Identity Health Score
Based on 4 key indicators
MFA coverage
Active accounts
With manager
Secrets OK
Conditional Access
Enabled
Report only
Disabled
Total users · convatec.okta.com
Active · of total
Provisioned · awaiting activation
Staged · not yet activated
Locked out · action required
Password expired · must reset on login
Suspended · admin action
Deprovisioned · deactivated
Status distribution
Current user state distribution
Users by domain
Users grouped by email domain
By cost centre / dept
Top cost centres by user count
Login recency
Active users grouped by login recency
User summary
Key derived metrics from
Total groups · convatec.okta.com
Okta-managed · native groups
AD-synced · from Azure AD
Group types
Group type distribution
Name prefix patterns
Naming pattern frequency
Update recency
How recently groups were modified
Group summary
Summary metrics from
Recommendations
Automated hygiene recommendations
Total apps · convatec.okta.com
Active · in use
Inactive · review recommended
App status
Sign-on method
Sign-on methods
Top app name prefixes
Name patterns
App summary
Summary metrics from
Recommendations
Events today · last 24h
Failed logins
Policy violations · review
Success rate · healthy
Events by type
Distribution of event categories
Top actors
Most active users · last 24h
Failures by hour
Failed auth attempts
Top countries
Sign-in events by country
Top apps accessed
SSO sign-ons by application
Okta system logs
Real-time event stream · convatec.okta.com
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
6 events
Total users · Entra ID
Licensed · M365 assigned
Guests · external users
Disabled · review recommended
Account status
By domain
Domain breakdown
By department
Departments
Sign-in recency
Login recency
By country
Countries
Total groups · Entra ID
Security groups · access control
M365 groups · Teams / SharePoint
No owner · governance risk
Group types
Mail-enabled
Mail groups
Name prefixes
Name patterns
Group summary
Summary metrics from
Recommendations
Total apps · App Registrations
Expiring secrets · within 90 days
No owner · governance risk
Healthy apps · no issues
Apps by audience
App scope
Apps with most secrets
Credential count
Recommendations
Expired · immediate action
Critical <30 days · renew urgently
Warning <90 days · plan renewal
Healthy · no action needed
Status breakdown
Credential status
Apps with most secrets
Most credential-heavy apps
Recommended actions
Action items
Type breakdown
Client secrets vs certificates
Expiry timeline
Sign-ins today · last 24h
Risky sign-ins
CA compliance · healthy
MFA challenges
Azure AD activity logs
Audit & sign-in · Microsoft Graph API
Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.
5 events
Total guests · external users
Never signed in · action needed
Inactive >90d · review recommended
Enabled accounts · active accounts
Guests by domain
Guest users by organisation domain
Activity status
Guest activity status
Recommended actions
Automated recommendations
Sign-in recency
Days since last Azure AD sign-in
Guest summary
Summary metrics from (userType=Guest)
Microsoft Entra ID
Azure AD
Registered · of total users
Not registered · action needed
MFA capable · can enroll now
Admins no MFA · critical risk
Methods used
Authentication methods registered by users
Registration trend
Coverage % over time
Registered as % of total
Okta Identity
Workforce IdP
Pipeline running...
Data will appear when pipeline_mfa.py completes
Never logged in · of total
Stale · no login >365d · of total
No manager assigned · of total
Locked out · require unlock
Issue breakdown
· lastLogin + manager + status
By cost centre / dept
Top departments by orphaned account count
Recommended actions
Actions ranked by business impact
Inactivity buckets
Grouped by inactivity period
No manager · by domain
Accounts without an assigned manager
Inactivity distribution
Distribution by inactivity duration
Summary stats
Key derived metrics from
Okta super admins · review regularly
Azure global admins · review regularly
Total privileged · Azure + Okta combined
Without MFA · critical risk
Disabled with role · review required
Stale admins >90d · no login >90 days
Permanent roles only · PIM not active
Azure roles breakdown
· role distribution
MFA coverage
MFA coverage for privileged accounts
Risk alerts
Action items
Last login recency
Privileged account activity
Platform stats
Privileged access summary
Azure AD privileged roles
· real data
| User | Role | MFA | Last login |
|---|---|---|---|
Okta admin roles
· real data
| User | Role | MFA | Status |
|---|---|---|---|
⚠ PIM just-in-time activation and role history require Azure AD P2. This view shows permanent role assignments only.
Access Certifications not available
Automated certification campaigns require Azure AD P2. No data source is currently configured for this section.
SKUs active · licence types
Total seats · purchased
In use · utilisation rate
Available seats · unused
Consumption by SKU
· consumed units
Utilisation by SKU
Percentage of seats in use · colour coded by health
Cost optimisation
Based on utilisation analysis
Consumption trend
· pipeline snapshots
Licence summary
Summary metrics from
| SKU name | Part number | Purchased | Consumed | Available | Utilisation | Status |
|---|---|---|---|---|---|---|
CA policies active · Azure AD P1
Policies enabled · 55% enforced
Report only · not yet enforced
Disabled · inactive
Policy state
Enabled vs report-only vs disabled
Grant controls
Policy enforcement type
User scope
Policy user scope
Coverage stats
Policy coverage summary
Recommendations
Automated policy recommendations
Most visited section · this session
Total section visits · all sections · this session
Time on platform · total seconds · this session
CSV exports · data exports · this session
Total events · all time
Reports generated · all time
Unique users · accessed platform
Generate Identity Governance Report
Export a full snapshot of your identity posture across Okta + Microsoft Entra ID
Report type
Executive · KPIs & summary only
Operational · KPIs + full tables
Audit · Full detail + metadata
Time range
Include sections
Platform Guide
This platform provides real-time identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline. The sections below explain what each area shows and what data source it uses.
Overview
Live data
Dashboard
High-level summary of the identity estate — total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center
Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance
Mixed — live + static
Orphaned & Stale · Static
Accounts that have never logged in, have not authenticated in over 365 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
Privileged Access · Static
Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.
Access Certifications · Static
Manual snapshot of who has access to high-value applications, for audit purposes. Automated access reviews require Azure AD P2; this is a P1-compatible alternative.
Licences · Static
Identifies M365 licences assigned to inactive or disabled accounts, and flags E3 users eligible for F3 downgrade. Useful for cost reduction decisions.
Cross-platform Health · Static
Highlights discrepancies between Okta and Entra ID: accounts that exist in one platform but not the other, or where account status differs.
App Risk · Static
Okta apps assessed for security posture: MFA enforcement, sign-on method (SAML, OIDC, SWA), and last usage. SWA apps without MFA are flagged as high risk.
MFA & Password · Static
MFA enrolment rates and authenticator method breakdown across Okta users. Also shows password policy compliance: complexity, expiry, and AD provider coverage.
Guest & External · Static
Azure AD B2B guest accounts (external users with access to the tenant). Flags guests without MFA and those inactive for over 90 days. Risk scoring requires Azure AD P2.
Conditional Access · Static
Lists the active Conditional Access policy inventory in Azure AD: what each policy enforces, who it covers, and whether it is enabled or report-only. Policy management requires Azure AD P1.
Secrets & Certificates · Live data
App Registration client secrets and certificates in Azure AD with expiry dates. Expired and near-expiry credentials are flagged so they can be renewed before causing authentication failures. Refreshed hourly.
Okta Identity
Live data · hourly
User Directory
Full list of Okta users with status, department, country, and last login. Paginated at 50 per page with search. Source: written to SharePoint by the pipeline.
Groups & Memberships
All Okta groups broken down by type — Okta-managed vs AD-synced. Shows the most common naming prefixes. Source:
App Catalogue
All applications integrated with Okta, with sign-on method and active/inactive status. Provides an inventory of SSO-connected apps. Source:
Activity Feed
System log events from Okta — authentication attempts, account changes, policy violations, and admin actions. Okta retains logs for 90 days.
Microsoft Entra ID
Live data · hourly
User Directory
All Entra ID users with account status, licence assignment, guest flag, department, and last sign-in. Source:
Groups & Memberships
All Entra ID groups — Microsoft 365, security, and dynamic membership groups. Shows naming patterns for governance. Source:
Enterprise Apps
App Registrations in the tenant — single-tenant vs multi-tenant, with creation dates. Includes Copilot Studio agents. Over 1,400 registered apps. Source:
Sign-in Activity
Azure AD sign-in and audit logs: successful sign-ins, risky sign-ins, MFA challenges, and Conditional Access outcomes. Retention is 30 days on the free tier, 90 days with P1/P2.
Data pipeline — All live data is collected by an Azure DevOps pipeline running on a self-hosted agent (Windows 11), scheduled hourly. It authenticates to Okta via API token and to Microsoft Graph via a service principal. Snapshots are written as JSON to SharePoint (IAM Governance / Identity Governance Platform / live/). The dashboard reads these files via Microsoft Graph API using your own delegated credentials — no separate backend or server is required.
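The expiry bucketing described under Secrets & Certificates (Expired, Critical <30 days, Warning <90 days, Healthy), as an added example that is not the platform's own pipeline code. It assumes a snapshot shaped like Microsoft Graph application objects (`displayName`, `passwordCredentials`, `keyCredentials`, each credential with `endDateTime`); the sample apps, the fixed `NOW`, the "unknown" state for a credential with no expiry, and the per-app roll-up are assumptions of this sketch.

```python
from datetime import datetime, timedelta, timezone

CRITICAL_DAYS, WARNING_DAYS = 30, 90  # dashboard tiles: "Critical <30 days", "Warning <90 days"
SEVERITY = ["expired", "critical", "unknown", "warning", "healthy"]  # worst first

def parse_graph_time(value):
    """Parse a UTC timestamp like 2025-03-01T00:00:00Z (fractional seconds dropped)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def bucket(end, now):
    """Map an expiry time to the dashboard's four states."""
    if end <= now:
        return "expired"
    if end - now < timedelta(days=CRITICAL_DAYS):
        return "critical"
    if end - now < timedelta(days=WARNING_DAYS):
        return "warning"
    return "healthy"

def classify_credentials(apps, now):
    """One finding per client secret or certificate, sorted worst first."""
    findings = []
    for app in apps:
        for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                raw = cred.get("endDateTime")
                # A credential with no recorded expiry is reported, never assumed healthy.
                status = bucket(parse_graph_time(raw), now) if raw else "unknown"
                findings.append({"app": app.get("displayName", "(unnamed)"), "type": kind, "status": status})
    return sorted(findings, key=lambda f: SEVERITY.index(f["status"]))

def worst_per_app(findings):
    """Roll up to one status per app: the worst of its credentials."""
    worst = {}
    for f in findings:
        worst[f["app"]] = min(worst.get(f["app"], "healthy"), f["status"], key=SEVERITY.index)
    return worst

# Constructed sample snapshot: app names and dates are illustrative, not from the page.
SAMPLE_APPS = [
    {"displayName": "hr-sync", "passwordCredentials": [
        {"endDateTime": "2025-01-10T00:00:00Z"}, {"endDateTime": "2026-01-10T00:00:00Z"}]},
    {"displayName": "billing-api", "keyCredentials": [{"endDateTime": "2025-03-20T12:00:00.0000000Z"}]},
    {"displayName": "reporting", "keyCredentials": None,
     "passwordCredentials": [{"endDateTime": "2025-05-15T00:00:00Z"}]},
    {"displayName": "legacy-portal", "passwordCredentials": [{}]},
]
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed "now" so the result is reproducible
print(worst_per_app(classify_credentials(SAMPLE_APPS, NOW)))
```

An app that still carries an expired secret next to a valid one rolls up as expired, which keeps leftover credentials visible for cleanup instead of hiding them behind the healthy one.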