What it provides
- User sync — Active and deactivated users; feeds the access-review and provisioning controls
- Per-user MFA enrollment — Feeds the authentication control
- Group memberships and assigned applications — Feeds the least-privilege control
Setup
Sign in to your Okta admin console
Use a service-account user with a read-only admin role for least privilege.
Sync frequency
- Identity sync (users, MFA enrollment, group/app assignments) runs every 4 hours on the hour
- System log poll (sign-in events, factor activity) runs hourly at :30 — aligned with the Duo auth-log poll to spread load
- Manual sync can be triggered at any time from the integration card
Frequently asked questions
What permissions does the API token need?
Read-only is enough. Okta API tokens inherit the role of the user that created them. Best practice: create the token from a service-account user with a read-only admin role (e.g. Read-only administrator), so the token can never modify users, MFA factors, or apps even if it leaks.
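Because an Okta API token inherits the role of the user that created it, the practical check is to confirm that the principal behind the token holds only the Read-only administrator role. The script below is an added example (not part of the Regentra page or of Okta's own tooling): it assumes the Okta endpoints `GET /api/v1/users/me` and `GET /api/v1/users/{id}/roles` with `SSWS` token authentication, reads the org URL and token from the placeholder environment variables `OKTA_ORG_URL` and `OKTA_API_TOKEN`, and evaluates a constructed sample of role objects offline so the logic can be exercised without an Okta tenant.

```python
"""Verify that an Okta API token was minted by a read-only admin.

Added example, not code from the Regentra page or from Okta.
Assumed endpoints: GET /api/v1/users/me and GET /api/v1/users/{id}/roles
(SSWS token auth). OKTA_ORG_URL and OKTA_API_TOKEN are placeholders.
"""
import json
import os
import urllib.request

# Okta role type assigned by the "Read-only administrator" role.
READ_ONLY_ROLE = "READ_ONLY_ADMIN"


def okta_get(org_url: str, token: str, path: str):
    """GET a JSON resource from the Okta management API using an SSWS token."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}{path}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def excess_roles(roles):
    """Return the active admin role types that go beyond read-only, sorted."""
    return sorted(
        {
            r.get("type", "UNKNOWN")
            for r in roles
            if r.get("status", "ACTIVE") == "ACTIVE" and r.get("type") != READ_ONLY_ROLE
        }
    )


def token_is_read_only(roles):
    """True only if READ_ONLY_ADMIN is present and no other active admin role is."""
    active_types = {r.get("type") for r in roles if r.get("status", "ACTIVE") == "ACTIVE"}
    return READ_ONLY_ROLE in active_types and not excess_roles(roles)


def check_live(org_url: str, token: str):
    """Resolve the token's own user, list its admin roles, and evaluate them."""
    me = okta_get(org_url, token, "/api/v1/users/me")
    roles = okta_get(org_url, token, f"/api/v1/users/{me['id']}/roles")
    return me.get("profile", {}).get("login"), token_is_read_only(roles), excess_roles(roles)


# Constructed sample role lists, shaped like Okta role objects (not real data).
SAMPLE_READ_ONLY = [{"id": "ra-1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"}]
SAMPLE_OVERPRIVILEGED = [
    {"id": "ra-1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
    {"id": "ra-2", "type": "USER_ADMIN", "status": "ACTIVE"},
]
SAMPLE_NO_ADMIN_ROLE = []


if __name__ == "__main__":
    org_url = os.environ.get("OKTA_ORG_URL")
    token = os.environ.get("OKTA_API_TOKEN")
    if org_url and token:
        login, ok, extra = check_live(org_url, token)
        print(f"token principal: {login}; read-only: {ok}; excess roles: {extra}")
    else:
        # Offline demonstration on the constructed samples.
        for name, sample in (("read-only", SAMPLE_READ_ONLY),
                             ("overprivileged", SAMPLE_OVERPRIVILEGED),
                             ("no admin role", SAMPLE_NO_ADMIN_ROLE)):
            print(f"{name}: read-only={token_is_read_only(sample)} excess={excess_roles(sample)}")
```

A token created by a user with no admin role at all also fails the check, which is intentional: such a token cannot read the user, factor, and application data the sync needs, so a failing result in either direction means the service account should be revisited before the token is pasted into the integration.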
Tokens expire — what happens?
Okta API tokens remain valid as long as they are used at least once every 30 days, or until an admin rotates them. Regentra polls daily, so tokens stay alive automatically. If you rotate a token manually, paste the new token into the integration; the old one stops working immediately.
Should I use Okta API tokens or OAuth?
API token for now. OAuth-based service-to-service is on the roadmap but not required for evidence sync.