Commit 322b4fa

Merge branch 'main' into docs-editor/linux-exclusions-1756366462
2 parents 15b9c8a + 10dc1f3 commit 322b4fa

888 files changed

+3235
-2410
lines changed


ATPDocs/alerts-xdr.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
88

99
# Microsoft Defender for Identity XDR alerts
1010

11-
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists
11+
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
1212

1313
To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
1414

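Review bot: The new line 11 removes the dangling "This article lists" rather than completing it, so the introduction no longer says what the article contains; if the sections that follow are lists of alerts, finish the sentence instead of deleting it. While the line is being touched, "depending on if the alert originates" reads better as "depending on whether the alert originates". The unchanged line 13 also has a stray comma in "the structure, and common components" that could be fixed in the same pass.
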
ATPDocs/change-password-krbtgt-account.md

Lines changed: 3 additions & 1 deletion
@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
2929
1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
3030

3131
> [!NOTE]
32-
> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
32+
> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
33+
> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
34+
3335
### Next steps
3436

3537
[Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
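
Review bot: The 10-hour interval appears only in the note added at line 33, while step 1 at line 29 still says to reset the password **twice** with no mention of a wait, so a reader following the numbered steps can run both resets back to back. Put the interval in the step itself, or have the step point at the note. "Aligns with best practices" gives no source for the 10-hour figure; state what the interval is based on or link to the guidance. Line 32 is removed and re-added with no visible difference, and its link text still carries the sentence's period inside the brackets ("[Microsoft-provided script.]").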

ATPDocs/dashboard.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ Select links in the cards to just to more details, such as documentation, relate
4545
|**Identities overview (shield widget)** |Provides a quick overview of the number of users in hybrid, cloud, and on-premises environments (AD and Microsoft Entra ID). This feature includes direct links to the Advanced Hunting platform, offering detailed user information at your fingertips.|
4646
|**Top insights** /<br>**Users identified in a risky lateral movement path** | Indicates any sensitive accounts with risky lateral movement paths, which are windows of opportunity for attackers and can expose risks. <br><br>We recommend that you take action on any sensitive accounts found with risky lateral movement paths to minimize your risk. <br><br>For more information, see [Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity](understand-lateral-movement-paths.md).|
4747
|**Top insights** /<br>**Dormant Active Directory users who should be removed from sensitive groups** | Lists accounts that have been left unused for at least 180 days. <br><br>An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups, therefore we recommend removing those users from sensitive groups. <br><br>For more information, see [Security assessment: Riskiest lateral movement paths (LMP)](security-assessment-riskiest-lmp.md).|
48-
|**ITDR deployment health** | Lists any sensor deployment progress, any health alerts, and license availability. |
48+
|**ITDR deployment health** | Lists any sensor deployment progress, any health alerts, and license availability derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage. |
4949
|**Identity posture (Secure score)** | The score shown represents your organization's security posture with a focus on the *identity* score, reflecting the collective security state of your identities. The score is automatically updated in real-time to reflect the data shown in graphs and recommended actions. <br><br>Microsoft Secure Score updates daily with system data with new points for each recommended action take.<br><br> For more information, see [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score). |
5050
| **Highly privileged entities** | Lists a summary of the sensitive accounts in your organization, including Entra ID security administrators and Global admin users. |
5151
| **Identity related incidents** | Lists alerts from both Defender for Identity and [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection), and any corresponding, relevant incidents from the last 30 days. |
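
Review bot: In the new line 48, "derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage" can be read as qualifying only "license availability" or all three listed items, and "which relies on" can attach to Device Inventory or to the whole card. Split it into two sentences: one for what the card lists, one for which data it is built from and that the Device Inventory part depends on Defender for Endpoint coverage. The row also does not say what the card shows when that coverage is absent, which is the case a reader will ask about.
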
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
---
2+
title: How Microsoft Defender for Identity protects your Okta accounts
3+
description: Learn how Microsoft Defender for Identity protect your Okta accounts and what the integration enables.
4+
ms.date: 08/07/2025
5+
ms.topic: overview
6+
ms.reviewer: himanch
7+
# customer-intent: As a security administrator, I want to understand what happens when I connect Okta to Microsoft Defender for Identity, so that I can decide whether to enable the integration.
8+
---
9+
10+
# How Microsoft Defender for Identity protects your Okta accounts
11+
12+
Okta is a cloud-based identity and access management (IAM) platform that helps organizations control how users and administrators sign in and access enterprise applications. Okta manages high-value identities, including privileged accounts and API tokens. As a result, it’s a frequent target for misuse or attack. Many organizations use Okta alongside on-premises systems like Active Directory and cloud services like Microsoft Entra ID. This hybrid model can make it harder to monitor identity activity and detect threats consistently across platforms.
13+
14+
When you connect Okta to Microsoft Defender for Identity, you can extend your identity threat detection and investigation capabilities to include Okta-managed users. Defender for Identity ingests user and activity data from Okta and correlates it with identity data from Active Directory and Microsoft Entra ID. This integration gives you a centralized view of user activity, posture risks, and suspicious behavior across your identity infrastructure, and you can take the necessary remediation actions.
15+
16+
17+
> [!NOTE]
18+
> The **Identity details** page in the Microsoft Defender portal shows the **Okta user risk score** only if the **Identity Threat Protection with Okta AI** feature is enabled. For more information, see [Risk scoring (Okta Identity Engine)](https://help.okta.com/oie/en-us/content/topics/security/security_risk_scoring.htm).
19+
20+
## What you can do after connecting Okta
21+
22+
With Okta connected, Defender for Identity provides the following capabilities:
23+
24+
25+
|Capability |Description |
26+
|---------|---------|
27+
|View Okta accounts in the Identity Inventory | Defender for Identity adds Okta users to the identity inventory in the Microsoft Defender portal. These accounts correlate with matching identities from Active Directory or Microsoft Entra ID, to allow unified tracking across platforms. |
28+
|Improve Okta security posture | Defender for Identity evaluates identity configuration in Okta and surfaces posture recommendations in Microsoft Secure Score. Example recommendations include: <br> - [Assign multifactor authentication to Okta privileged user accounts](assign-multi-factor-authentication-okta-privileged-user-accounts.md) <br> - [Change password for Okta privileged user accounts](change-okta-password-privileged-user-accounts.md) <br> - [High number of Okta accounts with privileged role assigned](high-number-of-okta-accounts-with-privileged-role-assigned.md) <br> - [Highly privileged Okta API token](highly-privileged-okta-api-token.md) <br> - [Limit the number of Okta Super Admin accounts](limit-number-okta-super-admin-accounts.md) <br> - [Remove dormant Okta privileged accounts](remove-dormant-okta-privileged-accounts.md) |
29+
|Get alerts on suspicious Okta activity | Defender for Identity alerts you when it detects high-risk behavior in Okta, including anonymous sign-ins, privileged role assignments, and token abuse. These alerts are available in Microsoft Defender XDR. When connected, Defender for Identity raises the following alerts based on Okta activity: <br> - Okta anonymous user access <br> - Privileged API token created <br> - Privileged API token updated <br> - Privileged Role assignment to Application <br> - Suspicious privileged role assignment <br> For a full list of supported alerts, see: [Defender for Identity XDR alerts](/defender-for-identity/alerts-xdr#initial-access-alerts). |
30+
|Use advanced hunting to investigate Okta activity | Advanced hunting lets you investigate identity activity across different services including Okta, Active Directory, and Microsoft Entra ID. <br> The **IdentityInfo** table includes account metadata such as privilege level, group membership, and identity source. <br> The **IdentityEvents** table includes events related to those identities, such as sign-ins, authentication attempts, and identity-related alerts across supported identity providers. <br> To explore the full schema and build your own queries, see: <br> - [IdentityInfo ](/defender-xdr/advanced-hunting-identityinfo-table) <br> - [IdentityEvents(Preview)](/defender-xdr/advanced-hunting-identityevents-table). |
31+
|Take remediation actions | When Microsoft Defender for Identity identifies an identity as at risk, you can take the following remediation actions directly from the Defender portal to update the user's status in Okta. <br> - Revoke all user's sessions <br> - Deactivate user in Okta <br> - Set user risk in Okta <br> For more information, see: [Remediation actions in Microsoft Defender for Identity](remediation-actions.md#roles-and-permissions). |
32+
33+
34+
## Next steps
35+
36+
- [Connect Okta to Microsoft Defender for Identity](okta-integration.md)
37+

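Review bot: The front-matter description at line 3 has a subject-verb error, "Learn how Microsoft Defender for Identity protect your Okta accounts"; it should read "protects". In the table, the line 29 "For a full list of supported alerts" link targets the "#initial-access-alerts" anchor, which by its name is one category rather than a full list, and the line 31 "Remediation actions" link lands on "#roles-and-permissions"; confirm both anchors are the intended targets. Line 30 has link-text spacing slips ("[IdentityInfo ]" and "[IdentityEvents(Preview)]"), and lines 15-16, 23-24 and 32-33 add doubled blank lines.
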