Okta Certified Professional - Study Notes: Creating & Managing Users


1. Okta Universal Directory (UD) Overview

UD centralizes user identity data across all sources.

Identity Sources

  Source Type            Description
  Okta-Sourced           Create users manually or via CSV import.
  Directory-Sourced      Integrate AD/LDAP; users sync into Okta.
  HR-Sourced             Integrate HR systems (Workday, SuccessFactors).
  Anything-as-a-Source   Any custom source (CSV-as-a-Source, API).


2. User Accounts in Okta

A user account enables authentication into Okta.

Account Components

  • Applications — Assigning apps allows user access via the Okta Dashboard.

  • Groups — User inherits:

    • App assignments

    • Admin roles

    • Security policies

  • Profile — Identity attributes (username, name fields, custom attributes).

  • Devices — Okta Verify-enrolled devices appear in the user record.

  • Admin Roles — Grant specific administrative capabilities.

  • Pre-Enrolled Authenticators — Admin can pre-configure Okta Verify for new hires.

User ID

  • Created automatically when the user is saved.

  • Shown at the end of the URL in the browser.

  • Retrievable via API.


3. Creating Users

Manual Creation

  • From Directory → People → Add person.

CSV Import

  • People → More actions → Import users from CSV

  • Default status: Staged

  • Option: Automatically activate → sets status to Pending user action and sends activation email.


4. User Account Statuses (Exam-Critical!)

Initial statuses:

  • Staged

    • User created but cannot sign in.

    • Used for setup/configuration before activation.

  • Pending user action

    • Waiting for activation email.

  • Active

    • Fully functional; user can sign in and access apps.

Statuses triggered by events/conditions:

  • Password reset

    • User/admin initiated password reset.

  • Password expired

    • Password lifetime exceeded.

  • Locked out

    • User exceeded allowed sign-in attempts (password policy).

  • Suspended

    • Admin initiated.

    • User cannot sign in; app assignments remain.

    • Used for: security concerns, leave of absence (LOA), a pre-deactivation step, vacation, bypass. Suspension is reversible, which makes it the right choice when access must be removed only temporarily.

  • Deactivated

    • Admin initiated offboarding step.

    • Removes all app assignments and the password, and triggers downstream deprovisioning. Deactivation cannot be reversed without admin action AND has a larger impact than suspension.

Statuses that consume an Okta license:

  • Active

  • Password reset

  • Password expired

  • Locked out

  • Suspended

(Deactivated and Staged do NOT consume licenses.)


5. Troubleshooting Sign-In Issues (System Log)

Scenario: Jun Pak cannot sign in after several attempts.

Step 1 — Filter System Log

Go to Reports → System Log → User account activity.

Step 2 — Refine the search

Use:

  • Date/Time filter

    • Narrow to when issue occurred (e.g., 5:05 PM).

  • Search bar / Advanced filters

    • actor.alternateId eq "jun.pak@oktaice.com"

Step 3 — Identify the issue

Look at latest event:

  • EventType: user.account.lock

  • DisplayMessage: “Maximum number of sign-in attempts exceeded.”

Meaning:

  • Even the correct password will not work while the account is locked out.

Step 4 — Fix the issue

  1. Unlock the user account.

  2. Have user attempt sign-in again.

  3. If still failing → reset password and send temporary password.
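As an added example (not part of these notes and not Okta's own tooling), here is the Step 2 and Step 3 logic applied to constructed System Log events in Python: the filter actor.alternateId eq "<user>" with an optional date/time window, then the lock state read from the newest lock-related event. The event field names follow the System Log shape the notes reference; the sample events, the other.user@oktaice.com actor and the user.account.unlock event type used for the "unlocked" case are assumptions.

```python
from datetime import datetime

# Constructed sample System Log events (not real tenant data). Field names follow
# the System Log event shape the notes reference: eventType, displayMessage,
# actor.alternateId, published (ISO 8601 with a trailing "Z").
SAMPLE_EVENTS = [
    {"published": "2024-03-01T17:03:10.000Z", "eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "actor": {"alternateId": "jun.pak@oktaice.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"published": "2024-03-01T17:04:02.000Z", "eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "actor": {"alternateId": "other.user@oktaice.com"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2024-03-01T17:05:30.000Z", "eventType": "user.account.lock",
     "displayMessage": "Maximum number of sign-in attempts exceeded.",
     "actor": {"alternateId": "jun.pak@oktaice.com"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2024-03-01T17:06:15.000Z", "eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "actor": {"alternateId": "jun.pak@oktaice.com"},
     "outcome": {"result": "FAILURE", "reason": "LOCKED_OUT"}},
]
# The unlock event type is not in the notes; it is assumed here for the 'unlocked' case.
LOCK_EVENT_TYPES = ("user.account.lock", "user.account.unlock")

def parse_published(ts):
    """Turn a System Log 'published' value into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def filter_events(events, alternate_id, start=None, end=None):
    """Step 2: actor.alternateId eq "<user>" plus an optional time window, oldest-first."""
    lo = parse_published(start) if start else None
    hi = parse_published(end) if end else None
    matches = [e for e in events
               if e["actor"]["alternateId"] == alternate_id
               and (lo is None or parse_published(e["published"]) >= lo)
               and (hi is None or parse_published(e["published"]) <= hi)]
    return sorted(matches, key=lambda e: parse_published(e["published"]))

def diagnose(events, alternate_id, start=None, end=None):
    """Step 3: state from the newest lock-related event: 'locked_out', 'unlocked' or 'no_lock_event'."""
    user_events = filter_events(events, alternate_id, start, end)
    lock_events = [e for e in user_events if e["eventType"] in LOCK_EVENT_TYPES]
    if not lock_events:
        return "no_lock_event", (user_events[-1] if user_events else None)
    latest = lock_events[-1]
    state = "locked_out" if latest["eventType"] == "user.account.lock" else "unlocked"
    return state, latest
```

A later sign-in failure after the lock does not change the answer: the lock state comes from the newest lock or unlock event, which is why Step 4 starts with unlocking rather than another password attempt.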


6. Key Exam Tips

  • Locked out ≠ Suspended
    Locked out = triggered by too many attempts.
    Suspended = admin action; app assignments remain.

  • Deactivating a user triggers downstream deprovisioning — exam loves this.

  • CSV import defaults to Staged unless auto-activate is selected.

  • Admin roles are inherited through groups — this appears often in scenario questions.

  • Staged users cannot authenticate until activated.