access
Admin roles
Licence Optimisation
M365 waste
MFA & Password
Policy compliance
Guest & External
External access risk
Conditional Access
Policy coverage
App Risk
App security posture
Secrets & Certs
Overall Score
88%
↑ +3%
MFA Coverage
94%
↑ +2%
Open Risks
14
3 high severity
Active Policies
38
both platforms
Compliance breakdown
88%
Score
MFA Coverage: 94%
Active accounts: 99.4%
Manager assigned: 88.4%
No orphaned >365d: 95.9%
AD Provider coverage: 99.5%
Security checklist
MFA for all admins
All 43 admin accounts protected
Password policy enforced
Complexity required, 12+ chars
Inactive accounts review
1,203 never logged in
Orphaned accounts
473 accounts with no activity >365d
Conditional Access
38 CA policies active in Azure AD
Total users
—
convatec.okta.com
Active
—
of total
Never logged in
—
action required
Locked out
—
action required
Status distribution
Current snapshot
Users by domain
Email domain breakdown
Okta — User Directory
| User | Status | Dept | Country | Last login | |
|---|---|---|---|---|---|
Total groups
—
convatec.okta.com
Okta-managed
—
native
AD-synced
—
from Azure AD
Group types
Okta-managed vs AD-synced
Top groups by name prefix
Most common naming patterns
Okta — Groups & Memberships
| Group | Type | Description | Last updated |
|---|---|---|---|
Total apps
—
convatec.okta.com
Active
—
in use
Inactive
—
review
Active vs Inactive
App status breakdown
Sign-on method
SAML, OIDC, SWA, etc.
Okta — App Catalogue
| Application | Status | Sign-on | Created |
|---|---|---|---|
Events today
24,891
last 24h
Failed logins
143
↑ +23
Policy violations
7
review
Success rate
99.4%
healthy
Okta system logs
Real-time event stream · convatec.okta.com
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
6 events
Authentication failed — MFA required
09:42:11
Login successful
09:41:58
New user provisioned via AD
09:40:22
Account locked — 5 failed attempts
09:38:05
User added to IT-Administrators
09:35:12
Policy denied — device not trusted
09:33:29
Total users
—
Entra ID
Licensed
—
M365
Guests
—
external
Disabled
—
review
Account status
Enabled vs Disabled vs Guest
Users by domain
UPN domain breakdown
Microsoft Entra ID — User Directory
| User | UPN | Status | Dept | Type | Last sign-in |
|---|---|---|---|---|---|
Total groups
—
Entra ID
Security groups
—
access control
M365 groups
—
Teams/SharePoint
No owner
—
governance risk
Group types
Security vs M365 vs Distribution
Top name prefixes
Most common group naming patterns
Microsoft Entra ID — Groups & Memberships
| Group | Type | Security | Mail-enabled | Created | Owner |
|---|---|---|---|---|---|
Total apps
—
registered
Multi-tenant
—
external access
Single-tenant
—
internal only
No owner
—
governance risk
Azure AD — Enterprise Applications
| Application | App ID | Audience | Created | Owner |
|---|---|---|---|---|
Expired
—
immediate action
Critical <30 days
—
renew urgently
Warning <90 days
—
plan renewal
Healthy
—
no action needed
App Secrets & Certificates
| Application | Type | Secret / Cert name | Expiry date | Days left | Status |
|---|---|---|---|---|---|
Sign-ins today
18,420
last 24h
Risky sign-ins
23
↑ flagged
CA compliance
99.1%
healthy
MFA challenges
4,201
22.8%
Azure AD activity logs
Audit & sign-in · Microsoft Graph API
Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.
5 events
Sign-in success — Microsoft 365
09:44:01
Risky sign-in — Unfamiliar location
09:41:33
MFA challenge — Conditional Access
09:39:18
Audit — User account enabled
09:35:00
Audit — Group membership change
09:32:47
Never logged in
1,203
10.5% of total
No login >365 days
473
4.1% of total
No manager assigned
1,327
11.6% of total
Locked out
12
require unlock
Stale & orphaned accounts
Accounts with no activity or missing attributes · Read-only view
| User | Email | Issue | Last login | Created | Manager | Action |
|---|---|---|---|---|---|---|
| Nina Park | [email protected] | Never logged in | Never | 2024-11-01 | S. Lee | Open in Okta ↗ |
| Robert Green | [email protected] | No login >365d | 2023-02-14 | 2019-06-20 | — | Open in Okta ↗ |
| Maria Flores | [email protected] | No manager | Last week | 2022-03-08 | — | Open in Okta ↗ |
| Jan Kowalski | [email protected] | Locked out | 3 days ago | 2021-09-14 | B. Nowak | Open in Okta ↗ |
Okta Super Admins
5
review regularly
Azure Global Admins
8
reduce recommended
Admins with MFA
13/13
100% coverage
Privileged role age
avg 387d
some roles >1 year
Okta admin roles
Read-only · manage in Okta Admin Console
| User | Role | MFA | Assigned |
|---|---|---|---|
| Tiago Teixeira | Super Admin | On | 2021-01-10 |
| James Wilson | Org Admin | On | 2022-03-15 |
| Sara Ahmed | Read Only Admin | On | 2023-06-01 |
Azure AD privileged roles
P1 available · PIM requires P2
PIM just-in-time activation & role history requires Azure AD P2
| User | Role | MFA | Type |
|---|---|---|---|
| Tiago Teixeira | Global Admin | On | Permanent |
| Ana Torres | User Admin | On | Permanent |
| Bob Peters | Security Reader | On | Permanent |
Access Reviews (automated certification campaigns) require Azure AD P2. This view shows a manual snapshot of current access for audit purposes.
Apps reviewed
247
last 90 days
Over-privileged users
84
access beyond role
Clean certifications
163
66% access justified
Access certification snapshot
Who has access to high-value apps · export for audit
| Application | Users assigned | High-privilege users | Last reviewed | Status |
|---|---|---|---|---|
| ServiceNow | 4,820 | 43 | 2025-01-15 | Reviewed |
| Workday | 9,100 | 12 | 2025-02-01 | Reviewed |
| SAP | 2,340 | 89 | 2024-09-10 | Overdue |
| Legacy Portal v1 | 0 | 0 | Never | Decommission |
Total M365 licences
11,200
assigned
Unused licences
843
no activity 90d
Est. monthly saving
~£22k
if reclaimed
Downgrade candidates
1,240
E3 → F3 eligible
Licence waste by type
Users with assigned licence but no activity in 90 days
M365 E3 — unused
High-cost licence, no recent sign-in
312
M365 F3 — unused
Firstline licence, account inactive
531
Disabled accounts with licence
Should be reclaimed immediately
190
Downgrade opportunities
E3 users eligible for F3 (Firstline Workers)
| Dept | Current | Suggested | Count | Est. saving |
|---|---|---|---|---|
| Manufacturing | M365 E3 | M365 F3 | 487 | ~£8.4k/mo |
| Operations | M365 E3 | M365 F3 | 753 | ~£13k/mo |
| Inactive (90d) | M365 E3/F3 | Reclaim | 843 | ~£22k/mo |
In Okta, not Azure
71
potential orphans
In Azure, not Okta
143
mostly guests
Status mismatch
29
active in one, disabled in other
Fully synced
11,338
98.8% consistent
Platform discrepancies
Accounts with inconsistencies between Okta and Azure AD
| User | Email | Okta status | Azure status | Issue | Action |
|---|---|---|---|---|---|
| Tom Baker | [email protected] | Active | Not found | Okta only | Investigate ↗ |
| Lisa Chen | [email protected] | Active | Disabled | Status mismatch | Check Azure ↗ |
| External Partner | [email protected] | Not found | Guest | Azure only | Review ↗ |
Apps without MFA
16
high risk
Inactive apps (>90d)
23
no auth events
Shared credentials (SWA)
8
weak auth method
SAML/OIDC apps
200
81% using SSO
Application risk assessment
Apps flagged for security review · Read-only
| Application | Auth method | MFA enforced | Last auth | Users | Risk |
|---|---|---|---|---|---|
| Legacy Portal v1 | SWA | No | 6 months ago | 0 | High · Decommission |
| Vendor Portal | SWA | No | 2 days ago | 143 | High · Migrate to SAML |
| Internal Wiki | SAML | Partial | Today | 2,100 | Medium · Enable MFA |
| Microsoft 365 | SAML 2.0 | Yes | Just now | 11,200 | Low |
New accounts (30d)
142
provisioned
Never activated (new)
38
27% of new accounts
Accounts >30d unactivated
94
likely leavers
Avg activation time
3.2d
from provision to first login
Onboarding health
Recently provisioned accounts
Activated same day
Provisioned and logged in immediately
62
Activated within 7 days
Normal onboarding window
42
Not activated >7 days
Delayed or abandoned onboarding
38
Offboarding risk
Accounts that may belong to leavers
Active accounts with no recent manager
Manager may have left; account orphaned
94
Active but no login >180d
Possible leaver not yet offboarded
312
Deprovisioned this month
Accounts successfully offboarded
67
MFA enrolled (Okta)
94%
↑ +2% this month
MFA not set
689
6% of active users
Password expiry <7d
143
will be locked soon
Okta native auth users
56
not on AD provider
MFA method breakdown
Okta · enrolled authenticators
Okta Verify (push)
Strongest method — recommended
8,420
Microsoft Authenticator
Used via Azure AD MFA
2,301
SMS OTP
Weaker — consider upgrading users
681
Password policy compliance
Okta password policy status
Complex passwords enforced: 100%
MFA enrolled: 94%
Password not expiring soon: 98.7%
On AD provider (not native): 99.5%
Guest user risk scoring & Identity Protection for external users requires Azure AD P2. This view shows manual risk indicators available with P1.
Azure AD guests
143
external users
Guests no MFA
89
62% of guests
Inactive guests (>90d)
47
review for removal
External domains
23
distinct orgs
Guest & external accounts
Azure AD B2B guests · Read-only
| User | Email domain | MFA | Last sign-in | Apps accessed | Risk |
|---|---|---|---|---|---|
| Raj Kumar | 180medical.com | On | 2h ago | Partner Portal | Low |
| External Partner | vendor.com | Off | 1 month ago | SharePoint | High · No MFA |
| Consultant A | consulting.co.uk | Off | 4 months ago | Teams | Medium · Inactive |
CA policies active
38
Azure AD P1
Users covered
99.1%
nearly full coverage
Policies in report-only
5
not yet enforced
CA blocks (7d)
1,247
policy working
Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2
Conditional Access policies
Azure AD · 38 active policies
| Policy name | State | Users included | Conditions | Grant control |
|---|---|---|---|---|
| Require MFA for all users | Enabled | All users | Any location | Require MFA |
| Block legacy authentication | Enabled | All users | Legacy auth clients | Block |
| Require compliant device (Corp) | Enabled | Employees | Unmanaged device | Require compliant |
| Guests — MFA required | Report only | Guests | Any access | Not enforced yet |
| Admin MFA always | Enabled | Global Admins | All platforms | Require MFA |
Platform Guide
This platform provides real-time identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline. The sections below explain what each area shows and what data source it uses.
Overview
Live data
Dashboard
High-level summary of the identity estate — total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center
Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance
Mixed — live + static
Orphaned & Stale
Static · Accounts that have never logged in, not authenticated in over 365 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
Privileged Access
Static · Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.
Access Certifications
Static · Manual snapshot of who has access to high-value applications, for audit purposes. Automated access reviews require Azure AD P2 — this is a P1-compatible alternative.
Licence Optimisation
Static · Identifies M365 licences assigned to inactive or disabled accounts, and flags E3 users eligible for F3 downgrade. Useful for cost reduction decisions.
Cross-platform Health
Static · Highlights discrepancies between Okta and Entra ID — accounts that exist in one platform but not the other, or where account status differs.
App Risk
Static · Okta apps assessed for security posture — MFA enforcement, sign-on method (SAML, OIDC, SWA), and last usage. SWA apps without MFA are flagged as high risk.
MFA & Password
Static · MFA enrolment rates and authenticator method breakdown across Okta users. Also shows password policy compliance — complexity, expiry, and AD provider coverage.
Guest & External
Static · Azure AD B2B guest accounts — external users with access to the tenant. Flags guests without MFA and those inactive for over 90 days. Risk scoring requires Azure AD P2.
Conditional Access
Static · Lists active Conditional Access policies in Azure AD — what they enforce, who they cover, and whether enabled or report-only. Policy management requires Azure AD P1.
Secrets & Certificates
Live data · App Registration client secrets and certificates in Azure AD with expiry dates. Expired and near-expiry credentials are flagged so they can be renewed before causing authentication failures. Refreshed hourly.
Okta Identity
Live data · hourly
User Directory
Full list of Okta users with status, department, country, and last login. Paginated at 50 per page with search. Source: okta_users.json written to SharePoint by the pipeline.
Groups & Memberships
All Okta groups broken down by type — Okta-managed vs AD-synced. Shows the most common naming prefixes. Source: okta_groups.json.
App Catalogue
All applications integrated with Okta, with sign-on method and active/inactive status. Provides an inventory of SSO-connected apps. Source: okta_apps.json.
Activity Feed
System log events from Okta — authentication attempts, account changes, policy violations, and admin actions. Okta retains logs for 90 days.
Microsoft Entra ID
Live data · hourly
User Directory
All Entra ID users with account status, licence assignment, guest flag, department, and last sign-in. Source: azure_users.json.
Groups & Memberships
All Entra ID groups — Microsoft 365, security, and dynamic membership groups. Shows naming patterns for governance. Source: azure_groups.json.
Enterprise Apps
App Registrations in the tenant — single-tenant vs multi-tenant, with creation dates. Includes Copilot Studio agents. Over 1,400 registered apps. Source: azure_apps.json.
Sign-in Activity
Azure AD sign-in and audit logs — successful sign-ins, risky sign-ins, MFA challenges, and Conditional Access outcomes. Retention is 30 days free tier, 90 days with P1/P2.
Data pipeline — All live data is collected by an Azure DevOps pipeline running on a self-hosted agent (Windows 11), scheduled hourly. It authenticates to Okta via API token and to Microsoft Graph via a service principal. Snapshots are written as JSON to SharePoint (IAM Governance / Identity Governance Platform / live/). The dashboard reads these files via Microsoft Graph API using your own delegated credentials — no separate backend or server is required.
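The Cross-platform Health categories described in this guide (Okta only, Azure only, status mismatch) can be derived offline from the two user snapshots. The following is an added example, not the platform's own code: it assumes the snapshot files hold raw Okta and Microsoft Graph user objects (the page does not document their schema), joins on lower-cased Okta login and Entra UPN, and runs on constructed sample records.

```python
import json

# Constructed sample snapshots. Assumption: okta_users.json and azure_users.json
# hold raw API user objects (Okta Users API / Microsoft Graph user resource);
# the page does not document the schema.
OKTA_SAMPLE = json.loads("""[
  {"status": "ACTIVE",        "profile": {"login": "Tom.Baker@example.com"}},
  {"status": "ACTIVE",        "profile": {"login": "lisa.chen@example.com"}},
  {"status": "DEPROVISIONED", "profile": {"login": "old.user@example.com"}},
  {"status": "LOCKED_OUT",    "profile": {"login": "jan.k@example.com"}}
]""")
AZURE_SAMPLE = json.loads("""[
  {"userPrincipalName": "LISA.CHEN@example.com", "accountEnabled": false, "userType": "Member"},
  {"userPrincipalName": "old.user@example.com",  "accountEnabled": false, "userType": "Member"},
  {"userPrincipalName": "jan.k@example.com",     "accountEnabled": true,  "userType": "Member"},
  {"userPrincipalName": "partner_vendor.example#EXT#@tenant.example", "accountEnabled": true, "userType": "Guest"}
]""")

# Okta statuses treated as "can no longer sign in"; LOCKED_OUT and
# PASSWORD_EXPIRED count as enabled because the account is still live.
OKTA_DISABLED = {"SUSPENDED", "DEPROVISIONED"}

def reconcile(okta_users, azure_users):
    """Return {account: issue} for accounts inconsistent between the snapshots."""
    # Normalise case and whitespace so the join does not miss cosmetic differences.
    okta = {u["profile"]["login"].strip().lower(): u for u in okta_users}
    azure = {u["userPrincipalName"].strip().lower(): u for u in azure_users}
    issues = {}
    for key, o in okta.items():
        a = azure.get(key)
        okta_enabled = o["status"] not in OKTA_DISABLED
        if a is None:
            # A deprovisioned Okta account with no Azure object is a clean leaver.
            if okta_enabled:
                issues[key] = "Okta only"
        elif okta_enabled != bool(a.get("accountEnabled")):
            issues[key] = "Status mismatch"
    for key, a in azure.items():
        if key not in okta:
            # B2B guests are expected to exist only in Entra ID; tag them separately.
            guest = a.get("userType") == "Guest"
            issues[key] = "Azure only (guest)" if guest else "Azure only"
    return issues

if __name__ == "__main__":
    for account, issue in sorted(reconcile(OKTA_SAMPLE, AZURE_SAMPLE).items()):
        print(f"{issue:20} {account}")
```

Accounts disabled on both sides, and locked-out accounts that are still enabled in Entra ID, are deliberately not reported, so the output lists only rows a reviewer needs to act on.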