PabloValarezo/oktaquestionnaire

Okta Questionnaire

An Okta assessment questionnaire to capture an overall picture of the org

Users

  • How many users are in the directory?
  • How are users created?
  • What attributes are populated for user profiles?
  • Are different 'user types' in use?
  • How many SVC accounts exist?
  • How are SVC accounts identified?
  • Are deactivated accounts eventually deleted?
  • Are ‘linked objects’ used?

Groups

  • How many groups exist?
  • Are groups imported from apps and directories?
  • What attributes are captured for groups?
  • What are the group naming conventions?
  • Are owners identified for each group?

Group Rules

  • How many rules exist?
  • What are the design principles for rules?
  • What categories of rules exist?

Directory Integrations

  • Is Active Directory integrated?
    • How many agents?
    • Are agents in auto-update mode?
    • Is AD a source of identities?
    • Is AD password sync enabled?
    • Is AD Integrated Windows Authentication in use?
  • Is LDAP integrated?
  • Are other directories integrated?
  • If the Okta LDAP Interface is in use, what is using it?

Applications

  • Number of SAML applications:
  • Number of OIDC apps:
  • Number of apps which support SCIM:
  • Number of SWA apps:
  • Is self-serve allowed?
  • What attributes are captured for each app?
  • Are owners identified for each app?
  • What's the process to request apps be integrated?
  • Is there an assignment strategy documented for each app?
  • Do any apps have app-specific login policies?
  • Are there on-prem applications in scope?

Networks

  • What networks are defined?
  • What dynamic networks are defined?

Administrators

  • How many administrators exist?
  • Are admin permissions properly configured?
  • Are admin permissions reviewed periodically?

API Tokens

  • How many tokens are in use?
  • Are administrative permissions properly aligned to each token in use?
  • How are keys used?
  • Are owners known and documented?

Factors

  • What factors are available to users?
  • Are there different factors available to different groups of users?

Policies

  • What Sign-On policies are defined?
  • What Sign-On rules are enforced?
  • What Password policies are defined?
  • What Password rules are enforced?
  • What Factor policies are defined?
  • What Factor rules are enforced?

Okta Workflows

  • Is Okta Workflows procured?
  • What type of workflows are in production?
  • Is there a roadmap of other workflows?
  • Are there any web hooks created and in use?

General

  • Are the right contacts in place?
  • Are email templates configured?
  • What EA features are enabled?
  • Is ThreatInsight configured and complete?
  • Is HealthInsight configured and complete?

Other

  • Is the version of this Okta instance Okta Identity Engine (OIE) or Classic?
  • What Okta Cell is your instance in?
  • Do you have an Okta Preview instance?
  • Do you have other Okta instances?
  • Is Terraform-based Okta infrastructure in place?
  • Is RADIUS configured?
  • Is On-Premise Provisioning (OPP) used?
  • Is Device Trust in use?
  • Is Okta Access Gateway (OAG) used?
  • Is Okta Advanced Server Access (ASA) used?

Okta Contract

  • What is the timing of the contract?
  • What SKUs are purchased?
  • Are there opportunities for right-sizing the contract?

Cloud Infrastructure

What cloud infrastructure is integrated into Okta?

  • AWS
  • GCP
  • Azure
  • Snowflake
  • Databricks
  • Other cloud infrastructure?

Regulations/Audits

What regulations are in scope for the company?

  • SOC2
  • SOX
  • PCI
  • HIPAA
  • HITRUST
  • FedRAMP
  • GDPR
  • GLBA
  • FISMA
  • CCPA
  • Others?
