Identity Health Score
Based on MFA, active accounts, manager assignment and orphan hygiene
88%
↑ +3% vs last month
MFA Coverage 94%
Active accounts 99.4%
Manager assigned 88.4%
No orphans >365d 95.9%
Identity trends
Total Okta users — last 12 snapshots
Never logged in — trend
Hygiene improvement over time
Recent activity
Last events across both platforms
Account locked out
2m ago
New user provisioned
14m ago
Risky sign-in detected
31m ago
Password expired
1h ago
Group membership changed
3h ago
Top risks
Items requiring attention
Never logged in
Accounts never activated
1,203
No login >365 days
Potentially orphaned
473
Locked out
Require admin action
12
No manager assigned
Orphaned from org
1,327
Governance
Click to navigate to each area
Orphaned & Stale
Identity hygiene
Privileged Access
Admin roles
Licence Optimisation
M365 waste
MFA & Password
Policy compliance
Guest & External
External access risk
Conditional Access
Policy coverage
App Risk
App security posture
Secrets & Certs
Total users
—
convatec.okta.com
Active
—
of total
Never logged in
—
action required
Locked out
—
action required
Status distribution
Current snapshot
Users by domain
Email domain breakdown
Okta — User Directory
| User | Status | Dept | Country | Last login | |
|---|---|---|---|---|---|
Total groups
—
convatec.okta.com
Okta-managed
—
native
AD-synced
—
from Azure AD
Group types
Okta-managed vs AD-synced
Top groups by name prefix
Most common naming patterns
Okta — Groups & Memberships
| Group | Type | Description | Last updated |
|---|---|---|---|
Total apps
—
convatec.okta.com
Active
—
in use
Inactive
—
review
Active vs Inactive
App status breakdown
Sign-on method
SAML, OIDC, SWA, etc.
Okta — App Catalogue
| Application | Status | Sign-on | Created |
|---|---|---|---|
Events today
24,891
last 24h
Failed logins
143
↑ +23
Policy violations
7
review
Success rate
99.4%
healthy
Okta system logs
Real-time event stream · convatec.okta.com
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
6 events
Authentication failed — MFA required
09:42:11
Login successful
09:41:58
New user provisioned via AD
09:40:22
Account locked — 5 failed attempts
09:38:05
User added to IT-Administrators
09:35:12
Policy denied — device not trusted
09:33:29
Total users
—
Entra ID
Licensed
—
M365
Guests
—
external
Disabled
—
review
Account status
Enabled vs Disabled vs Guest
Users by domain
UPN domain breakdown
Microsoft Entra ID — User Directory
| User | UPN | Status | Dept | Type | Last sign-in |
|---|---|---|---|---|---|
Total groups
—
Entra ID
Security groups
—
access control
M365 groups
—
Teams/SharePoint
No owner
—
governance risk
Group types
Security vs M365 vs Distribution
Top name prefixes
Most common group naming patterns
Microsoft Entra ID — Groups & Memberships
| Group | Type | Security | Mail-enabled | Created | Owner |
|---|---|---|---|---|---|
Total apps
—
registered
Multi-tenant
—
external access
Single-tenant
—
internal only
No owner
—
governance risk
Azure AD — Enterprise Applications
| Application | App ID | Audience | Created | Owner |
|---|---|---|---|---|
Expired
—
immediate action
Critical <30 days
—
renew urgently
Warning <90 days
—
plan renewal
Healthy
—
no action needed
App Secrets & Certificates
| Application | Type | Secret / Cert name | Expiry date | Days left | Status |
|---|---|---|---|---|---|
Sign-ins today
18,420
last 24h
Risky sign-ins
23
↑ flagged
CA compliance
99.1%
healthy
MFA challenges
4,201
22.8%
Azure AD activity logs
Audit & sign-in · Microsoft Graph API
Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.
5 events
Sign-in success — Microsoft 365
09:44:01
Risky sign-in — Unfamiliar location
09:41:33
MFA challenge — Conditional Access
09:39:18
Audit — User account enabled
09:35:00
Audit — Group membership change
09:32:47
Never logged in
1,203
10.5% of total
No login >365 days
473
4.1% of total
No manager assigned
1,327
11.6% of total
Locked out
12
require unlock
Stale & orphaned accounts
Accounts with no activity or missing attributes · Read-only view
| User | Email | Issue | Last login | Created | Manager | Action |
|---|---|---|---|---|---|---|
| Nina Park | [email protected] | Never logged in | Never | 2024-11-01 | S. Lee | Open in Okta ↗ |
| Robert Green | [email protected] | No login >365d | 2023-02-14 | 2019-06-20 | — | Open in Okta ↗ |
| Maria Flores | [email protected] | No manager | Last week | 2022-03-08 | — | Open in Okta ↗ |
| Jan Kowalski | [email protected] | Locked out | 3 days ago | 2021-09-14 | B. Nowak | Open in Okta ↗ |
Okta Super Admins
5
review regularly
Azure Global Admins
8
reduce recommended
Admins with MFA
13/13
100% coverage
Privileged role age
avg 387d
some roles >1 year
Okta admin roles
Read-only · manage in Okta Admin Console
| User | Role | MFA | Assigned |
|---|---|---|---|
| Tiago Teixeira | Super Admin | On | 2021-01-10 |
| James Wilson | Org Admin | On | 2022-03-15 |
| Sara Ahmed | Read Only Admin | On | 2023-06-01 |
Azure AD privileged roles
P1 available · PIM requires P2
PIM just-in-time activation & role history requires Azure AD P2
| User | Role | MFA | Type |
|---|---|---|---|
| Tiago Teixeira | Global Admin | On | Permanent |
| Ana Torres | User Admin | On | Permanent |
| Bob Peters | Security Reader | On | Permanent |
Access Reviews (automated certification campaigns) require Azure AD P2. This view shows a manual snapshot of current access for audit purposes.
Apps reviewed
247
last 90 days
Over-privileged users
84
access beyond role
Clean certifications
163
66% access justified
Access certification snapshot
Who has access to high-value apps · export for audit
| Application | Users assigned | High-privilege users | Last reviewed | Status |
|---|---|---|---|---|
| ServiceNow | 4,820 | 43 | 2025-01-15 | Reviewed |
| Workday | 9,100 | 12 | 2025-02-01 | Reviewed |
| SAP | 2,340 | 89 | 2024-09-10 | Overdue |
| Legacy Portal v1 | 0 | 0 | Never | Decommission |
Total SKUs
—
licence types in tenant
Total purchased
—
across all SKUs
Consumed
—
assigned to users
Available
—
unassigned seats
CA policies active
38
Azure AD P1
Users covered
99.1%
nearly full coverage
Policies in report-only
5
not yet enforced
CA blocks (7d)
1,247
policy working
Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2
Conditional Access policies
Azure AD · 38 active policies
| Policy name | State | Users included | Conditions | Grant control |
|---|---|---|---|---|
| Require MFA for all users | Enabled | All users | Any location | Require MFA |
| Block legacy authentication | Enabled | All users | Legacy auth clients | Block |
| Require compliant device (Corp) | Enabled | Employees | Unmanaged device | Require compliant |
| Guests — MFA required | Report only | Guests | Any access | Not enforced yet |
| Admin MFA always | Enabled | Global Admins | All platforms | Require MFA |
Platform Guide
This platform provides real-time identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline. The sections below explain what each area shows and what data source it uses.
Overview
Live data
Dashboard
High-level summary of the identity estate — total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center
Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance
Mixed — live + static
Orphaned & Stale
Static · Accounts that have never logged in, have not authenticated in over 365 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
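The Orphaned & Stale rules above, applied to a user snapshot in the shape of Okta's user objects. This is an added example, not the platform's pipeline code; the sample records and their example.invalid logins are constructed, and `profile.manager` (Okta's default profile attribute) is assumed to hold the manager's name.

```python
"""Stale/orphan classification over an Okta user snapshot (added example).

Records mirror Okta /api/v1/users objects as okta_users.json would hold them:
status, lastLogin, created, profile.login, profile.manager. Sample data below
is constructed, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

STALE_DAYS = 365  # dashboard threshold: "No login >365 days"

def _parse(ts):
    # Okta timestamps look like 2024-11-01T08:15:00.000Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def classify_user(user, now):
    """Return the hygiene issues for one user, in the dashboard's wording."""
    issues = []
    if user.get("status") == "LOCKED_OUT":
        issues.append("Locked out")
    last = user.get("lastLogin")
    if last is None:                      # never activated / never signed in
        issues.append("Never logged in")
    elif now - _parse(last) > timedelta(days=STALE_DAYS):
        issues.append("No login >365 days")
    if not (user.get("profile") or {}).get("manager"):
        issues.append("No manager assigned")
    return issues

def stale_report(users, now):
    """Map each flagged login to its issues, plus a per-issue total."""
    per_user, totals = {}, {}
    for u in users:
        found = classify_user(u, now)
        if found:
            per_user[u["profile"]["login"]] = found
        for issue in found:
            totals[issue] = totals.get(issue, 0) + 1
    return per_user, totals

# Constructed sample snapshot (placeholder logins, not real accounts).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"status": "PROVISIONED", "lastLogin": None, "created": "2024-11-01T00:00:00.000Z",
     "profile": {"login": "nina.park@example.invalid", "manager": "S. Lee"}},
    {"status": "ACTIVE", "lastLogin": "2023-02-14T09:00:00.000Z", "created": "2019-06-20T00:00:00.000Z",
     "profile": {"login": "robert.green@example.invalid", "manager": None}},
    {"status": "ACTIVE", "lastLogin": "2025-02-22T09:00:00.000Z", "created": "2022-03-08T00:00:00.000Z",
     "profile": {"login": "maria.flores@example.invalid"}},
    {"status": "LOCKED_OUT", "lastLogin": "2025-02-26T09:00:00.000Z", "created": "2021-09-14T00:00:00.000Z",
     "profile": {"login": "jan.kowalski@example.invalid", "manager": "B. Nowak"}},
]

if __name__ == "__main__":
    report, totals = stale_report(SAMPLE_USERS, NOW)
    for login, issues in report.items():
        print(f"{login}: {', '.join(issues)}")
    print(totals)
```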
Privileged Access
Static · Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.
Access Certifications
Static · Manual snapshot of who has access to high-value applications, for audit purposes. Automated access reviews require Azure AD P2; this is a P1-compatible alternative.
Licence Optimisation
Static · Identifies M365 licences assigned to inactive or disabled accounts, and flags E3 users eligible for F3 downgrade. Useful for cost reduction decisions.
Cross-platform Health
Static · Highlights discrepancies between Okta and Entra ID: accounts that exist in one platform but not the other, or where account status differs.
App Risk
Static · Okta apps assessed for security posture: MFA enforcement, sign-on method (SAML, OIDC, SWA), and last usage. SWA apps without MFA are flagged as high risk.
MFA & Password
Static · MFA enrolment rates and authenticator method breakdown across Okta users. Also shows password policy compliance: complexity, expiry, and AD provider coverage.
Guest & External
Static · Azure AD B2B guest accounts, i.e. external users with access to the tenant. Flags guests without MFA and those inactive for over 90 days. Risk scoring requires Azure AD P2.
Conditional Access
Static · Lists active Conditional Access policies in Azure AD: what they enforce, who they cover, and whether enabled or report-only. Policy management requires Azure AD P1.
Secrets & Certificates
Live data · App Registration client secrets and certificates in Azure AD with expiry dates. Expired and near-expiry credentials are flagged so they can be renewed before causing authentication failures. Refreshed hourly.
Okta Identity
Live data · hourly
User Directory
Full list of Okta users with status, department, country, and last login. Paginated at 50 per page with search. Source: okta_users.json written to SharePoint by the pipeline.
Groups & Memberships
All Okta groups broken down by type — Okta-managed vs AD-synced. Shows the most common naming prefixes. Source: okta_groups.json.
App Catalogue
All applications integrated with Okta, with sign-on method and active/inactive status. Provides an inventory of SSO-connected apps. Source: okta_apps.json.
Activity Feed
System log events from Okta — authentication attempts, account changes, policy violations, and admin actions. Okta retains logs for 90 days.
Microsoft Entra ID
Live data · hourly
User Directory
All Entra ID users with account status, licence assignment, guest flag, department, and last sign-in. Source: azure_users.json.
Groups & Memberships
All Entra ID groups — Microsoft 365, security, and dynamic membership groups. Shows naming patterns for governance. Source: azure_groups.json.
Enterprise Apps
App Registrations in the tenant — single-tenant vs multi-tenant, with creation dates. Includes Copilot Studio agents. Over 1,400 registered apps. Source: azure_apps.json.
Sign-in Activity
Azure AD sign-in and audit logs — successful sign-ins, risky sign-ins, MFA challenges, and Conditional Access outcomes. Retention is 30 days free tier, 90 days with P1/P2.
Data pipeline — All live data is collected by an Azure DevOps pipeline running on a self-hosted agent (Windows 11), scheduled hourly. It authenticates to Okta via API token and to Microsoft Graph via a service principal. Snapshots are written as JSON to SharePoint (IAM Governance / Identity Governance Platform / live/). The dashboard reads these files via Microsoft Graph API using your own delegated credentials — no separate backend or server is required.