MicrosoftDocs
diff --git a/‎ATPDocs/alerts-xdr.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/alerts-xdr.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/media/okta-integration/connect-new-okta-single-sign-on-connector.png‎
49.4 KB b/‎ATPDocs/media/okta-integration/connect-new-okta-single-sign-on-connector.png‎
49.4 KB
diff --git a/‎ATPDocs/media/okta-integration/okta-connected.png‎
49.5 KB b/‎ATPDocs/media/okta-integration/okta-connected.png‎
49.5 KB
diff --git a/‎ATPDocs/media/okta-integration/review-okta-details.png‎
36.9 KB b/‎ATPDocs/media/okta-integration/review-okta-details.png‎
36.9 KB
diff --git a/‎ATPDocs/media/okta-integration/select-okta-single-sign-on.png‎
149 KB b/‎ATPDocs/media/okta-integration/select-okta-single-sign-on.png‎
149 KB
diff --git a/‎ATPDocs/media/okta-integration/select-product-defender-for-identity.png‎
34.8 KB b/‎ATPDocs/media/okta-integration/select-product-defender-for-identity.png‎
34.8 KB
diff --git a/‎ATPDocs/media/okta-integration/system-data-connector-catalog.png‎
83.7 KB b/‎ATPDocs/media/okta-integration/system-data-connector-catalog.png‎
83.7 KB
diff --git a/‎ATPDocs/okta-defender-for-identity-overview.md‎
Lines changed: 37 additions & 0 deletions b/‎ATPDocs/okta-defender-for-identity-overview.md‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎ATPDocs/okta-integration.md‎
Lines changed: 61 additions & 31 deletions b/‎ATPDocs/okta-integration.md‎
Lines changed: 61 additions & 31 deletions
diff --git a/‎ATPDocs/toc.yml‎
Lines changed: 11 additions & 6 deletions b/‎ATPDocs/toc.yml‎
Lines changed: 11 additions & 6 deletions
@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
 
 # Microsoft Defender for Identity XDR alerts
 
-Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists 
+Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. 
 
