Identity Health Score
Based on MFA, active accounts, manager assignment and orphan hygiene
MFA Coverage
Active accounts
Enabled w/ manager
Secrets OK (>90d)
Identity trends
Total Okta users — last 12 snapshots
Never logged in — trend
Hygiene improvement over time
Recent activity
Last events across both platforms
Account locked out · 2m ago
New user provisioned · 14m ago
Risky sign-in detected · 31m ago
Password expired · 1h ago
Group membership changed · 3h ago
Top risks
Items requiring attention
Never logged in · Accounts never activated
No login >365 days · Potentially orphaned
Locked out · Require admin action
No manager assigned · Orphaned from org
Governance
Orphaned & Stale · Identity hygiene
Privileged Access · Admin roles
Licences · M365 waste
MFA & Password · Policy compliance
Guest & External · External access risk
Conditional Access · Policy coverage
App Risk · App security posture
Secrets & Certs
Total users · convatec.okta.com
Active · of total
Provisioned · awaiting activation
Staged · not yet activated
Locked out · action required
Password expired · must reset on login
Suspended · admin action
Deprovisioned · deactivated
Status distribution · Current snapshot
Users by domain · Email domain breakdown
Okta — User Directory
| User | Status | Dept | Country | Last login | |
|---|---|---|---|---|---|
Total groups · convatec.okta.com
Okta-managed · native
AD-synced · from Azure AD
Group types · Okta-managed vs AD-synced
Top groups by name prefix · Most common naming patterns
Okta — Groups & Memberships
| Group | Type | Description | Last updated |
|---|---|---|---|
Total apps · convatec.okta.com
Active · in use
Inactive
Active vs Inactive · App status breakdown
Sign-on method · SAML, OIDC, SWA, etc.
Okta — App Catalogue
| Application | Status | Sign-on | Created |
|---|---|---|---|
Events today · last 24h
Failed logins
Policy violations · review
Success rate · healthy
Okta system logs
Real-time event stream · convatec.okta.com
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
Total users · Entra ID
Licensed · M365
Guests · external
Disabled · review
Account status · Enabled vs Disabled vs Guest
Users by domain · UPN domain breakdown
Microsoft Entra ID — User Directory
| User | UPN | Status | Dept | Type | Last sign-in |
|---|---|---|---|---|---|
Total groups · Entra ID
Security groups · access control
M365 groups · Teams/SharePoint
No owner · governance risk
Group types · Security vs M365 vs Distribution
Top name prefixes · Most common group naming patterns
Microsoft Entra ID — Groups & Memberships
| Group | Type | Security | Mail-enabled | Created | Owner |
|---|---|---|---|---|---|
Total apps · registered
Multi-tenant · external access
Single-tenant · internal only
No owner · governance risk
Azure AD — Enterprise Applications
| Application | App ID | Audience | Created | Owner |
|---|---|---|---|---|
Expired · immediate action
Critical <30 days · renew urgently
Warning <90 days · plan renewal
Healthy · no action needed
App Secrets & Certificates
| Application | Type | Secret / Cert name | Expiry date | Days left | Status |
|---|---|---|---|---|---|
Sign-ins today · last 24h
Risky sign-ins
CA compliance · healthy
MFA challenges
Azure AD activity logs
Audit & sign-in · Microsoft Graph API
Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.
Total guests · external users
Never signed in · action needed
Inactive >90d · review recommended
Enabled · active accounts
Microsoft Entra ID
Azure AD
Registered · of total users
Not registered · action needed
MFA capable · can enroll now
Admins no MFA · critical risk
Methods used · Authentication methods registered by users
Registration trend
Coverage % over time · Registered as % of total
Okta Identity
Workforce IdP
Data will appear when pipeline_mfa.py completes
Never logged in · of total
No login >365 days · of total
No manager assigned · of total
Locked out · require unlock
Stale & orphaned accounts
Accounts with no activity or missing attributes · Read-only view
| User | Issue | Last login | Created | Manager | Action | |
|---|---|---|---|---|---|---|
Okta Super Admins · review regularly
Azure Global Admins · review regularly
Total privileged · Azure + Okta
Without MFA · critical risk
Disabled with role · review required
Stale admins · no login >90d
Privilege risk alerts
Admins that require immediate attention
Azure AD privileged roles
azure_privileged.json · real data
| User | Role | MFA | Last login |
|---|---|---|---|
Okta admin roles
okta_privileged.json · real data
| User | Role | MFA | Status |
|---|---|---|---|
PIM just-in-time activation and role history requires Azure AD P2. This view shows permanent role assignments only.
Access Certifications not available
Automated certification campaigns require Azure AD P2. No data source is currently configured for this section.
Total SKUs · licence types in tenant
Total purchased · across all SKUs
Consumed · assigned to users
Available · unassigned seats
Licence consumption trend
Available seats trend · Unassigned licences over time
CA policies active · Azure AD P1
Policies enabled
Report-only · not yet enforced
Disabled policies · inactive
Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2
Conditional Access policies
Azure AD
| Policy name | State | Users included | Conditions | Grant control |
|---|---|---|---|---|
Total events · all time
Reports generated · all time
Unique users · accessed platform
Generate Identity Governance Report
Export a full snapshot of your identity posture across Okta + Microsoft Entra ID
Report type
Executive · KPIs & summary only
Operational · KPIs + full tables
Audit · Full detail + metadata
Time range
Include sections
Platform Guide
This platform provides real-time identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline. The sections below explain what each area shows and what data source it uses.
Overview
Live data
Dashboard
High-level summary of the identity estate — total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center
Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance
Mixed — live + static
Orphaned & Stale
Static · Accounts that have never logged in, not authenticated in over 365 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
Privileged Access
Static · Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.
Access Certifications
Static · Manual snapshot of who has access to high-value applications, for audit purposes. Automated access reviews require Azure AD P2 — this is a P1-compatible alternative.
Licences
Static · Identifies M365 licences assigned to inactive or disabled accounts, and flags E3 users eligible for F3 downgrade. Useful for cost reduction decisions.
Cross-platform Health
Static · Highlights discrepancies between Okta and Entra ID — accounts that exist in one platform but not the other, or where account status differs.
App Risk
Static · Okta apps assessed for security posture — MFA enforcement, sign-on method (SAML, OIDC, SWA), and last usage. SWA apps without MFA are flagged as high risk.
MFA & Password
Static · MFA enrolment rates and authenticator method breakdown across Okta users. Also shows password policy compliance — complexity, expiry, and AD provider coverage.
Guest & External
Static · Azure AD B2B guest accounts — external users with access to the tenant. Flags guests without MFA and those inactive for over 90 days. Risk scoring requires Azure AD P2.
Conditional Access
Static · Lists active Conditional Access policies in Azure AD — what they enforce, who they cover, and whether enabled or report-only. Policy management requires Azure AD P1.
Secrets & Certificates
Live data · App Registration client secrets and certificates in Azure AD with expiry dates. Expired and near-expiry credentials are flagged so they can be renewed before causing authentication failures. Refreshed hourly.
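The stale and orphaned checks described in the Orphaned & Stale entry (never logged in, no login in over 365 days, no manager assigned, plus the Locked out tile) can be computed directly from an okta_users.json snapshot. This is an added example, not the platform's pipeline code; it assumes records in Okta's standard user shape (status, lastLogin, profile.manager) and uses a constructed sample rather than real tenant data.

```python
"""Classify Okta users into the dashboard's stale/orphaned buckets."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the okta_users.json shape (status, created,
# lastLogin, profile.manager as returned by Okta's /api/v1/users).
SAMPLE_USERS = json.loads("""[
 {"id":"u1","status":"ACTIVE","created":"2021-03-01T09:00:00.000Z",
  "lastLogin":"2021-04-02T08:00:00.000Z",
  "profile":{"login":"a@example.com","manager":"boss@example.com"}},
 {"id":"u2","status":"PROVISIONED","created":"2024-01-10T09:00:00.000Z",
  "lastLogin":null,
  "profile":{"login":"b@example.com","manager":"boss@example.com"}},
 {"id":"u3","status":"LOCKED_OUT","created":"2022-06-01T09:00:00.000Z",
  "lastLogin":"2024-11-20T08:00:00.000Z",
  "profile":{"login":"c@example.com"}},
 {"id":"u4","status":"ACTIVE","created":"2023-02-01T09:00:00.000Z",
  "lastLogin":"2024-12-01T08:00:00.000Z",
  "profile":{"login":"d@example.com","manager":"boss@example.com"}}
]""")

def parse_ts(value):
    """Okta timestamps are ISO 8601 with a trailing Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify_user(user, now):
    """Issue labels for one user, matching the 'Top risks' tiles."""
    issues = set()
    last_login = parse_ts(user.get("lastLogin"))
    if last_login is None:
        issues.add("Never logged in")          # never activated or never authenticated
    elif now - last_login > timedelta(days=365):
        issues.add("No login >365 days")       # potentially orphaned
    if user.get("status") == "LOCKED_OUT":
        issues.add("Locked out")               # requires admin unlock
    if not user.get("profile", {}).get("manager"):
        issues.add("No manager assigned")      # orphaned from org
    return issues

def top_risks(users, as_of=None):
    """Per-issue count and '% of total', as the dashboard tiles show them."""
    now = parse_ts(as_of) if as_of else datetime.now(timezone.utc)
    counts = {}
    for user in users:
        for issue in classify_user(user, now):
            counts[issue] = counts.get(issue, 0) + 1
    total = len(users) or 1
    return {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}
```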
Okta Identity
Live data · hourly
User Directory
Full list of Okta users with status, department, country, and last login. Paginated at 50 per page with search. Source: okta_users.json written to SharePoint by the pipeline.
Groups & Memberships
All Okta groups broken down by type — Okta-managed vs AD-synced. Shows the most common naming prefixes. Source: okta_groups.json.
App Catalogue
All applications integrated with Okta, with sign-on method and active/inactive status. Provides an inventory of SSO-connected apps. Source: okta_apps.json.
Activity Feed
System log events from Okta — authentication attempts, account changes, policy violations, and admin actions. Okta retains logs for 90 days.
Microsoft Entra ID
Live data · hourly
User Directory
All Entra ID users with account status, licence assignment, guest flag, department, and last sign-in. Source: azure_users.json.
Groups & Memberships
All Entra ID groups — Microsoft 365, security, and dynamic membership groups. Shows naming patterns for governance. Source: azure_groups.json.
Enterprise Apps
App Registrations in the tenant — single-tenant vs multi-tenant, with creation dates. Includes Copilot Studio agents. Over 1,400 registered apps. Source: azure_apps.json.
Sign-in Activity
Azure AD sign-in and audit logs — successful sign-ins, risky sign-ins, MFA challenges, and Conditional Access outcomes. Retention is 30 days free tier, 90 days with P1/P2.
Data pipeline — All live data is collected by an Azure DevOps pipeline running on a self-hosted agent (Windows 11), scheduled hourly. It authenticates to Okta via API token and to Microsoft Graph via a service principal. Snapshots are written as JSON to SharePoint (IAM Governance / Identity Governance Platform / live/). The dashboard reads these files via Microsoft Graph API using your own delegated credentials — no separate backend or server is required.
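The expiry buckets the Secrets & Certificates section uses (Expired, Critical <30 days, Warning <90 days, Healthy) and the "Secrets OK (>90d)" health-score component, applied to an app-registration snapshot like the one the pipeline writes. This is an added example, not the platform's own code; it assumes the Microsoft Graph application shape (passwordCredentials and keyCredentials, each with displayName and endDateTime) and uses a constructed sample rather than the real azure_apps.json.

```python
"""Bucket App Registration secrets and certificates by days to expiry."""
import json
from datetime import datetime

# Constructed sample in the Microsoft Graph application shape that an
# azure_apps.json snapshot would carry: passwordCredentials (client
# secrets) and keyCredentials (certificates), each with an endDateTime.
SAMPLE_APPS = json.loads("""[
 {"displayName":"Payroll Connector",
  "passwordCredentials":[{"displayName":"prod-secret","endDateTime":"2025-01-05T00:00:00Z"}],
  "keyCredentials":[{"displayName":"signing-cert","endDateTime":"2025-02-01T00:00:00Z"}]},
 {"displayName":"HR Sync",
  "passwordCredentials":[{"displayName":"sync-secret","endDateTime":"2025-03-20T00:00:00Z"}],
  "keyCredentials":[]},
 {"displayName":"Reporting Bot",
  "passwordCredentials":[{"displayName":"bot-secret","endDateTime":"2026-01-01T00:00:00Z"}],
  "keyCredentials":[]}
]""")

def parse_ts(value):
    """Graph returns ISO 8601 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def status_for(days_left):
    """Tile thresholds: Expired, Critical <30 days, Warning <90 days, Healthy."""
    if days_left < 0:
        return "Expired"
    if days_left < 30:
        return "Critical"
    if days_left < 90:
        return "Warning"
    return "Healthy"

def credential_rows(apps, as_of):
    """One row per secret/cert with the columns of the Secrets & Certificates table."""
    now = parse_ts(as_of)
    rows = []
    for app in apps:
        for kind, key in (("Secret", "passwordCredentials"), ("Certificate", "keyCredentials")):
            for cred in app.get(key) or []:
                days_left = (parse_ts(cred["endDateTime"]) - now).days
                rows.append({"application": app["displayName"], "type": kind,
                             "name": cred.get("displayName"), "expiry": cred["endDateTime"],
                             "days_left": days_left, "status": status_for(days_left)})
    return sorted(rows, key=lambda r: r["days_left"])   # most urgent first

def secrets_ok_pct(rows):
    """Health-score component 'Secrets OK (>90d)': share with more than 90 days left."""
    if not rows:
        return 100.0
    return round(100 * sum(r["days_left"] > 90 for r in rows) / len(rows), 1)
```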