
Assess Okta Security with cnspec

Secure and enforce policy for Okta

Rely on cnspec to ensure your Okta domain follows security best practices, such as verifying that access policy rules are active, auditing application sign-on modes, reviewing user account status and credential providers, checking group and policy configurations, and validating ThreatInsight settings.

Before you begin

Before you start, install cnspec.

Give cnspec access using an Okta API token

To scan your Okta environment, cnspec needs access through the Okta API. You create an API token and then provide it when running cnspec commands.

Create an Okta API token. The token must be created by a user with the Super Administrator or Read-Only Administrator role. Carefully record the API token and your Okta domain.

Okta API tokens have a fixed expiration period of 30 days. Want a place to experiment? Sign up for a free developer account at developer.okta.com/signup.

If your domain includes -admin, remove it when specifying the organization. For example, if your Okta URL is dev-22556123-admin.okta.com, specify dev-22556123.okta.com.

To test access, open a cnspec shell and verify the connection:

cnspec shell okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN
cnspec> okta.organization
okta.organization: {
  subdomain: "dev-22556123"
  companyName: "okta-dev-22556123"
  status: "ACTIVE"
}

You can also set the OKTA_CLIENT_TOKEN environment variable to omit the --token flag:

export OKTA_CLIENT_TOKEN='YOUR_API_TOKEN'
cnspec shell okta --organization dev-22556123.okta.com

Scan Okta

To scan your Okta organization:

cnspec scan okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure all access policy rules are active
✕ Fail:  Ensure ThreatInsight action is set to block
✓ Pass:  Ensure all domains are verified

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

Scan with the Mondoo Okta Organization Security policy

Mondoo maintains an out-of-the-box Okta Organization Security policy that checks access policies, sign-on settings, application configurations, ThreatInsight, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Okta", and add the policy. All future scans of your Okta organization automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-okta-organization-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Explore your Okta environment

Run cnspec shell okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN to open the interactive shell.

Query user profiles and credentials

cnspec> okta.users { profile status lastUpdated credentials['provider']['name'] }
okta.users: [
  0: {
    status: "PROVISIONED"
    profile: {email: "suki@lunalectric.com", firstName: "Suki", lastName: "Mbeze", login: "suki@lunalectric.com"}
    lastUpdated: 2023-01-20 23:49:58 +0000 UTC
    credentials[provider][name]: "OKTA"
  }
  ...
]

Audit applications

cnspec> okta.applications { status name label signOnMode }
okta.applications: [
  0: {
    status: "ACTIVE"
    name: "saasure"
    label: "Okta Admin Console"
    signOnMode: "OPENID_CONNECT"
  }
  1: {
    status: "ACTIVE"
    name: "dev-22556257_pagerduty_1"
    label: "PagerDuty"
    signOnMode: "AUTO_LOGIN"
  }
  ...
]

Example security checks

Ensure all access policy rules are active

cnspec> okta.policies {
    accessPolicy {
        name
        rules { status == "ACTIVE" }
    }
}

Ensure ThreatInsight is set to block threats

cnspec> okta.organization.threatInsightSettings.action == "block"
[ok] value: "block"

Ensure all domains are verified

cnspec> okta.domains { domain validationStatus == "COMPLETED" }

Check for suspended users

cnspec> okta.users.where( status == "SUSPENDED" ) { profile['email'] status }
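The shell queries above are one-off checks. To run them on every scan (the "create your own policies" option mentioned earlier), put them in a cnspec policy bundle and pass it with --policy-bundle, the same way the Mondoo policy is passed. The bundle below is an added example written for this page; it is not Mondoo's own Okta policy. The policy and query uids, the author name, the impact scores and the remediation text are constructed, and the asset filter asset.platform == "okta-org" is an assumption about how cnspec labels an Okta organization, so verify it against your cnspec version before relying on it. Where the shell queries only display fields, the checks wrap the condition in all() so that a single inactive rule or unverified domain fails the check.

```yaml
# okta-custom.mql.yaml: constructed example bundle, not Mondoo's policy
policies:
  - uid: example-okta-custom-checks           # constructed uid
    name: Example custom Okta checks
    version: 1.0.0
    authors:
      - name: Example author                  # placeholder
    docs:
      desc: |
        Custom checks built from the interactive shell queries on this page.
        Each check uses all(), so it holds only when every inspected object
        passes; a single inactive rule or unverified domain fails the check.
    groups:
      - title: Okta organization hygiene
        # Assumed platform name for an Okta organization asset; adjust if
        # your cnspec version reports it differently.
        filters: asset.platform == "okta-org"
        checks:
          - uid: example-okta-access-policy-rules-active
          - uid: example-okta-threatinsight-block
          - uid: example-okta-domains-verified
        # Data queries only report; they never affect the risk score.
        queries:
          - uid: example-okta-suspended-users

queries:
  - uid: example-okta-access-policy-rules-active
    title: Ensure all access policy rules are active
    impact: 60                                # constructed score
    mql: |
      okta.policies.accessPolicy.all(rules.all(status == "ACTIVE"))
    docs:
      desc: An inactive rule silently drops a condition the access policy is expected to enforce.
      remediation: Activate or delete each inactive rule so the policy matches its documented intent.

  - uid: example-okta-threatinsight-block
    title: Ensure ThreatInsight action is set to block
    impact: 80                                # constructed score
    mql: okta.organization.threatInsightSettings.action == "block"
    docs:
      desc: With ThreatInsight set to audit or none, requests from known-malicious sources are logged but still allowed.
      remediation: Set the ThreatInsight action to block in the Okta admin console.

  - uid: example-okta-domains-verified
    title: Ensure all custom domains are verified
    impact: 40                                # constructed score
    mql: okta.domains.all(validationStatus == "COMPLETED")
    docs:
      desc: An unverified custom domain cannot serve sign-in pages and may indicate an abandoned configuration.
      remediation: Complete DNS validation for the domain or remove it.

  - uid: example-okta-suspended-users
    title: List suspended user accounts
    mql: okta.users.where(status == "SUSPENDED") { profile['email'] status lastUpdated }
```

Run it against your organization with the same command used for the Mondoo policy, substituting the local file: cnspec scan okta --organization dev-22556123.okta.com --token YOUR_API_TOKEN --policy-bundle ./okta-custom.mql.yaml. The three checks then appear in the pass/fail summary with the remediation text shown on failure, while the suspended-user query appears as reported data.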

Continuously scan your fleet

To move beyond one-off scans, set up an Okta integration in Mondoo Platform. You get continuous monitoring across your Okta environment, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
