
Connect Okta to Microsoft Defender for Identity (Preview)

This page explains how to connect Microsoft Defender for Identity to your Okta account using the Unified Connectors experience. This connection provides visibility into Okta activity and enables shared data collection across Microsoft security products. The Unified Connectors experience allows Defender for Identity to collect Okta system logs once and share them with other supported Microsoft security products, such as Microsoft Sentinel. This reduces API usage, avoids duplicate data collection, and simplifies connector management. For more information, see Unified connectors overview.

Note

If your Okta environment is already integrated with Microsoft Defender for Cloud Apps, connecting it to Microsoft Defender for Identity can cause duplicate Okta data, such as user activity, to appear in the Defender portal.

Prerequisites

Before connecting your Okta account to Microsoft Defender for Identity, make sure the following prerequisites are met:

Okta licenses

Your Okta environment must have one of the following licenses:

  • Developer

  • Enterprise

Okta roles

The Super Admin role is required only during initial setup: creating the API token and, because only Super Admins can create custom admin roles and resource sets, the custom Microsoft Defender for Identity role and resource set. After setup, remove the Super Admin role and keep the Read-Only Administrator role and the Defender for Identity custom role assigned for ongoing API access. Because an Okta API token carries the permissions of the account that created it, removing Super Admin from the account also removes those privileges from the token.

Microsoft Entra and Defender XDR role-based access options

To configure the Okta connector in Microsoft Defender for Identity, your account must have either of the following access configurations assigned:

  • Microsoft Entra roles:

    • Security Operator
    • Security Admin
  • Defender XDR Unified RBAC permission:

    • Core security settings (manage)

Connect Okta to Microsoft Defender for Identity

This section provides instructions for connecting Microsoft Defender for Identity to your dedicated Okta account using the connector APIs. This connection gives you visibility into and control over Okta use.

Create a dedicated Okta account

  1. Create a dedicated Okta account for Microsoft Defender for Identity use only.
  2. Assign the Super Admin role to the dedicated account.
  3. Verify your Okta account.
  4. Store the account credentials for later use.
  5. Sign in to your dedicated Okta account created in step 1 to create an API token.

Create an API token

  1. In the Okta console, select Admin.

    Screenshot that shows how to access the Admin button in the Okta console.

  2. Select Security > API.

    Screenshot of the Okta admin console navigation menu with Security and API options highlighted in the left pane.

  3. Select Tokens.

  4. Select Create Token.

    Screenshot of the Okta API Tokens tab with the Create token button highlighted.

  5. In the Create token pop-up:

    1. Enter a name for your Defender for Identity token.
    2. Select Any IP.
    3. Select Create token.

    Screenshot of the Okta Create token form with fields for token name and IP restriction, and the Create token button highlighted.

  6. In the Token created successfully pop-up, copy the Token value and store it securely. This token is used to connect Okta to Defender for Identity. Okta shows the value only once; if it's lost, revoke the token and create a new one rather than reusing a token from another integration.

    Screenshot of the Okta token creation success message.

Add Custom user attributes

  1. Select Directory > Profile Editor.

  2. Select User (default).

  3. Select Add Attributes.

    1. Set Data type to String.
    2. Enter the Display name.
    3. Enter the Variable name.
    4. Set User permission to Read Only.
  4. Enter the following attributes (the Display name and Variable name are identical for each):

     Display name         Variable name
     ObjectSid            ObjectSid
     ObjectGuid           ObjectGuid
     DistinguishedName    DistinguishedName
  5. Select Save.

  6. Verify that the three custom attributes you added are displayed correctly.

    Screenshot of the Okta Attributes page. Three attributes are shown: ObjectGuid, DistinguishedName, and ObjectSid.

Create a custom Okta role

Note

To support ongoing API access, you must assign both the Read-Only Administrator role and the custom Microsoft Defender for Identity role. These roles are mandatory to successfully configure the Okta connector. Configuration fails if either role is missing.

After you assign both roles, you can remove the Super Admin role. This approach ensures that only relevant permissions are assigned to your Okta account at all times.

  1. Navigate to Security > Administrators.
  2. Select the Roles tab.
  3. Select Create new role.
  4. Set the role name to Microsoft Defender for Identity.
  5. Select the permissions you want to assign to this role. Include the following permissions:
    • Edit user's lifecycle states
    • Edit user's authenticator operations
    • View roles, resources, and admin assignments
  6. Select Save role.

Screenshot showing a list of Okta permissions that need to be assigned when adding a custom role.

Create a resource set

  1. Select the Resources tab.

  2. Select Create new resource set.

  3. Name the resource set Microsoft Defender for Identity.

  4. Add the following resources:

    • All users
    • All Identity and Access Management resources

    Screenshot that shows the resource set name is Microsoft Defender for Identity.

  5. Select Save selection.

Assign the custom role and resource set

To complete the configuration in Okta, assign the custom role and resource set to the dedicated account.

  1. Assign the following roles to the dedicated Okta account:

    • Read-Only Administrator.

    • The custom Microsoft Defender for Identity role

  2. Assign the Microsoft Defender for Identity resource set to the dedicated Okta account.

  3. When you're done, remove the Super Admin role from the account.
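Before moving on to the Defender portal, it's worth confirming from outside the Okta console that the dedicated account still has what the connector needs once Super Admin is gone: the three custom attributes exist with the right type and user permission, and the token can still read the user schema and the System Log. The script below is an added example, not code from the Microsoft or Okta documentation. It assumes the Okta Schemas API (`GET /api/v1/meta/schemas/user/default`, with custom attributes under `definitions.custom.properties` and the Profile Editor's "Read Only" user permission stored as principal `SELF`, action `READ_ONLY`), the System Log endpoint (`GET /api/v1/logs`), and the `SSWS` Authorization scheme for API tokens; `make_fetcher`, `verify_setup` and the constructed sample responses are this example's own names.

```python
"""Post-setup check for the Okta side of the Defender for Identity connector.

Added example; not code from the Microsoft or Okta documentation. It assumes:
  * GET /api/v1/meta/schemas/user/default returns the default user schema, with
    custom attributes under definitions.custom.properties (Okta Schemas API);
  * GET /api/v1/logs?limit=1 reads the System Log that the connector collects;
  * Okta API tokens are sent as "Authorization: SSWS <token>".
"""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Tuple

REQUIRED_ATTRIBUTES = ("ObjectSid", "ObjectGuid", "DistinguishedName")

# A fetcher takes an API path and returns (HTTP status, decoded JSON body or None).
Fetcher = Callable[[str], Tuple[int, Any]]


def make_fetcher(okta_domain: str, api_token: str) -> Fetcher:
    """Build a GET function for one Okta org, e.g. make_fetcher("my.project.okta.com", token)."""
    def fetch(path: str) -> Tuple[int, Any]:
        req = urllib.request.Request(
            f"https://{okta_domain}{path}",
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, None  # 401: bad/expired token, 403: role or resource set missing
    return fetch


def check_custom_attributes(schema: dict) -> Dict[str, str]:
    """Return {attribute: problem} for required custom attributes that are missing or misconfigured."""
    props = schema.get("definitions", {}).get("custom", {}).get("properties", {})
    problems: Dict[str, str] = {}
    for name in REQUIRED_ATTRIBUTES:
        prop = props.get(name)
        if prop is None:
            problems[name] = "missing"
            continue
        if prop.get("type") != "string":
            problems[name] = f"type is {prop.get('type')!r}, expected 'string'"
            continue
        # The Profile Editor's "User permission: Read Only" appears in the Schemas API
        # representation as principal SELF with action READ_ONLY (assumption stated above).
        perms = {p.get("principal"): p.get("action") for p in prop.get("permissions", [])}
        if perms.get("SELF") != "READ_ONLY":
            problems[name] = f"user permission is {perms.get('SELF')!r}, expected 'READ_ONLY'"
    return problems


def verify_setup(fetch: Fetcher) -> Dict[str, str]:
    """Run both checks with the dedicated account's token; every value should be "ok"."""
    results: Dict[str, str] = {}
    status, schema = fetch("/api/v1/meta/schemas/user/default")
    if status != 200 or not isinstance(schema, dict):
        results["schema"] = f"HTTP {status}: token cannot read the user schema"
    else:
        problems = check_custom_attributes(schema)
        results["schema"] = "ok" if not problems else "; ".join(f"{k}: {v}" for k, v in problems.items())
    status, _ = fetch("/api/v1/logs?limit=1")
    results["system_log"] = "ok" if status == 200 else f"HTTP {status}: token cannot read the System Log"
    return results


# --- Constructed offline stand-ins, so the checks can be exercised without an Okta org ---

def string_attr(read_only: bool = True) -> dict:
    """One custom attribute as the Schemas API would return it (constructed sample)."""
    action = "READ_ONLY" if read_only else "READ_WRITE"
    return {"type": "string", "permissions": [{"principal": "SELF", "action": action}]}


def build_schema(attributes: Dict[str, dict]) -> dict:
    """Minimal constructed schema document containing only the custom properties."""
    return {"definitions": {"custom": {"properties": attributes}}}


SAMPLE_SCHEMA = build_schema({name: string_attr() for name in REQUIRED_ATTRIBUTES})


def sample_fetch(path: str) -> Tuple[int, Any]:
    """Offline replacement for make_fetcher(): answers with constructed responses."""
    if path.startswith("/api/v1/meta/schemas/user/default"):
        return 200, SAMPLE_SCHEMA
    if path.startswith("/api/v1/logs"):
        return 200, []
    return 404, None


if __name__ == "__main__":
    # Against a real org: verify_setup(make_fetcher("my.project.okta.com", "<api token>"))
    for check, outcome in verify_setup(sample_fetch).items():
        print(f"{check}: {outcome}")
```

Run it twice: once while the account still holds Super Admin, and again after removing it. A result that goes from "ok" to an HTTP 403 on the second run means the Read-Only Administrator role, the custom role, or the resource set assignment is missing, which is exactly the state in which the connector configuration fails.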

Connect Okta to Microsoft Defender for Identity

  1. Navigate to the Microsoft Defender Portal.

  2. Select System > Data management > Data connectors > Catalog.

    Screenshot showing where to find the Okta connector in the Defender portal.

  3. Select Okta Single Sign-On > Connect a connector.

    Screenshot that shows the connector option for Okta single sign-on.

  4. Enter a name for your connector.

  5. Enter your Okta ___domain (for example, my.project.okta.com).

  6. Paste the API token you copied from your Okta account.

  7. Select Next.

    Screenshot that shows where to add the connector name, ___domain, and API key.

  8. Under Select products, select Microsoft Defender for Identity.

  9. Select Next.

    Screenshot that shows the product page for connecting Okta to Microsoft Defender for Identity.

  10. Review Okta details, and select Connect.

    Screenshot that shows the Okta connector details.

  11. Verify that your Okta environment appears in the table as enabled.

    Screenshot that shows the Okta single sign-on connector was successfully connected.

Note

Connecting the Okta connector can take up to 15 minutes.