
Okta Integration Guide (User Access Review)

Connect Okta as a user access review (UAR) connection type

Updated yesterday

The Okta integration enables security, IT, and compliance teams to automate user access reviews and gain visibility into workforce identity management. It connects Drata to your Okta tenant to sync users and groups, centralize identity evidence, and support access review workflows across your organization.

Key Capabilities

  • User & Group Sync: Imports users, groups, and role assignments from Okta into Drata.

  • De-provisioning Evidence: Tracks suspended or deactivated accounts to support off-boarding controls.

  • Audit Visibility: Collects identity metadata and logs for audit-ready reporting.

This integration is used to automate tests such as User Access Review and User Account Management, helping prove compliance with Access Control and Identity Management policies.

Prerequisites & Data Access

Before setting up the Okta integration for user access review:

  • Connect Okta as an identity provider first.

    • This connection is required before enabling the User Access Review integration. Refer to Okta IdP integration before continuing.

  • An Okta API token is required to connect Drata to Okta.

    • The token must follow least privilege security practices and should not come from a personal or Super Admin account.

  • To securely generate the API token, you must first create a Custom Admin Role.

    • A Super Admin account is required to create the custom admin role in Okta.

Additional notes

  • Verify which apps Okta can provision or connect to. Some applications do not expose user data even when integrated with Okta; refer to the Okta Integration Network.

  • Okta provides user attributes based on how SSO provisioning is configured. Some apps may not appear if provisioning is not fully managed through Okta.

  • If your IT team provisions user access outside of Okta (for example, assigning access directly in a SaaS app), visibility will be limited. You can upload user lists manually or use Drata direct integrations when available.

Permissions & Data Table

| Permission / Scope | Why It's Needed | Data Accessed (Read Only) |
| --- | --- | --- |
| For custom administrator role: View roles, resources, and admin assignments | Required to retrieve role metadata for user access review | Role metadata and assignments |
| For resource set: Identity and Access Management > All Identity and Access Management resources | Limits Drata to directory-related data only, following least privilege | Access to identity directory data (users & groups) within scope |

Step-by-Step Setup

Step 1: Create custom administrator role

A Super Admin is required for this step. You will NOT use a Super Admin API token. Drata uses a custom admin role following the principle of least privilege.

  1. Log in to Okta as a Super Administrator.

  2. Navigate to Security > Administrators > Roles.

  3. Click Create new role.

  4. Enter a role name (e.g., drata_custom) and description.

  5. Click Add Permissions.

  6. Select View roles, resources, and admin assignments.

  7. Click Save Role.

Step 2: Create a resource set

Okta requires custom roles to be assigned to a resource set.

  1. Navigate to Security > Administrators > Resource Sets.

  2. Click Create new resource set.

  3. Enter a name (e.g., drata_resource) and description.

  4. Click Add Resource.

  5. Select Identity and Access Management > All Identity and Access Management resources.

  6. Click Save Resource Set.

This grants read access only to identity-related resources.

Step 3: Create account to assign role

  1. Create a service account in Okta for Drata (e.g., [email protected]).

  2. Assign the following to it:

    • Read-Only Administrator role (drata_custom)

    • Resource Set (drata_resource)

Step 4: Create the API token

  1. Log in as the service account user.

  2. Navigate to Security > API > Tokens.

  3. Click Create Token and name it Drata.

  4. Copy and securely store the token (you cannot view it again later).

Step 5: Complete the Connection

When connecting, enter the following values from Okta:

| Drata Field | Okta Value |
| --- | --- |
| API Token | Generated via the service account in the "Create the API token" step above |
| Okta Domain URL | Your Okta tenant domain (e.g., https://company.okta.com) |
| Service Account Email | Email of the Okta service account used to generate the token |

For steps on accessing and using the Connections page in Drata, refer to The Connections Page in Drata.

Step 6: Verify

  1. Go to the Connections page in Drata and locate the Okta tile.

  2. Select Manage Accounts.

  3. Confirm that users are successfully syncing from Okta.
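As an added check alongside the Drata-side verification above (this is example code written for this guide, not Drata's or Okta's own tooling), the script below confirms from the command line that the service-account token can read the directory and summarizes user lifecycle status, which is the off-boarding evidence the access review relies on. It assumes the tenant URL and token are supplied in the OKTA_DOMAIN and OKTA_API_TOKEN environment variables (assumed names, not from the guide) and uses only the Okta endpoints /api/v1/users and /api/v1/groups with the SSWS token scheme. Because Okta omits DEPROVISIONED users from an unfiltered user listing, those are fetched with an explicit status filter. A 401 means the token itself is invalid; a 403 means the custom role or resource set from Steps 1 to 3 does not cover the directory.

```python
"""Added example (not Drata's or Okta's code): verify the Drata service-account
token can read the Okta directory and summarize user status as off-boarding evidence.
Assumes OKTA_DOMAIN and OKTA_API_TOKEN environment variables (assumed names)."""
import json
import os
import re
import sys
import urllib.error
import urllib.request
from collections import Counter
from typing import Optional
from urllib.parse import urlencode, urlparse

# Okta paginates with a Link header: <url>; rel="self", <url>; rel="next"
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')

# Constructed sample data (not from a real tenant) so the helpers run offline.
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE"},
    {"id": "u2", "status": "ACTIVE"},
    {"id": "u3", "status": "SUSPENDED"},
    {"id": "u4", "status": "DEPROVISIONED"},
]
SAMPLE_LINK_HEADER = (
    '<https://company.okta.com/api/v1/users?limit=200>; rel="self", '
    '<https://company.okta.com/api/v1/users?after=abc&limit=200>; rel="next"'
)


def normalize_domain(domain: str) -> str:
    """Return 'https://host' for a tenant given as a bare host or a full URL.
    Anything other than https is rejected so the token never travels in clear text."""
    raw = domain.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parsed = urlparse(raw)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Okta domain must be an https URL, got {domain!r}")
    return f"https://{parsed.netloc}"


def build_headers(api_token: str) -> dict:
    """Okta API tokens are sent with the SSWS authorization scheme."""
    token = api_token.strip()
    if not token:
        raise ValueError("API token is empty")
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from an Okta Link header; None on the last page."""
    if not link_header:
        return None
    for url, rel in LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def summarize_statuses(users: list) -> dict:
    """Count users by lifecycle status. ACTIVE is the population to review;
    SUSPENDED and DEPROVISIONED are the off-boarding evidence."""
    return dict(Counter(u.get("status", "UNKNOWN") for u in users))


def fetch_all(url: str, headers: dict, max_pages: int = 100) -> list:
    """GET every page of a paginated Okta collection endpoint."""
    items, pages = [], 0
    while url and pages < max_pages:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            items.extend(json.load(resp))
            url = next_link(resp.headers.get("Link"))
        pages += 1
    return items


def main() -> int:
    base = normalize_domain(os.environ["OKTA_DOMAIN"])
    headers = build_headers(os.environ["OKTA_API_TOKEN"])
    deprov_query = urlencode({"filter": 'status eq "DEPROVISIONED"', "limit": 200})
    try:
        users = fetch_all(f"{base}/api/v1/users?limit=200", headers)
        users += fetch_all(f"{base}/api/v1/users?{deprov_query}", headers)
        groups = fetch_all(f"{base}/api/v1/groups?limit=200", headers)
    except urllib.error.HTTPError as e:
        # 401: token invalid or expired. 403: custom role / resource set too narrow.
        print(f"Okta rejected the request: HTTP {e.code}", file=sys.stderr)
        return 1
    print(f"users: {len(users)}, groups: {len(groups)}")
    print("status breakdown:", summarize_statuses(users))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the service account's token owner with `OKTA_DOMAIN=https://company.okta.com OKTA_API_TOKEN=... python okta_check.py`; a non-zero user count with a clean status breakdown is the same signal as the Manage Accounts check in Drata, and the SUSPENDED/DEPROVISIONED counts are what the de-provisioning evidence test consumes.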

Important Notes

  • Use API tokens from a dedicated service account only.

  • Nested groups in Okta may sync differently depending on your organization’s setup.

  • Okta attribute mappings may impact role visibility and access review completeness.

  • If some users or apps do not appear, verify whether those are managed outside of Okta.