 To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
 
 
@@ -0,0 +1,37 @@
+---
+title: How Microsoft Defender for Identity protects your Okta accounts
+description: Learn how Microsoft Defender for Identity protect your Okta accounts and what the integration enables.
+ms.date: 08/07/2025
+ms.topic: overview
+ms.reviewer: himanch
+# customer-intent: As a security administrator, I want to understand what happens when I connect Okta to Microsoft Defender for Identity, so that I can decide whether to enable the integration.
+---
+
+# How Microsoft Defender for Identity protects your Okta accounts
+
+Okta is a cloud-based identity and access management (IAM) platform that helps organizations control how users and administrators sign in and access enterprise applications. Okta manages high-value identities, including privileged accounts and API tokens. As a result, it’s a frequent target for misuse or attack. Many organizations use Okta alongside on-premises systems like Active Directory and cloud services like Microsoft Entra ID. This hybrid model can make it harder to monitor identity activity and detect threats consistently across platforms.
+
+When you connect Okta to Microsoft Defender for Identity, you can extend your identity threat detection and investigation capabilities to include Okta-managed users. Defender for Identity ingests user and activity data from Okta and correlates it with identity data from Active Directory and Microsoft Entra ID. This integration gives you a centralized view of user activity, posture risks, and suspicious behavior across your identity infrastructure, and you can take the necessary remediation actions.
+
+
+> [!NOTE]
+> The **Identity details** page in the Microsoft Defender portal shows the **Okta user risk score** only if the **Identity Threat Protection with Okta AI** feature is enabled. For more information, see [Risk scoring (Okta Identity Engine)](https://help.okta.com/oie/en-us/content/topics/security/security_risk_scoring.htm).
+
+## What you can do after connecting Okta
+
+With Okta connected, Defender for Identity provides the following capabilities:
+
+
+|Capability  |Description  |
+|---------|---------|
+|View Okta accounts in the Identity Inventory    |  Defender for Identity adds Okta users to the identity inventory in the Microsoft Defender portal. These accounts correlate with matching identities from Active Directory or Microsoft Entra ID, to allow unified tracking across platforms.       |
+|Improve Okta security posture    |   Defender for Identity evaluates identity configuration in Okta and surfaces posture recommendations in Microsoft Secure Score. Example recommendations include: <br> - [Assign multifactor authentication to Okta privileged user accounts](assign-multi-factor-authentication-okta-privileged-user-accounts.md)  <br> - [Change password for Okta privileged user accounts](change-okta-password-privileged-user-accounts.md)  <br> - [High number of Okta accounts with privileged role assigned](high-number-of-okta-accounts-with-privileged-role-assigned.md)  <br> - [Highly privileged Okta API token](highly-privileged-okta-api-token.md)  <br> - [Limit the number of Okta Super Admin accounts](limit-number-okta-super-admin-accounts.md)  <br> - [Remove dormant Okta privileged accounts](remove-dormant-okta-privileged-accounts.md)      |
+|Get alerts on suspicious Okta activity   |  Defender for Identity alerts you when it detects high-risk behavior in Okta, including anonymous sign-ins, privileged role assignments, and token abuse. These alerts are available in Microsoft Defender XDR. When connected, Defender for Identity raises the following alerts based on Okta activity:  <br> - Okta anonymous user access  <br> - Privileged API token created  <br> - Privileged API token updated  <br> - Privileged Role assignment to Application  <br> - Suspicious privileged role assignment  <br> For a full list of supported alerts, see: [Defender for Identity XDR alerts](/defender-for-identity/alerts-xdr#initial-access-alerts).       |
+|Use advanced hunting to investigate Okta activity    |  Advanced hunting lets you investigate identity activity across different services including Okta, Active Directory, and Microsoft Entra ID. <br> The **IdentityInfo** table includes account metadata such as privilege level, group membership, and identity source. <br> The **IdentityEvents** table includes events related to those identities, such as sign-ins, authentication attempts, and identity-related alerts across supported identity providers.  <br> To explore the full schema and build your own queries, see:  <br> -  [IdentityInfo ](/defender-xdr/advanced-hunting-identityinfo-table)  <br> -  [IdentityEvents(Preview)](/defender-xdr/advanced-hunting-identityevents-table).       |
+|Take remediation actions      |  When Microsoft Defender for Identity identifies an identity as at risk, you can take the following remediation actions directly from the Defender portal to update the user's status in Okta.  <br> - Revoke all user's sessions  <br> - Deactivate user in Okta  <br> - Set user risk in Okta  <br> For more information, see: [Remediation actions in Microsoft Defender for Identity](remediation-actions.md#roles-and-permissions).       |
+
+
+## Next steps
+
+- [Connect Okta to Microsoft Defender for Identity](okta-integration.md)
+
@@ -1,44 +1,58 @@
 ---
-title: Microsoft Defender for Identity Okta integration | 
-description: Learn how about connecting your Okta app to Defender for Identity using the API connector.
-ms.date: 05/19/2025
+title: Connect Okta to Microsoft Defender for Identity (Preview)
+description: Learn how to connect your Okta app to Defender for Identity using the API connector.
+ms.date: 08/07/2025
 ms.topic: how-to
-ms. reviewer: izauer-bit 
+ms. reviewer: Himanch
 ---
 
-# Integrate Okta with Microsoft Defender for Identity (Preview)
+# Connect Okta to Microsoft Defender for Identity (Preview)
 
-Okta manages how users and customers sign in and get access to key systems. Since it plays a central role in identity and access management, any compromise whether accidental or intentional can lead to serious security risks. By integrating Microsoft Defender for Identity with Okta, you gain stronger identity protection. Defender for Identity monitors sign-in activity, detects unusual behavior, and highlights threats related to compromised or misused identities. It also identifies risks like suspicious role assignments or unused high-privilege accounts, using Okta data to deliver clear, actionable insights that help keep your organization secure.
+This page explains how to connect Microsoft Defender for Identity to your Okta account using the Unified Connectors experience. This connection provides visibility into Okta activity and enables shared data collection across Microsoft security products. The Unified Connectors experience allows Defender for Identity to collect Okta system logs once and share them with other supported Microsoft security products, such as Microsoft Sentinel. This reduces API usage, avoids duplicate data collection, and simplifies connector management. For more information, see [Unified connectors overview](/azure/sentinel/unified-connector).
+
+> [!NOTE]
+> If your Okta environment is already integrated with [Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-okta), connecting it to Microsoft Defender for Identity can cause duplicate Okta data, such as user activity, to appear in the Defender portal.
 
