
Lists all integrated applications with optional filter and expand. Returns SAML, OIDC, and WS-Fed apps. Pagination via limit and after.
Common Use Cases:
With Adopt AI, your agents can tap into Okta's full identity management capabilities. Here are five ways teams use the Okta MCP integration:
1. Automated User Provisioning & Deprovisioning
AI agents monitor HR systems and automatically create, update, or deactivate Okta user accounts based on employee lifecycle events.
2. Access Review & Compliance Auditing
AI agents pull user access data from Okta to generate compliance reports, flag excessive permissions, and streamline periodic access reviews.
3. Security Incident Response
Automatically detect suspicious login patterns in Okta, trigger MFA challenges, and lock compromised accounts while notifying security teams.
4. Application Assignment Automation
AI agents assign and revoke Okta application access based on role changes, department transfers, or project assignments across your organization.
5. SSO & MFA Policy Management
AI agents monitor authentication policies in Okta, recommend security improvements, and generate reports on MFA adoption rates across the organization.

Creates an event hook with _rawBody (name, events, channel). Returns hook for verification flow.

Deactivates an application; blocks new SSO while preserving config. Returns app.

Returns failed authentication log events via filter for outcome result FAILURE. Use for brute-force or lockout analysis. Pagination via limit and after.

Gets application configuration by id. Returns settings, credentials metadata, and policy references.

Returns organization metadata (company name, subdomain) for the authenticated token. Useful for connectivity checks beyond validateCredentials.

Gets a single session by id including user binding and status. Use for validating a session token reference.

Changes password when admin supplies old and new in _rawBody per credentials.change_password schema. Returns result. Prefer user self-service where possible.

Lists applications assigned to a group. Returns app assignments. Useful for understanding group-based SSO access.

Deletes a session by id, ending the user browser session. Use for forced logout of a specific session.

Lists groups assigned to an application. Returns group assignment records with pagination.

Lists log events for a specific actor or target user via filter on actor.id or target.id. Pass userId and optional window. Returns audit trail focused on one principal.

Deletes an application integration. Removes assignments; confirm with stakeholders before calling.

Gets one event hook configuration including verification and event subscriptions.

Removes an enrolled MFA factor from a user. Irreversible; user may need to re-enroll.

Gets a trusted origin by id for CORS policy review.

Activates a verified event hook so events are delivered.

Lists Okta directory users with optional search (q), filter expression, and sort. Returns user profiles and ids. Use for discovery before OKTA_GET_USER or lifecycle actions. Supports pagination via limit and after.

Deletes a network zone; policies referencing it may need updates.

Lists policies with optional type filter (e.g. OKTA_SIGN_ON, PASSWORD). Returns policy summaries with pagination.

Deletes a policy. Ensure no apps depend on it; may fail if referenced.

Deletes an Okta-managed group. Irreversible for pure Okta groups. Verify memberships with OKTA_LIST_GROUP_MEMBERS first.

Updates group profile via PUT. Returns updated group. Cannot change certain app-group types; check Okta errors.

Removes suspension from a user so they can authenticate again. Returns user. Pair with OKTA_SUSPEND_USER workflows.

Activates a device lifecycle state when suspended or staged per Okta Devices API.

Creates a network zone from _rawBody (name, type, gateways). Used for geo/IP policy conditions.

Submits OTP or activation for factor enrollment verification. POST _rawBody with passCode or other vendor fields.

Activates a deactivated application so users can access it again. Returns app status.

Lists all groups with optional query and filter. Returns group catalog. Supports pagination via limit and after. Use OKTA_GET_GROUP for details.

Lists configured event hooks for outbound event streaming. Returns hook ids and status. Pagination supported.

Fetches authentication-related system log events using a pre-scoped filter for eventType auth* successes and failures. Returns same schema as OKTA_LIST_SYSTEM_LOGS. Use when troubleshooting login issues.

Suspends a device for policy violations; blocks trust signals from that device.

Forces password expiration on next login for the user. Returns user. Use for security remediation requiring password change.

Gets details for one enrolled factor including vendor metadata. Use when troubleshooting MFA for a user.

Creates a new user with profile, credentials, and optional group assignments via _rawBody Okta User object. Returns created user. Use OKTA_ACTIVATE_USER separately if you need immediate activation. Prefer explicit body over flattened fields for complex profiles.

Creates an application from _rawBody (name, signOnMode, settings). Returns new app. Complex templates should mirror Okta Admin JSON.

Gets network zone detail including gateways and locations.

Deactivates a policy without deleting configuration; rules stop applying.

Updates zone membership or metadata with PUT _rawBody.

Deactivates a device so it cannot be used for device trust until reactivated.

Searches sessions with q query parameter per Okta Sessions API. Returns active session metadata. Use before OKTA_CLEAR_SESSION.

Extends session lifetime via lifecycle refresh when permitted by policy. Returns updated session. Use sparingly per security policy.

Activates a staged or deactivated user when policy allows. Returns user. Use after OKTA_CREATE_USER without activate flag or after manual remediation.

