Identity Health Score · based on 4 key indicators: Azure MFA enrolment · Active accounts · Manager field coverage · Secrets OK
MFA Coverage · authentication across both platforms
Okta: enrolled / not enrolled (enrolled users out of total)
Azure AD: registered / not registered (registered users out of total)
Conditional Access · Azure AD P1 · policies by state: Enabled · Report only · Disabled
Identity trend · Okta total vs active users
Sign-ins per day · Azure AD and Okta daily events
Sign-in outcomes · Success · Failed · Interrupted (charted as Success · Failed · Other)
Governance · click to navigate to each area
Orphaned & Stale · identity hygiene
Privileged Access · admin roles · Okta + Azure
Guest & External · external access risk
MFA & Password · policy compliance
Licences · M365 waste analysis
Conditional Access · policy coverage
Secrets & Certs
Audit Logs · activity & sign-ins
Okta — User Directory · convatec.okta.com
Total users · Active (share of total) · Never logged in (action required) · Locked out (action required)
Status distribution · current snapshot
Users by domain · email domain breakdown
Table columns: User · Status · Dept · Country · Last login
Okta — Groups & Memberships · convatec.okta.com
Total groups · Okta-managed (native) · AD-synced (from Azure AD)
Group types · Okta-managed vs AD-synced
Top groups by name prefix · most common naming patterns
Table columns: Group · Type · Description · Last updated
Okta — App Catalogue · convatec.okta.com
Total apps · Active (in use) · Inactive (review)
Active vs Inactive · app status breakdown
Sign-on method · SAML, OIDC, SWA, etc.
Table columns: Application · Status · Sign-on · Created
Okta system logs · real-time event stream · convatec.okta.com
Events today (last 24h) · Failed logins · Policy violations (review) · Success rate (healthy)
Okta retains System Logs for 90 days. Events older than 90 days are not available via API.
Microsoft Entra ID — User Directory
Total users (Entra ID) · Licensed (M365) · Guests (external) · Disabled (review)
Account status · Enabled vs Disabled vs Guest
Users by domain · UPN domain breakdown
Table columns: User · UPN · Status · Dept · Type · Last sign-in
Microsoft Entra ID — Groups & Memberships
Total groups (Entra ID) · Security groups (access control) · M365 groups (Teams/SharePoint) · No owner (governance risk)
Group types · Security vs M365 vs Distribution
Top name prefixes · most common group naming patterns
Table columns: Group · Type · Security · Mail-enabled · Created · Owner
Azure AD — Enterprise Applications · loaded from SharePoint
Total apps (registered) · Multi-tenant (external access) · Single-tenant (internal only) · No owner (governance risk)
Table columns: Application · App ID · Audience · Created · Owner
App Secrets & Certificates · loaded from SharePoint
Expired (past expiry · immediate action) · Critical <30 days (expiring soon · renew urgently) · Warning <90 days (plan rotation) · Healthy >90 days (no action needed)
Status breakdown · distribution of credential health
Credential type · secrets vs certificates by status
Table columns: Application · Type · Secret / Cert name · Expiry date · Days left · Status
Azure AD activity logs · audit & sign-in · Microsoft Graph API
Sign-ins today (last 24h) · Risky sign-ins · CA compliance (healthy) · MFA challenges
Azure AD retains Sign-in logs for 30 days (free tier) · Audit logs 30 days. Upgrade to P1/P2 for 90 days.
Total guests (external users) · Never signed in (action needed) · Inactive >90d (review recommended) · Enabled (active accounts)
Guest domain distribution · external domains with most guest accounts
Risk breakdown · activity status of guest accounts
Microsoft Entra ID · azure_mfa_registrations.json
Azure Registered (share of total users) · Not Registered (action required) · MFA Capable (can enrol · hardware/FIDO capable) · Admins no MFA (critical risk)
Registration trend · coverage % over time
Methods used · count per authentication method
Okta Identity · okta_mfa_summary.json
Okta MFA data not yet available · pipeline_mfa.py must complete first
Okta — Stale & Orphaned · active Okta accounts flagged by last-login, manager, or status
Never logged in (share of total) · No login over 365 days (share of total) · Workforce missing manager (missing at source or unsynced) · Locked out (require unlock)
Manager ownership analysis · Okta is the source of manager data — Entra receives sync downstream
Manager analysis · Inactivity aging · Review triage
Review triage (share of likely workforce accounts): Review now · Complex cases · Likely exception · Stale + no manager · Dormant accounts
Stale & orphaned accounts · accounts with no activity or missing attributes · read-only view
Table columns: User · Type · Issue · Last login · Created · Manager · Action
Signal hierarchy — Headline KPIs: activity flags · Manager analytics: source vs downstream · Triage: enabled+active / compound risk / dormant · Population chart: issue distribution by account type
Manager model — Okta is the source (Workday HR sync). Propagation gap: Okta has a manager but Entra is empty — check AD sync. Missing in both: Entra record found, both empty — HR data gap. AAD unresolved: no Entra match at all. Compound risk: stale + manager issue together.
Account type is pattern-derived from login/name — heuristic only, not authoritative. Technical = svc/app/system/noreply patterns or missing first+last name. Shared = mailbox/generic/team prefix patterns. Workforce = all others.
Review candidates only — not automatic actions
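The account-type heuristic and the Okta-sourced manager model described above, written out as an added Python example (not the platform's own pipeline code). The record field names (login, firstName, lastName, lastLogin, manager), the token-boundary matching used for the technical patterns, the missing_at_source label for an Okta-empty/Entra-populated pair, and the sample records are assumptions constructed for this example.

```python
"""Added example, not the platform's own pipeline code: apply the account-type heuristic
and the manager model to constructed Okta/Entra records and flag compound risk."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Heuristic patterns from the methodology note. Matching on token boundaries
# (start/end, '.', '_', '-') is an implementation choice so "app" does not hit "happy".
TECHNICAL_RE = re.compile(r"(^|[._-])(svc|app|system|noreply)([._-]|$)", re.IGNORECASE)
SHARED_RE = re.compile(r"^(mailbox|generic|team)([._-]|$)", re.IGNORECASE)
STALE_AFTER = timedelta(days=365)  # "No login over 365 days"


def account_type(login: str, first_name: str | None, last_name: str | None) -> str:
    """Technical = svc/app/system/noreply patterns or missing first+last name;
    Shared = mailbox/generic/team prefix; Workforce = all others. Heuristic only."""
    local = login.split("@", 1)[0]
    if TECHNICAL_RE.search(local) or not (first_name and last_name):
        return "technical"
    if SHARED_RE.match(local):
        return "shared"
    return "workforce"


def manager_state(okta_manager: str | None, entra_record: dict | None) -> str:
    """Okta is the source of manager data; Entra receives it downstream.
    aad_unresolved: no Entra match at all.
    propagation_gap: Okta has a manager, Entra record found but empty (check AD sync).
    missing_both: Entra record found, both empty (HR data gap).
    missing_at_source: Okta empty, Entra populated (assumed label for 'missing at source').
    ok: manager present on both sides."""
    if entra_record is None:
        return "aad_unresolved"
    entra_manager = entra_record.get("manager")
    if okta_manager and not entra_manager:
        return "propagation_gap"
    if not okta_manager and not entra_manager:
        return "missing_both"
    if not okta_manager and entra_manager:
        return "missing_at_source"
    return "ok"


def is_stale(last_login: str | None, now: datetime) -> bool:
    """Never logged in, or no login for over 365 days."""
    if last_login is None:
        return True
    return now - datetime.fromisoformat(last_login) > STALE_AFTER


def triage(okta_user: dict, entra_by_login: dict[str, dict], now: datetime) -> dict:
    """Combine the signals for one Okta user. Compound risk = stale + manager issue."""
    login = okta_user["login"]
    acct_type = account_type(login, okta_user.get("firstName"), okta_user.get("lastName"))
    stale = is_stale(okta_user.get("lastLogin"), now)
    mgr = manager_state(okta_user.get("manager"), entra_by_login.get(login.lower()))
    manager_issue = mgr != "ok"
    return {
        "login": login,
        "type": acct_type,
        "stale": stale,
        "manager_state": mgr,
        # The manager KPI applies to workforce accounts only; service and shared
        # accounts legitimately have no manager.
        "workforce_missing_manager": acct_type == "workforce" and manager_issue,
        "compound_risk": stale and manager_issue,
    }


# Constructed sample data (not real tenant data); timestamps are UTC ISO-8601.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
OKTA_USERS = [
    {"login": "jane.doe@example.com", "firstName": "Jane", "lastName": "Doe",
     "lastLogin": "2024-12-20T08:00:00+00:00", "manager": "boss@example.com"},
    {"login": "bob.smith@example.com", "firstName": "Bob", "lastName": "Smith",
     "lastLogin": "2023-06-01T08:00:00+00:00", "manager": "boss@example.com"},
    {"login": "svc-backup@example.com", "firstName": None, "lastName": None,
     "lastLogin": None, "manager": None},
    {"login": "team-finance@example.com", "firstName": "Finance", "lastName": "Team",
     "lastLogin": "2024-11-01T08:00:00+00:00", "manager": None},
    {"login": "new.hire@example.com", "firstName": "New", "lastName": "Hire",
     "lastLogin": None, "manager": None},
]
ENTRA_BY_LOGIN = {
    "jane.doe@example.com": {"manager": "boss@example.com"},
    "bob.smith@example.com": {"manager": None},      # propagation gap: synced manager missing
    "team-finance@example.com": {"manager": None},
    "new.hire@example.com": {"manager": None},       # missing in both: HR data gap
    # svc-backup has no Entra record at all -> aad_unresolved
}


def run(now: datetime = NOW) -> list[dict]:
    """Triage every constructed Okta user against the constructed Entra lookup."""
    return [triage(u, ENTRA_BY_LOGIN, now) for u in OKTA_USERS]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The output is review material only, matching the page's "review candidates, not automatic actions" stance: a compound-risk row says a human should look, not that the account should be disabled.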
Total privileged accounts (Azure AD + Okta) · Without MFA (critical risk) · Stale privileged accounts (no sign-in over 90 days) · Disabled with active role (review required)
Platform breakdown · coverage may be partial — see methodology
Privilege risk alerts · accounts requiring immediate attention
Review triage (accounts requiring action): Critical — no MFA · Stale admins · Guest privileged · Disabled with role
Azure AD privileged roles · azure_privileged.json · permanent role assignments · full coverage
Table columns: User · Role · Type · MFA · Last sign-in · Enabled
Okta admin roles · okta_privileged.json · coverage depends on API token scope — see methodology
Table columns: User · Role · MFA · Status
What counts as privileged — Azure AD permanent role assignments (Global Admin, User Admin, Exchange Admin, etc.) + Okta admin roles (Super Admin, Org Admin, etc.)
Okta coverage — may be partial: Okta admin role visibility requires a specific API token scope. If the token lacks okta.roles.read, the Okta count will be 0 or incomplete.
Stale — no sign-in in over 90 days (Azure AD only; Okta last sign-in not available in current data).
MFA — from azure_mfa_registrations.json. Partial for Okta users whose UPN differs from their Okta login.
Guest / external — UPN contains #EXT#.
PIM / just-in-time — not covered. This view shows permanent assignments only. Azure AD P2 required for activation history.
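The privileged-access rules above (no MFA, stale over 90 days, #EXT# guests, disabled with an active role, and the okta.roles.read coverage caveat) as an added Python example, not the platform's own code. The record layout of azure_privileged.json and okta_privileged.json, the upn-to-registered lookup standing in for azure_mfa_registrations.json, the mfa_unknown flag for Okta logins absent from that lookup, and the sample rows are assumptions constructed here.

```python
"""Added example, not the platform's own code: privileged-access review using the
methodology rules above. Record layouts and sample data are constructed assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # "Stale" = no sign-in in over 90 days (Azure AD only)


def is_guest(upn: str) -> bool:
    """Guest / external = UPN contains #EXT#."""
    return "#EXT#" in upn.upper()


def azure_flags(row: dict, mfa_registered: dict[str, bool], now: datetime) -> list[str]:
    """Flags for one permanent Azure AD role assignment (PIM/JIT activations not covered)."""
    flags: list[str] = []
    upn = row["upn"]
    # azure_mfa_registrations.json covers every Entra user, so a missing entry means not registered.
    if not mfa_registered.get(upn.lower(), False):
        flags.append("no_mfa")
    last = row.get("lastSignIn")
    if last is None or now - datetime.fromisoformat(last) > STALE_AFTER:
        flags.append("stale")
    if is_guest(upn):
        flags.append("guest_privileged")
    if not row.get("enabled", True):
        flags.append("disabled_with_role")
    return flags


def okta_flags(row: dict, mfa_registered: dict[str, bool]) -> list[str]:
    """Flags for one Okta admin role. MFA is looked up by login in the Azure registration
    data, so it is only known where the Okta login equals the UPN; otherwise the assumed
    'mfa_unknown' label is used. No stale flag: Okta last sign-in is not in the data."""
    registered = mfa_registered.get(row["login"].lower())
    if registered is None:
        return ["mfa_unknown"]
    return [] if registered else ["no_mfa"]


def review(azure_rows: list[dict], okta_rows: list[dict],
           mfa_registered: dict[str, bool], now: datetime) -> dict:
    """Flag every privileged assignment on both platforms and summarise the counts."""
    findings = [
        {"platform": "azure", "user": r["upn"], "role": r["role"],
         "flags": azure_flags(r, mfa_registered, now)} for r in azure_rows
    ] + [
        {"platform": "okta", "user": r["login"], "role": r["role"],
         "flags": okta_flags(r, mfa_registered)} for r in okta_rows
    ]
    counts: dict[str, int] = {}
    for f in findings:
        for flag in f["flags"]:
            counts[flag] = counts.get(flag, 0) + 1
    return {
        "total_privileged": len(findings),  # role assignments across both platforms
        "counts": counts,
        "critical": sorted(f["user"] for f in findings if "no_mfa" in f["flags"]),
        # An empty Okta list usually means the token lacks okta.roles.read, not zero admins.
        "okta_coverage_warning": len(okta_rows) == 0,
        "findings": findings,
    }


# Constructed sample data (not real tenant data). Lookup keys are lower-cased UPNs.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
MFA_REGISTERED = {
    "alice.admin@example.com": True,
    "carl.contractor_gmail.com#ext#@example.onmicrosoft.com": False,
    "dave.old@example.com": True,
    "erin.ops@example.com": False,
}
AZURE_PRIVILEGED = [
    {"upn": "alice.admin@example.com", "role": "Global Administrator",
     "lastSignIn": "2024-12-30T09:00:00+00:00", "enabled": True},
    {"upn": "carl.contractor_gmail.com#EXT#@example.onmicrosoft.com", "role": "User Administrator",
     "lastSignIn": "2024-12-01T09:00:00+00:00", "enabled": True},
    {"upn": "dave.old@example.com", "role": "Exchange Administrator",
     "lastSignIn": "2024-08-01T09:00:00+00:00", "enabled": False},
]
OKTA_PRIVILEGED = [
    {"login": "alice.admin@example.com", "role": "Super Admin"},
    {"login": "erin.ops@example.com", "role": "Org Admin"},
    {"login": "frank@legacy.example.net", "role": "Org Admin"},  # login differs from UPN: MFA unknown
]


def run(now: datetime = NOW) -> dict:
    """Review the constructed sample assignments."""
    return review(AZURE_PRIVILEGED, OKTA_PRIVILEGED, MFA_REGISTERED, now)


if __name__ == "__main__":
    result = run()
    print(result["total_privileged"], result["counts"], result["critical"])
```

Keeping mfa_unknown separate from no_mfa matters for the dashboard's "Without MFA" KPI: an Okta admin whose login does not match any UPN is a data gap to close, and counting it as a missing control would overstate the critical count.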
Access Certifications not available
Automated certification campaigns require Azure AD P2. No data source is currently configured for this section.
SKUs Active (M365 subscriptions · licence types in tenant) · Total purchased (seats purchased across all SKUs) · Consumed (seats assigned to users) · Available (unassigned seats)
Licence consumption trend
Available seats trend · unassigned licences over time
Conditional Access policies · Azure AD
CA policies active (Azure AD P1) · Policies enabled · Report-only (not yet enforced) · Disabled policies (inactive)
Conditional Access policy management available with Azure AD P1 ✓ · Identity Protection (risk-based CA) requires P2
Table columns: Policy name · State · Users included · Conditions · Grant control
Total events (all time) · Reports generated (all time) · Unique users (accessed platform)
Generate Identity Governance Report · export a full snapshot of your identity posture across Okta + Microsoft Entra ID
Report type: Executive (KPIs & summary only) · Operational (KPIs + full tables) · Audit (full detail + metadata)
Time range · preset or custom
Include sections
Platform Guide
This platform provides real-time identity governance visibility across Okta and Microsoft Entra ID. Data is refreshed hourly via an automated pipeline. The sections below explain what each area shows and what data source it uses.
Overview · live data
Dashboard — High-level summary of the identity estate: total users across both platforms, active applications, risk alerts, and trend charts. All counts come from the hourly pipeline snapshot stored in SharePoint.
Security Center — Compliance posture with a score based on MFA coverage, orphaned accounts, manager assignment, and AD provider coverage. The checklist highlights which controls are passing and which need attention.
Governance · mixed — live + static
Orphaned & Stale (static) — Accounts that have never logged in, have not authenticated in over 365 days, or have no manager assigned. Useful for identifying accounts that should be reviewed or deprovisioned.
Privileged Access (static) — Lists Okta Super Admins and Azure Global Admins with their MFA status. Supports regular review of who holds elevated permissions across both platforms.
Access Certifications (static) — Manual snapshot of who has access to high-value applications, for audit purposes. Automated access reviews require Azure AD P2 — this is a P1-compatible alternative.
Licences (static) —