 ## Prerequisites
 
 Before connecting your Okta account to Microsoft Defender for Identity, make sure the following prerequisites are met:
 
-1. Your Okta environment must have one of the following licenses:
+### Okta licenses
 
-    - Developer
+Your Okta environment must have one of the following licenses:
 
-    - Enterprise
+- Developer
 
-> [!NOTE]
-> The Super Admin role is required only to create the API token. Once the token is created, remove the role and assign the Read-Only Administrator and Defender for Identity custom roles for ongoing API access.
+- Enterprise
 
+### Okta roles 
+
+The Super Admin role is required only to create the API token. After you create the token, remove the role and assign the Read-Only Administrator and Defender for Identity custom roles for ongoing API access.
 
-> [!NOTE]
-> If your Okta environment is already integrated with [Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-okta), connecting it to Microsoft Defender for Identity might cause duplicate Okta data, such as user activity, to appear in the Defender portal.
 
+### Microsoft Entra and Defender XDR role-based access options
+To configure the Okta connector in Microsoft Defender for Identity, your account must have either of the following access configurations assigned:
+
+- **Microsoft Entra roles:**
+
+    - Security Operator
+    - Security Admin
+
+- **Defender XDR Unified RBAC permission:**
+
+    - Core security settings (manage)
 
 ### Connect Okta to Microsoft Defender for Identity
 
 This section provides instructions for connecting Microsoft Defender for Identity to your dedicated Okta account using the connector APIs. This connection gives you visibility into and control over Okta use.
 
 ### Create a dedicated Okta account
 
-1. Create a dedicated Okta account that is used only for Microsoft Defender for Identity.
+1. Create a dedicated Okta account for Microsoft Defender for Identity use only.
 1. Assign your Okta account as a Super Admin role.
 1. Verify your Okta account.
 1. Store the account credentials for later use.
-1. Sign in to your dedicated Okta account created in step 1 in order to create an API token. 
+1. Sign in to your dedicated Okta account created in step 1 to create an API token. 
 
 ### Create an API token
 
@@ -56,9 +70,9 @@ This section provides instructions for connecting Microsoft Defender for Identit
      :::image type="content" source="media/okta-integration/create-an-okta-token.png" alt-text="Screenshot of the Okta API Tokens tab with the Create token button highlighted.":::
 
 1. In the Create token pop-up:
-    1. Enter a name for your Defender for Identity token
-    2. Select Any IP
-    3. Select Create token.
+    1. Enter a name for your Defender for Identity token.
+    2. Select **Any IP**.
+    3. Select **Create token**.
 
     :::image type="content" source="media/okta-integration/enter-okta-token-details.png" alt-text="Screenshot of the Okta Create token form with fields for token name and IP restriction, and the Create token button highlighted.":::
 
@@ -91,9 +105,11 @@ This section provides instructions for connecting Microsoft Defender for Identit
 
 ### Create a custom Okta role
 
-To support ongoing API access, Read-Only Administrator role and the custom Defender for Identity role are required. 
+> [!NOTE]
+> To support ongoing API access, you must assign both the **Read-Only Administrator role** and the **custom Microsoft Defender for Identity role.** These roles are mandatory to successfully configure the Okta connector. Configuration fails if either role is missing.
 
-After assigning both roles, you can remove the Super Admin role. This ensures that only relevant permissions are assigned to your Okta account at all times. 
+
+After you assign both roles, you can remove the **Super Admin role**. This approach ensures that only relevant permissions are assigned to your Okta account at all times.
 
 1. Navigate to **Security > Administrator**.
 1. Select the **Roles** tab.
@@ -134,25 +150,39 @@ To complete the configuration in Okta, assign the custom role and resource set t
 
 1. When you're done, remove the Super Admin role from the account.
 
-### Connect Okta to Defender for Identity
+### Connect Okta to Microsoft Defender for Identity
+
+1. Navigate to the Microsoft Defender Portal.
+1. Select **System** > **Data management** > **Data connectors** > **Catalog**
 
-1.  Navigate to the Microsoft Defender Portal
-1. Select **Settings** > **Identities** > **Okta integration**
+    :::image type="content" source="media/okta-integration/system-data-connector-catalog.png" alt-text="Screenshot showing where to find the Okta connector in the Defender portal." lightbox="media/okta-integration/system-data-connector-catalog.png":::
 
-    :::image type="content" source="media/okta-integration/select-settings-okta-integration.png" alt-text="Screenshot showing the Microsoft Defender for Identity settings page with the Okta Integration option highlighted.":::
+1. Select **Okta Single Sign-On** > **Connect a connector**.
 
