Microsoft Defender for Identity (MDI), Microsoft's identity threat detection solution, has extended its protection capabilities to Okta, as announced in the Microsoft Tech Community. While MDI is known as a protection solution for Active Directory, its coverage now includes Okta as well.
I gave it a quick try and here are my notes.
This blog post is based on information available as of June 26, 2025. I've done some simple verification with an Okta Developer license, but I believe this kind of feature is best tested in a production environment. If anyone has tried this in a live environment, I'd love to hear about your positive experiences.
Configuration
It's extremely simple, so much so that I felt it wasn't necessary to write down the steps. For details, including licensing requirements, please see the Microsoft Learn page.
What Does This Integration Enable?
Display of Okta's Security Score
Okta has been added to the security score items. It detects weak configurations, such as overly permissive API token scopes, and surfaces them as improvement actions.
Incident Detection, Investigation, and Response (ITDR)
By ingesting Okta logs into MDI, you can now write detection rules that cover Okta compromises.
Investigating a compromise used to mean correlating information by hand: checking the Okta admin console, AD logs, and the various SaaS logs one by one. If you have a SIEM with all of these logs integrated, you can do the correlation there, but it can now also be done directly in the Defender portal's Advanced Hunting.
Since suspicious activities from Okta are displayed alongside AD's unusual behaviors on the Defender for Identity timeline, you can intuitively understand how an attacker is attempting to move laterally across on-premises and cloud environments.
When a compromise is detected, you can take immediate actions, such as disabling the compromised account, directly from the Defender portal.
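The kind of cross-environment correlation described above, as an added Advanced Hunting example that is not from the original post or from Microsoft's documentation: it looks for accounts with a burst of failed Okta sign-ins from one IP, followed within an hour by a successful on-premises AD logon for the same user. It assumes that Okta sign-in events ingested by MDI appear in IdentityLogonEvents with Application set to "Okta" and that AD logons carry the same AccountUpn; both are assumptions to verify against your own tenant before using the query.

```kql
// Added example, not from the original post. Assumption: Okta sign-in
// events ingested by MDI land in IdentityLogonEvents with Application == "Okta".
// Check the actual Application value in your tenant before relying on this.
let lookback = 7d;
let window = 1h;
// Step 1: accounts with repeated failed Okta sign-ins from a single source IP
let oktaFailures =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where Application == "Okta"          // assumed value, see comment above
    | where ActionType == "LogonFailed"
    | summarize Failures = count(), LastFail = max(Timestamp)
        by AccountUpn, IPAddress
    | where Failures >= 5;
// Step 2: successful on-premises AD logons for those accounts shortly after
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where Application == "Active Directory"
| where ActionType == "LogonSuccess"
| join kind=inner oktaFailures on AccountUpn
| where Timestamp between (LastFail .. (LastFail + window))
| project AccountUpn, OktaSourceIP = IPAddress1, Failures, LastFail,
          AdLogonTime = Timestamp, DeviceName, Protocol, LogonType
| order by AdLogonTime desc
```

Tune the failure threshold and the window to your environment; a hit here is a lead for the timeline view, not a verdict on its own.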
What Was My Experience Using It?
SOC Members Might Not Need Okta Accounts Anymore
Members of the SOC (Security Operations Center) responsible for incident response can now investigate and act centrally from the Defender portal without needing individual Okta admin accounts. This is expected to reduce the burden of account management and speed up incident response.
This is particularly beneficial for a 24/7 SOC, which typically has a considerable number of members. Assigning Okta admin accounts to each of these members would be a hassle and, more importantly, a security risk. The ability to complete all tasks within the Defender portal is a very positive development.
The Integration Needs a Bit More Work
At present, it's hard to say that Okta and MDI are seamlessly integrated. For example, in the Advanced Hunting search results, there is an AccountObjectId column. However, clicking on it does not navigate to the user's entity page. The expected behavior would be to go seamlessly to the user page for any entity detected in Advanced Hunting, so I really hope this will be improved.
(It seems that Okta IDs are assigned a Cloud ID rather than an AccountObjectId.)
Organizations That Should Consider This Integration
We recommend that organizations meeting the following criteria consider testing this integration:
- Hold an Okta Enterprise license.
- Are using Microsoft Defender for Identity (e.g., via an E5 license).
- Require integrated security monitoring for on-premises AD and cloud identities.
- Are looking for centralized incident response within their SOC.
Conclusion
The Okta integration for Microsoft Defender for Identity is a major step forward for identity threat detection in hybrid environments. While some features still have room for improvement, it is an important step towards truly integrated security monitoring.
For those fortunate organizations that have licenses for both products, I highly recommend giving it a try. I look forward to seeing future updates.