Updates an existing user via PUT with partial-safe patterns in _rawBody. Returns updated user. Use for profile changes, not password rotation (see OKTA_CHANGE_PASSWORD_USER). Requires userId path.

Activates an inactive policy so rules apply to targeted resources.

Adds a user to a group by PUT on membership resource. Returns nothing on success. Use OKTA_REMOVE_USER_FROM_GROUP to revoke.

Reads Okta System Log (GET /api/v1/logs) with since, until, filter, q, and limit. Returns security and lifecycle events. Primary tool for SIEM-style investigation; combine with multiple filters for common cases.

Deletes a device record from Okta inventory. Use when device is retired.

Lists group memberships for a user. Returns group ids and types. Use before OKTA_ADD_USER_TO_GROUP or for RBAC audits.

Deletes an event hook and stops delivery to your endpoint.

Lists application links assigned to a user (SSO apps). Returns app metadata and assignment state. Use for access reviews; for group-based access see OKTA_LIST_USER_GROUPS.

Deactivates a user (lifecycle). User cannot sign in until reactivated. Returns updated user. Use for offboarding; compare with OKTA_SUSPEND_USER for temporary holds.

Lists CORS trusted origins for admin and embedded flows. Returns origin URLs and scopes.

Updates policy definition with PUT _rawBody. Returns updated policy. Validate with OKTA_GET_POLICY first.

Lists users assigned to an application with pagination. Returns assignment and credential state.

Assigns a group to an application using POST with group id in _rawBody. Propagates access to all members.

Updates app settings with PUT and full or partial body in _rawBody. Returns updated app.

Unassigns a user from an application by DELETE on the assignment resource.

Updates trusted origin settings with PUT _rawBody.

Creates trusted origin from _rawBody with name and origin string.

Assigns a user to an application via POST with _rawBody assignment object (id, credentials if needed).

Removes suspension from a device after remediation.

Fetches a single user by id or login. Returns full profile, status, and credentials metadata. Use when you already have userId from list or logs. For bulk discovery prefer OKTA_LIST_USERS with filter.

Revokes all sessions for a user via DELETE on user sessions collection. Use for account compromise response.

Updates event hook settings via PUT _rawBody.

Lists managed devices with optional search and filter. Returns device inventory for Zero Trust reviews. Pagination via limit and after.

Gets one device record by id including compliance and user association.

Removes a user from a group. Use to revoke role bundles tied to group membership.

Lists enrolled MFA factors for a user. Returns factor types and status. Use before OKTA_VERIFY_FACTOR or OKTA_DELETE_FACTOR.

Deletes a trusted origin; may affect Admin SPA or embedded widget access.

Lists IP network zones used in policies. Returns zone definitions with pagination.

Enrolls a new factor for a user via POST _rawBody (factorType, provider). Returns factor enrollment state. Follow with verify challenge if required.

Lists inline hooks (token, import, SAML, etc.). Returns hook metadata with pagination.

Suspends an active user; blocks authentication until unsuspended. Returns user. Prefer for temporary access removal vs full deactivation.

Triggers Okta password reset email or temp password flow per org policy. Send _rawBody for provider options. Use for self-service reset initiation by admin.

Unlocks a user locked out by password policy after failed attempts. Returns user. Use when helpdesk clears lockouts.

Retrieves one group by id including profile and type. Use after OKTA_LIST_GROUPS when you need exact metadata.

Lists users in a group with pagination. Returns user summaries. Use for access certification and roster exports.

Creates a new Okta group; supply profile.name in _rawBody. Returns created group. For AD-mastered groups use appropriate source.

Creates a policy from _rawBody including type and name. Returns new policy. Complex rules may require follow-up PUT.

Retrieves full policy document including rules. Use when editing or cloning policy settings.

Pauses event hook delivery without deleting configuration.

Gets inline hook configuration including channel and version.
Do I need my own developer credentials to use Okta MCP with Adopt AI?
No, you can get started immediately using Adopt AI's built-in Okta integration. For production use, we recommend configuring your own API credentials for greater control and security.
Can I connect Okta with other apps through Adopt AI?
Yes! Adopt AI supports multi-app workflows, so your AI agents can seamlessly move data between Okta and CRMs, spreadsheets, messaging platforms, and more.
Is Adopt AI secure?
Absolutely. Adopt AI is SOC 2 Type 2 certified and ISO/IEC 27001 compliant, and adheres to EU GDPR, CCPA, and HIPAA standards. All data is encrypted in transit and at rest, ensuring the confidentiality, integrity, and availability of your data.
What happens if the Okta API changes?
Adopt AI maintains and updates all integrations automatically, so your agents always work with the latest API versions, no manual maintenance required.
Do I need coding skills to set up the Okta integration?
Not at all. Adopt AI's zero-shot API discovery means your agents understand Okta's schema on first contact. Setup takes minutes with no code required.
How do I set up custom Okta MCP in Adopt AI?
For a step-by-step guide on creating and configuring your own Okta API credentials with Adopt AI, see here.