-1. Select **+Connect Okta instance**.
-1. Enter your Okta domain (for example, acme.okta.com).
+    :::image type="content" source="media/okta-integration/select-okta-single-sign-on.png" alt-text="Screenshot that shows the connector option for Okta single sign-on." lightbox="media/okta-integration/select-okta-single-sign-on.png":::
+1. Enter a name for your connector.
+1. Enter your Okta domain (for example, my.project.okta.com).
 1. Paste the API token you copied from your Okta account.
-1. Select **Save**.
+1. Select **Next**.
+
+    :::image type="content" source="media/okta-integration/connect-new-okta-single-sign-on-connector.png" alt-text="Screenshot that shows where to add the connector name, domain, and API key.":::
+
+1. **Select products > Microsoft Defender for Identity**
+1. Select **Next**
 
-    :::image type="content" source="media/okta-integration/connect-okta-instance.png" alt-text="Screenshot that shows how to connect your Okta instance.":::
+    :::image type="content" source="media/okta-integration/select-product-defender-for-identity.png" alt-text="Screenshot that shows the product page for connecting Okta to Microsoft Defender for Identity." lightbox="media/okta-integration/select-product-defender-for-identity.png":::
 
+1. Review Okta details, and select **Connect**.
+
+    :::image type="content" source="media/okta-integration/review-okta-details.png" alt-text="Screenshot that shows the Okta connector details." lightbox="media/okta-integration/review-okta-details.png":::
 1. Verify that your Okta environment appears in the table as enabled.
 
-    :::image type="content" source="media/okta-integration/new-okta-domain.png" alt-text="Screenshot that shows the Okta environment has been added and is enabled.":::
+    :::image type="content" source="media/okta-integration/okta-connected.png" alt-text="Screenshot that shows the Okta single sign-on connector was successfully connected.":::
+
+
+> [!NOTE]
+> Connecting the Okta connector can take up to 15 minutes.
 
 ## Related articles
 
-- [Defender for Identity VPN integration in Microsoft Defender XDR](vpn-integration.md)
-- [Microsoft Defender for Identity extends ITDR capabilities to Okta identities](https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/microsoft-defender-for-identity-extends-itdr-capabilities-to-okta-identities/4418955)
+- [How Defender for Identity helps protect your Okta environment](okta-defender-for-identity-overview.md).
@@ -85,12 +85,16 @@ items:
         href: deploy/event-collection-overview.md
       - name: Configure audit policies for Windows event logs
         href: deploy/configure-windows-event-collection.md
-  - name: Integrate with identity services
-    items:
+- name: Integrate with identity services
+  items:
+    - name: Microsoft Defender for Identity and Okta
+      items:
+      - name: Overview
+        href: okta-defender-for-identity-overview.md
+      - name: Connect Okta to Microsoft Defender for Identity (Preview)
+        href: okta-integration.md
     - name: Integrate Defender for Identity with PAM services
       href: integrate-microsoft-and-pam-services.md
-    - name: Integrate Defender for Identity with Okta (Preview)
-      href: okta-integration.md
 - name: Manage
   items:
   - name: View the ITDR dashboard
@@ -162,6 +166,8 @@ items:
       href: remediation-actions.md
   - name: Security posture
     items:
+     - name: Identity security initiative (Preview)
+       href: identity-security-initiative.md
      - name: Overview
        href: security-assessment.md
      - name: Hybrid security
@@ -277,8 +283,7 @@ items:
          href: limit-number-okta-super-admin-accounts.md
        - name: Remove dormant Okta privileged accounts
          href: remove-dormant-okta-privileged-accounts.md
-     - name: Identity security initiative (Preview)
-       href: identity-security-initiative.md
+   
 - name: Reference
   items:
   - name: Operations guide