Assess Okta Security with cnspec

Secure and enforce policy for Okta

Rely on cnspec to ensure your Okta domain follows security best practices, such as verifying that access policy rules are active, auditing application sign-on modes, reviewing user account status and credential providers, checking group and policy configurations, and validating ThreatInsight settings.

Before you begin

Before you start, install cnspec.

Give cnspec access using an Okta API token

To scan your Okta environment, cnspec needs access through the Okta API. You create an API token and then provide it when running cnspec commands.

Create an Okta API token. The token must be created by a user with the Super Administrator or Read-Only Administrator role. Carefully record the API token and your Okta domain.

If your domain includes -admin, remove it when specifying the organization. For example, if your Okta URL is dev-22556123-admin.okta.com, specify dev-22556123.okta.com.

To test access, open a cnspec shell and verify the connection:

cnspec shell okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN
cnspec> okta.organization
okta.organization: {
  subdomain: "dev-22556123"
  companyName: "okta-dev-22556123"
  status: "ACTIVE"
}

You can also set the OKTA_CLIENT_TOKEN environment variable to omit the --token flag:

export OKTA_CLIENT_TOKEN='YOUR_API_TOKEN'
cnspec shell okta --organization dev-22556123.okta.com
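The two setup details above (strip -admin from the organization, and read the token from OKTA_CLIENT_TOKEN rather than passing --token) are easy to get wrong when scans are scripted. The following shell functions are an added example, not code from the cnspec docs: only cnspec scan okta, --organization and OKTA_CLIENT_TOKEN come from this page; the function names are chosen here, and the handling of the oktapreview.com and okta-emea.com cell domains goes beyond the single okta.com example the docs give.

```shell
# Added example (not from the cnspec docs): normalize an Okta admin URL to the
# organization value cnspec expects, then scan using the OKTA_CLIENT_TOKEN
# environment variable instead of passing --token on the command line.
# Assumption: okta_org_from_url and cnspec_okta_scan are names chosen here;
# only "cnspec scan okta", --organization and OKTA_CLIENT_TOKEN come from the docs.

# Strip scheme and path, then drop the "-admin" suffix from the subdomain.
# Handles okta.com as in the docs, and also oktapreview.com and okta-emea.com
# (Okta's other cell domains), which goes beyond the docs' single example.
okta_org_from_url() {
  org="$1"
  org="${org#http://}"
  org="${org#https://}"
  org="${org%%/*}"
  printf '%s\n' "$org" | sed -E 's/-admin\.(okta|oktapreview|okta-emea)\.com$/.\1.com/'
}

# Run the scan with the token read from the environment. Fails fast with a
# clear message if OKTA_CLIENT_TOKEN is unset, so the token never has to
# appear in shell history or process listings as a --token argument.
cnspec_okta_scan() {
  org="$(okta_org_from_url "$1")"
  : "${OKTA_CLIENT_TOKEN:?set OKTA_CLIENT_TOKEN to an Okta API token before scanning}"
  cnspec scan okta --organization "$org"
}

# Usage (not run here):
#   export OKTA_CLIENT_TOKEN='YOUR_API_TOKEN'
#   cnspec_okta_scan https://dev-22556123-admin.okta.com/admin/dashboard
```

Keeping the token in the environment and the organization in a normalized form means the same wrapper works whether a teammate pastes the admin console URL or the bare domain, and a missing token is reported before any API call is attempted.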

Scan Okta

To scan your Okta organization:

cnspec scan okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure all access policy rules are active
✕ Fail:  Ensure ThreatInsight action is set to block
✓ Pass:  Ensure all domains are verified

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

By default, cnspec applies the Mondoo Okta Security policy, which covers access policies, sign-on settings, application configurations, ThreatInsight, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

Run cnspec shell okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN to open the cnspec interactive shell. From there you can run queries and checks like the examples below.

Query user status and credentials

cnspec> okta.users { profile status credentials['provider']['name'] }

Audit application sign-on modes

cnspec> okta.applications { name label signOnMode status }

Ensure all access policy rules are active

cnspec> okta.policies {
    accessPolicy {
        name
        rules { status == "ACTIVE" }
    }
}

Ensure ThreatInsight is set to block threats

cnspec> okta.organization.threatInsightSettings.action == "block"
[ok] value: "block"

Ensure all domains are verified

cnspec> okta.domains { domain validationStatus == "COMPLETED" }

Check for suspended users

cnspec> okta.users.where( status == "SUSPENDED" ) { profile['email'] status }
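The shell examples above answer one question at a time. To make them repeatable, and to use the --policy-bundle option mentioned earlier, they can be packaged as a custom cnspec policy bundle. The script below is an added example, not part of the cnspec docs or of the Mondoo Okta Security policy: the bundle and function names are chosen here, the asset.platform == "okta-org" filter is an assumption about how cnspec identifies Okta assets, and the .all() idiom used to turn the page's queries into pass/fail checks is an assumption about MQL.

```shell
# Added example (not part of the cnspec docs or the Mondoo Okta Security
# policy): package the checks from this page as a custom cnspec policy bundle
# and run it with --policy-bundle. Function names and the bundle uids are
# chosen here; the "okta-org" platform filter and the .all() idiom used to
# turn the docs' queries into pass/fail checks are assumptions about MQL.

# Write the bundle to the path given as $1.
write_okta_bundle() {
  cat > "$1" <<'EOF'
policies:
  - uid: custom-okta-baseline
    name: Custom Okta baseline
    version: 1.0.0
    groups:
      - title: Okta organization checks
        filters: asset.platform == "okta-org"   # assumed Okta platform id
        checks:
          - uid: okta-access-policy-rules-active
          - uid: okta-threatinsight-block
          - uid: okta-domains-verified
        queries:
          - uid: okta-suspended-users
queries:
  - uid: okta-access-policy-rules-active
    title: Ensure all access policy rules are active
    impact: 60
    mql: okta.policies.accessPolicy.all(rules.all(status == "ACTIVE"))
  - uid: okta-threatinsight-block
    title: Ensure ThreatInsight action is set to block
    impact: 80
    mql: okta.organization.threatInsightSettings.action == "block"
  - uid: okta-domains-verified
    title: Ensure all domains are verified
    impact: 40
    mql: okta.domains.all(validationStatus == "COMPLETED")
  - uid: okta-suspended-users
    title: List suspended users for review
    mql: okta.users.where(status == "SUSPENDED") { profile['email'] status }
EOF
}

# Scan an Okta organization with the bundle; the token comes from the
# environment as described earlier on this page.
run_okta_bundle() {
  bundle="$1"
  org="$2"
  : "${OKTA_CLIENT_TOKEN:?set OKTA_CLIENT_TOKEN to an Okta API token}"
  cnspec scan okta --organization "$org" --policy-bundle "$bundle"
}

# Usage (not run here):
#   write_okta_bundle okta-baseline.mql.yaml
#   export OKTA_CLIENT_TOKEN='YOUR_API_TOKEN'
#   run_okta_bundle okta-baseline.mql.yaml dev-22556123.okta.com
```

The three entries under checks produce pass/fail results and feed the risk score, while the suspended-users entry under queries only collects data for review, since a suspended account is not by itself a finding. The impact values are illustrative weights, not values from the Mondoo policy.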

Continuously scan your fleet

To move beyond one-off scans, set up an Okta integration in Mondoo Platform. You get continuous monitoring across your Okta environment, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
