Identity Health Score
Based on 4 key indicators
—
MFA coverage (Azure)—
Active accounts (Okta)—
Manager field coverage—
Secrets OK—
MFA Coverage
Azure data live · Okta loads separately
OKTA
—
— of — enrolled
AZURE AD
—
— of — registered
—
Enrolled
—
Not enrolled
—
Registered
—
Not registered
Conditional Access
Azure AD P1
—
of — policies
Enabled
—
Report only
—
Disabled
—
Identity trend
Okta total · active users
Total
Active
Sign-ins per day
Azure AD · Okta — availability depends on pipeline
Azure AD
Okta
Sign-in outcomes
Success · Failed · Interrupted
Success
Failed
Other
Governance
Click to navigate to each area
Orphaned & Stale
Identity hygiene
Privileged Access
Admin roles · Okta + Azure
Guest & External
External access risk
MFA & Password
Policy compliance
Licences
M365 waste analysis
Conditional Access
Policy coverage
Secrets & Certs
Audit Logs
Activity & sign-ins
Total users
—
convatec.okta.com
Active
—
of total
Never logged in
—
action required
Locked out
—
action required
Status distribution
Current snapshot
Users by domain
Email domain breakdown
Okta — User Directory
| User | Status | Dept | Country | Last login | |
|---|---|---|---|---|---|
Total groups
—
convatec.okta.com
Okta-managed
—
native
AD-synced
—
from Azure AD
Group types
Okta-managed vs AD-synced
Top groups by name prefix
Most common naming patterns
Okta — Groups & Memberships
| Group | Type | Description | Last updated |
|---|---|---|---|
Total apps
—
convatec.okta.com
Active
—
in use
Inactive
—
review
Active vs Inactive
App status breakdown
Sign-on method
SAML, OIDC, SWA, etc.
Okta — App Catalogue
| Application | Status | Sign-on | Created |
|---|---|---|---|
Events today
—
last 24h
Failed logins
—
—
Policy violations
—
review
Success rate
—
healthy
Okta system logs
Real-time event stream · convatec.okta.com
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
Total users
—
Entra ID
Licensed
—
M365
Guests
—
external
Disabled
—
review
Account status
Enabled vs Disabled vs Guest
Users by domain
UPN domain breakdown
Microsoft Entra ID — User Directory
| User | UPN | Status | Dept | Type | Last sign-in |
|---|---|---|---|---|---|
Total groups
—
Entra ID
Security groups
—
access control
M365 groups
—
Teams/SharePoint
No owner
—
governance risk
Group types
Security vs M365 vs Distribution
Top name prefixes
Most common group naming patterns
Microsoft Entra ID — Groups & Memberships
| Group | Type | Security | Mail-enabled | Created | Owner |
|---|---|---|---|---|---|
Total apps
—
registered
Multi-tenant
—
external access
Single-tenant
—
internal only
No owner
—
governance risk
Azure AD — Enterprise Applications
| Application | App ID | Audience | Created | Owner |
|---|---|---|---|---|
Expired
—
past expiry
Critical <30d
—
expiring soon
Warning <90d
—
plan rotation
Healthy >90d
—
no action needed
Status breakdown
Distribution of credential health
Credential type
Secrets vs certificates by status
Expired
—
immediate action
Critical <30 days
—
renew urgently
Warning <90 days
—
plan renewal
Healthy
—
no action needed
App Secrets & Certificates
| Application | Type | Secret / Cert name | Expiry date | Days left | Status |
|---|---|---|---|---|---|
Sign-ins today
—
last 24h
Risky sign-ins
—
—
CA compliance
—
healthy
MFA challenges
—
—
Azure AD activity logs
Audit & sign-in · Microsoft Graph API
Entra ID (free tier) retains sign-in and audit logs for 7 days; P1/P2 extend both to 30 days. Retention beyond that requires exporting the logs via diagnostic settings to a Log Analytics workspace, storage account or event hub.
Guest accounts
—
Entra · userType = Guest
Never signed in
—
provisioned but unused
Stale — no sign-in 90+ days
—
review recommended
Privileged guests
—
with Azure AD role
Activity state
Guest population by sign-in recency
Top external domains
Home organisations with most guest accounts
Review triage
— guests flagged
Privileged guests
—
Never signed in
—
Stale — no sign-in >90d
—
Disabled guests
—
Guest & External Users
Microsoft Entra ID · userType = Guest · authoritative source
| Display name | External domain | Type | Last sign-in | Created | Enabled | Privilege | Review |
|---|---|---|---|---|---|---|---|
Authoritative source — Guest identification uses Microsoft Entra ID exclusively (userType = Guest from azure_users.json). Okta does not have an equivalent native guest model and is not used for guest classification on this page.
·
External domain — extracted from the guest's UPN. Entra encodes the guest's home address before #EXT# with the @ replaced by an underscore (john.doe_partner.com#EXT#@tenant.onmicrosoft.com), so the home domain is the text after the last underscore before #EXT#.
·
Stale — no Entra sign-in in 90–179 days. Critical stale — 180+ days, strongest review/remove signal. Never signed in — provisioned but no sign-in on record; tracked separately from inactivity.
·
Privileged — guest UPN found in azure_privileged.json. Requires Privileged Access section to have loaded first for cross-reference; otherwise shows 0.
·
Review type — Remove candidate: disabled, or never signed in and created more than 180 days ago. Review access: stale (90+ days) or privileged. Active: recent sign-in.
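The classification described in the notes above, as an added worked example (this is not the page's pipeline code). It assumes azure_users.json carries the Microsoft Graph /users fields userPrincipalName, userType, accountEnabled, createdDateTime and signInActivity.lastSignInDateTime, and that azure_privileged.json reduces to a set of UPNs. The fixture records and the reference date are constructed for the example; a never-signed-in guest younger than 180 days is routed to "Review access", which is this example's assumption, since the page only defines the 180-day remove threshold.

```python
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone

# Fixed reference time so the worked results are reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed fixtures in the shape Graph returns for /users with signInActivity
# selected. Made up for this example, not data from the page.
GUESTS = [
    {"displayName": "Alice Vendor", "userType": "Guest", "accountEnabled": True,
     "userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2024-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T08:00:00Z"}},
    {"displayName": "Bob Smith", "userType": "Guest", "accountEnabled": True,
     "userPrincipalName": "bob_smith_supplier.co.uk#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2024-06-01T09:00:00Z", "signInActivity": {}},
    {"displayName": "Carol Consultant", "userType": "Guest", "accountEnabled": True,
     "userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2023-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-11-01T08:00:00Z"}},
    {"displayName": "Dan Disabled", "userType": "Guest", "accountEnabled": False,
     "userPrincipalName": "dan_oldco.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2022-01-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-30T08:00:00Z"}},
    {"displayName": "Eve New", "userType": "Guest", "accountEnabled": True,
     "userPrincipalName": "eve_partner.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2025-05-01T09:00:00Z", "signInActivity": {}},
    {"displayName": "Staff Member", "userType": "Member", "accountEnabled": True,
     "userPrincipalName": "staff@contoso.com", "createdDateTime": "2020-01-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-30T08:00:00Z"}},
]

# Constructed stand-in for azure_privileged.json: lower-cased UPNs holding an Entra role.
PRIVILEGED_UPNS = {"carol_partner.example#ext#@contoso.onmicrosoft.com"}


def external_domain(upn: str) -> str | None:
    """Home domain of a B2B guest. The home address before '#EXT#' has its '@'
    replaced by '_' (john_doe@partner.com -> john_doe_partner.com#EXT#@...).
    A DNS domain cannot contain '_', so the text after the last '_' is the domain."""
    if "#EXT#" not in upn:
        return None
    encoded = upn.split("#EXT#", 1)[0]
    return encoded.rsplit("_", 1)[1].lower() if "_" in encoded else None


def days_since(iso: str | None, now: datetime = NOW) -> int | None:
    """Whole days between a Graph ISO-8601 timestamp and `now`; None if absent."""
    if not iso:
        return None
    return (now - datetime.fromisoformat(iso.replace("Z", "+00:00"))).days


def activity_state(last_days: int | None) -> str:
    """Bands from the page: never signed in / active / stale (90-179) / critical stale (180+)."""
    if last_days is None:
        return "never signed in"
    if last_days >= 180:
        return "critical stale"
    if last_days >= 90:
        return "stale"
    return "active"


def classify_guest(user: dict, privileged_upns: set[str], now: datetime = NOW) -> dict:
    upn = user["userPrincipalName"]
    last = days_since(user.get("signInActivity", {}).get("lastSignInDateTime"), now)
    age = days_since(user.get("createdDateTime"), now)
    state = activity_state(last)
    privileged = upn.lower() in privileged_upns
    enabled = user.get("accountEnabled", True)

    # Review type as defined on the page. Never-signed-in guests inside the 180-day
    # window go to "Review access" rather than "Active" (example's assumption).
    if not enabled or (state == "never signed in" and age is not None and age > 180):
        review = "Remove candidate"
    elif state != "active" or privileged:
        review = "Review access"
    else:
        review = "Active"
    return {"upn": upn, "domain": external_domain(upn), "enabled": enabled,
            "last_sign_in_days": last, "state": state, "privileged": privileged, "review": review}


def triage(users: list[dict], privileged_upns: set[str], now: datetime = NOW) -> dict:
    """Guest-only triage: Members are skipped because Entra userType=Guest is the sole authority."""
    rows = [classify_guest(u, privileged_upns, now) for u in users if u.get("userType") == "Guest"]
    return {"rows": rows,
            "by_review": dict(Counter(r["review"] for r in rows)),
            "top_domains": Counter(r["domain"] for r in rows).most_common(3),
            "privileged_guests": [r["upn"] for r in rows if r["privileged"]]}


if __name__ == "__main__":
    result = triage(GUESTS, PRIVILEGED_UPNS)
    for r in result["rows"]:
        print(f'{r["upn"]:58} {r["state"]:16} {r["review"]}')
    print(result["by_review"], result["top_domains"])
```

Note that the privileged cross-reference is case-insensitive on purpose: role assignment exports and directory exports do not always agree on UPN casing, and a case mismatch would silently drop the privileged flag the page warns about.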
MFA & Password
Okta is the primary MFA control path · Azure tiles show Entra-native registration · scroll down for Okta data
Azure Registered ↓
—
of total Azure users
Not Registered (Azure)
—
not Azure-registered · Okta may cover
MFA Capable ↓
—
capable of registration (Azure)
Admins no MFA
—
critical risk · Azure AD admins
Microsoft Entra ID
azure_mfa_registrations.json
Registered ↓
—
of total
Not registered
—
action needed
MFA capable ↓
—
can enroll
Admins no MFA
—
critical risk
Registration trend
Azure Entra
Coverage % over time
Azure registered / total enabled users
Methods used
Azure Entra · per registered user
Okta Identity
okta_mfa_summary.json
Okta MFA data not yet available
pipeline_mfa.py must complete first
Primary MFA path — Okta is the primary MFA enforcement path in this environment. Entra / Azure MFA registration is a native Microsoft platform metric and does not represent the overall MFA posture. A user with no Azure registration may still have MFA enforced via Okta.
·
Azure data source —
azure_mfa_registrations.json. The fields isMfaRegistered, isMfaCapable and methodsRegistered are those of the Microsoft Graph userRegistrationDetails report (reports/authenticationMethods/userRegistrationDetails), which supersedes the deprecated credentialUserRegistrationDetails beta endpoint.
·
Okta data source — okta_mfa_summary.json written by pipeline_mfa.py. Available asynchronously — page will show Okta block once pipeline has run.
·
MFA Capable (Azure) — isMfaCapable means the user has registered at least one strong authentication method that the tenant's authentication methods policy allows for MFA. It is not a statement about the user's devices, and it does not indicate FIDO2 or hardware key capability specifically; check methodsRegistered for that.
·
Admin classification — isAdmin flag comes from the Azure pipeline and reflects Azure AD privileged role assignments. Okta admin classification is separate and shown in the Okta block.
·
Service accounts (Okta) — detected heuristically by the pipeline from Okta user profile patterns (login prefix, missing first/last name, service account naming conventions). Not authoritative — treat as indicative only.
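The "primary MFA path" point above is easy to get wrong in a dashboard: counting only Entra registrations under-reports coverage, while counting Okta and Entra separately double-counts. The added example below (not the page's pipeline_mfa.py) joins the two sources per user and reports effective coverage, admins with no MFA on either platform, and admins whose only registered methods are not phishing-resistant. It assumes okta_mfa_summary.json is a list of {login, mfa_enrolled, is_admin} records, which the page does not document, joins on lower-cased identifiers (so an Okta login that differs from the UPN stays unmatched, matching the page's "partial" caveat), and takes fido2SecurityKey and windowsHelloForBusiness as the phishing-resistant method names; all fixture data is constructed.

```python
from __future__ import annotations

# Constructed fixtures. AZURE mirrors the fields the page lists from Graph's
# userRegistrationDetails report; OKTA mirrors an ASSUMED shape for okta_mfa_summary.json.
AZURE = [
    {"userPrincipalName": "ana@contoso.com", "isAdmin": True, "isMfaRegistered": True,
     "isMfaCapable": True, "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "ben@contoso.com", "isAdmin": False, "isMfaRegistered": False,
     "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "cho@contoso.com", "isAdmin": True, "isMfaRegistered": False,
     "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "dee@contoso.com", "isAdmin": False, "isMfaRegistered": False,
     "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "eli@contoso.com", "isAdmin": True, "isMfaRegistered": True,
     "isMfaCapable": True, "methodsRegistered": ["mobilePhone"]},
]
OKTA = [
    {"login": "Ben@Contoso.com", "mfa_enrolled": True, "is_admin": False},   # case differs from UPN
    {"login": "cho@contoso.com", "mfa_enrolled": False, "is_admin": True},
    {"login": "dee.admin@contoso.com", "mfa_enrolled": True, "is_admin": True},  # login != UPN: no join
]

# Graph methodsRegistered values treated as phishing-resistant (assumed set for the example).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness"}


def join_key(identifier: str) -> str:
    """Normalise a UPN or Okta login for joining: trimmed and case-insensitive.
    Alias or HR-id mapping is deliberately out of scope here."""
    return identifier.strip().lower()


def effective_mfa_posture(azure: list[dict], okta: list[dict]) -> dict:
    okta_by_key = {join_key(o["login"]): o for o in okta}
    matched: set[str] = set()
    azure_registered = covered = 0
    admins_no_mfa: list[str] = []
    admins_weak_method: list[str] = []

    for a in azure:
        key = join_key(a["userPrincipalName"])
        o = okta_by_key.get(key)
        if o is not None:
            matched.add(key)
        azure_registered += int(a["isMfaRegistered"])
        # Effective coverage: Okta enrolment counts even when Entra shows no registration.
        has_mfa = a["isMfaRegistered"] or bool(o and o.get("mfa_enrolled"))
        covered += int(has_mfa)
        if a["isAdmin"]:
            if not has_mfa:
                admins_no_mfa.append(a["userPrincipalName"])
            elif not PHISHING_RESISTANT & set(a.get("methodsRegistered", [])):
                admins_weak_method.append(a["userPrincipalName"])

    total = len(azure)
    pct = (lambda n: round(100.0 * n / total, 1)) if total else (lambda n: 0.0)
    return {
        "total": total,
        "azure_registered_pct": pct(azure_registered),
        "effective_coverage_pct": pct(covered),
        "admins_no_mfa": admins_no_mfa,
        "admins_without_phishing_resistant_method": admins_weak_method,
        # Okta identities that never joined: their MFA state is invisible to the
        # Azure-keyed rows above, so they must be reported rather than dropped.
        "okta_unmatched_logins": [o["login"] for k, o in okta_by_key.items() if k not in matched],
    }


if __name__ == "__main__":
    for k, v in effective_mfa_posture(AZURE, OKTA).items():
        print(f"{k:42} {v}")
```

The unmatched list is the important output for a platform like this one: an Okta admin whose login does not equal the Entra UPN is neither counted as covered nor flagged as missing MFA, which is exactly the blind spot the Privileged Access notes describe.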
Never logged in
—
— of total
No login over 90 days
—
— of total
Workforce missing manager
—
missing at source or unsynced
Locked out
—
require unlock
Manager ownership analysis
Okta is the source of manager data — Entra receives sync downstream
Okta — Stale & Orphaned
Active Okta accounts flagged by last-login, manager, or status
Manager analysis
Inactivity aging
Review triage
— of — likely workforce accounts
Review now
—
Complex cases
—
Likely exception
—
Stale + no manager
—
Dormant accounts
—
Stale & orphaned accounts
Accounts with no sign-in recorded or missing attributes · Read-only view
| User | Type | Issue | Last login | Created | Manager | Action | |
|---|---|---|---|---|---|---|---|
Signal hierarchy — Headline KPIs: activity flags · Manager analytics: source vs downstream · Triage: enabled+active / compound risk / dormant · Population chart: issue distribution by account type
·
Inactivity bands — 30–59d: early inactivity (monitoring). 60–89d: aging inactivity (review signal). 90–179d: stale — main remediation threshold. 180+d: critical stale — strongest review/remove candidate. Never signed in: separate state, not blended into inactivity.
·
Manager model — Okta = source (Workday HR sync). Propagation gap: Okta has manager, Entra empty — check AD sync. Missing in both: Entra record found, both empty — HR data gap. AAD unresolved: no Entra match at all. Compound risk: stale + manager issue together.
·
Account type is pattern-derived from login/name — heuristic only, not authoritative. Technical = svc/app/system/noreply patterns or missing first+last name. Shared = mailbox/generic/team prefix patterns. Workforce = all others.
Review candidates only — not automatic actions
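The inactivity bands, manager model and account-type heuristic described above, as an added worked example that is not the page's pipeline code. It assumes Okta user records in the Okta Users API shape (status, created, lastLogin, profile.login/firstName/lastName) with the manager's login carried in profile.manager, a common Workday-to-Okta mapping the page does not name, and Entra records keyed by lower-cased UPN with a manager field. The mapping of results to "Review now" and "Likely exception" is this example's assumption: technical and shared accounts routinely lack a manager or interactive sign-in, so they are surfaced as likely exceptions rather than remediation items. All fixture data is constructed.

```python
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timezone

# Fixed reference time so the worked results are reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed Okta users (subset of the Okta Users API shape). profile.manager is ASSUMED.
OKTA_USERS = [
    {"status": "ACTIVE", "created": "2024-01-15T09:00:00.000Z", "lastLogin": "2025-05-25T07:00:00.000Z",
     "profile": {"login": "john.roe@corp.example", "firstName": "John", "lastName": "Roe",
                 "manager": "mary.major@corp.example"}},
    {"status": "ACTIVE", "created": "2023-06-01T09:00:00.000Z", "lastLogin": "2025-02-20T07:00:00.000Z",
     "profile": {"login": "jane.doe@corp.example", "firstName": "Jane", "lastName": "Doe",
                 "manager": "mary.major@corp.example"}},
    {"status": "ACTIVE", "created": "2022-02-01T09:00:00.000Z", "lastLogin": "2024-10-01T07:00:00.000Z",
     "profile": {"login": "kim.lee@corp.example", "firstName": "Kim", "lastName": "Lee", "manager": None}},
    {"status": "ACTIVE", "created": "2024-03-01T09:00:00.000Z", "lastLogin": None,
     "profile": {"login": "svc-backup@corp.example", "firstName": None, "lastName": None, "manager": None}},
    {"status": "LOCKED_OUT", "created": "2024-03-01T09:00:00.000Z", "lastLogin": "2025-04-20T07:00:00.000Z",
     "profile": {"login": "team.mailbox@corp.example", "firstName": "Team", "lastName": "Mailbox",
                 "manager": None}},
]
# Constructed Entra records keyed by lower-case UPN; manager is the downstream-synced value.
ENTRA_USERS = {
    "john.roe@corp.example": {"manager": "mary.major@corp.example"},
    "jane.doe@corp.example": {"manager": None},   # Okta has it, Entra does not
    "kim.lee@corp.example": {"manager": None},    # empty on both sides
    "team.mailbox@corp.example": {"manager": None},
    # svc-backup has no Entra record at all
}

TECHNICAL = re.compile(r"^(svc|app|system|noreply)([-_.]|$)", re.I)
SHARED = re.compile(r"^(mailbox|generic|team)([-_.]|$)", re.I)


def account_type(profile: dict) -> str:
    """Pattern-derived type from the page: Technical, Shared, else Workforce. Heuristic only."""
    local = profile["login"].split("@", 1)[0]
    if TECHNICAL.match(local) or not (profile.get("firstName") and profile.get("lastName")):
        return "Technical"
    if SHARED.match(local):
        return "Shared"
    return "Workforce"


def days_since(iso: str | None, now: datetime = NOW) -> int | None:
    if not iso:
        return None
    return (now - datetime.fromisoformat(iso.replace("Z", "+00:00"))).days


def inactivity_band(last_days: int | None) -> str:
    """Bands from the page; 'never signed in' is a separate state, not blended into inactivity."""
    if last_days is None:
        return "never signed in"
    for floor, name in ((180, "critical stale"), (90, "stale"), (60, "aging"), (30, "early")):
        if last_days >= floor:
            return name
    return "active"


def manager_state(okta_manager: str | None, entra_record: dict | None) -> str:
    """Okta is the source; Entra receives the value downstream."""
    if entra_record is None:
        return "AAD unresolved"
    entra_manager = entra_record.get("manager")
    if okta_manager and not entra_manager:
        return "propagation gap"
    if not okta_manager and not entra_manager:
        return "missing in both"
    if not okta_manager and entra_manager:
        return "entra only"  # not on the page; the source should never lag its copy
    return "ok"


def review(user: dict, entra_by_upn: dict, now: datetime = NOW) -> dict:
    profile = user["profile"]
    band = inactivity_band(days_since(user.get("lastLogin"), now))
    mgr = manager_state(profile.get("manager"), entra_by_upn.get(profile["login"].lower()))
    acct = account_type(profile)
    compound = band in ("stale", "critical stale") and mgr != "ok"   # page: stale + manager issue
    issues = [x for x in (band if band not in ("active", "early") else None,
                          mgr if mgr != "ok" else None,
                          "locked out" if user.get("status") == "LOCKED_OUT" else None) if x]
    if acct != "Workforce":
        action = "Likely exception"   # example's assumption, see lead-in
    elif compound:
        action = "Review now"
    elif issues:
        action = "Review"
    else:
        action = "OK"
    return {"login": profile["login"], "type": acct, "band": band, "manager": mgr,
            "compound_risk": compound, "issues": issues, "action": action}


def triage(okta_users: list[dict], entra_users: dict, now: datetime = NOW) -> dict:
    rows = [review(u, entra_users, now) for u in okta_users]
    workforce = [r for r in rows if r["type"] == "Workforce"]
    return {"rows": rows, "by_action": dict(Counter(r["action"] for r in rows)),
            "workforce_total": len(workforce),
            "compound_risk": [r["login"] for r in workforce if r["compound_risk"]]}


if __name__ == "__main__":
    for r in triage(OKTA_USERS, ENTRA_USERS)["rows"]:
        print(f'{r["login"]:28} {r["type"]:10} {r["band"]:16} {r["manager"]:16} {r["action"]}')
```

Keeping "never signed in" out of the day-count bands matters for the dashboards above: a newly created account with no sign-in yet would otherwise land in the same bucket as a 180-day dormant one.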
Total privileged accounts
—
Azure AD + Okta
Without MFA
—
critical risk
Stale privileged accounts
—
no sign-in over 90 days
Disabled with active role
—
review required
Platform breakdown
Coverage may be partial — see methodology
Privilege risk alerts
Accounts requiring immediate attention
Review triage
— accounts require action
Critical — no MFA
—
Stale admins (>90d)
—
Guest privileged
—
Disabled with role
—
Azure AD privileged roles
azure_privileged.json · permanent role assignments · full coverage
| User | Role | Type | MFA | Last sign-in | Enabled |
|---|---|---|---|---|---|
Okta admin roles
okta_privileged.json · coverage depends on API token scope — see methodology
| User | Role | MFA | Status |
|---|---|---|---|
What counts as privileged — Azure AD permanent role assignments (Global Admin, User Admin, Exchange Admin, etc.) + Okta admin roles (Super Admin, Org Admin, etc.)
·
Okta coverage — may be partial: Okta admin role visibility requires a specific API token scope. If the token lacks
okta.roles.read, the Okta count will be 0 or incomplete.
·
Stale — no sign-in in 90–179 days (Azure AD only; Okta last sign-in not available in current data). Critical stale — 180+ days; escalated to Critical alert where present.
·
MFA — from azure_mfa_registrations.json. Partial for Okta users whose UPN differs from their Okta login.
·
Guest / external — UPN contains #EXT#.
·
PIM / just-in-time — not covered. This view shows permanent assignments only, so eligible (PIM) assignments are not counted and the total may under-state who can obtain a role. Azure AD P2 required for activation history.
Access Certifications not available
Automated certification campaigns require Azure AD P2. No data source is currently configured for this section.
SKUs Active
—
M365 subscriptions
Total Purchased
—
seats purchased
Consumed
—
seats assigned
Available
—
unassigned seats
Total SKUs
—
licence types in tenant
Total purchased
—
across all SKUs
Consumed
—
assigned to users
Available
—
unassigned seats
Licence consumption trend
Available seats trend
Unassigned licences over time
CA policies active
—
Azure AD P1
Policies enabled
—
—
Report-only
—
not yet enforced
Disabled policies
—
inactive
Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2
Conditional Access policies
Azure AD
| Policy name | State | Users included | Conditions | Grant control |
|---|---|---|---|---|
Total events
—
all time
Reports generated
—
all time
Unique users
—
accessed platform
Generate Identity Governance Report
Export a full snapshot of your identity posture across Okta + Microsoft Entra ID
Report type
📊
Executive
KPIs & summary only
🔧
Operational
KPIs + full tables
🔍
Audit
Full detail + metadata
Time range
or custom:
Include sections
Platform Guide
This platform provides identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline, so counts are near-real-time rather than live. The sections below explain what each area shows and what data source it uses.
Overview
Live data
Dashboard
High-level summary of the identity estate — total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center
Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance
Mixed — live + static
Orphaned & Stale
Static · Accounts that have never logged in, have not authenticated in over 90 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
Privileged Access
Static · Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.