Okta User Factor Report

This tool uses the Okta SDK to generate a CSV report on enrolled factor types for active or suspended users, helping IT and security admins quickly identify who has or hasn’t enrolled in MFA.

What is the use case?

I created this tool because regularly auditing your IdP is crucial for ensuring all users have at least one MFA factor enrolled. Rockstar and the built-in Okta admin console don’t offer a straightforward way to generate a report for this, making it harder to spot gaps that could lead to account takeovers. This tool bridges that gap by providing a clear, actionable report in just a few easy steps.

This tool is perfect if you're struggling to exceed Okta's API limit of 200 users—it pulls beyond 200 users with no limitations! 😎

Your API token and CSV data are never stored or transmitted to any servers. This tool runs entirely locally and only makes direct Okta API calls to Okta API endpoints—nothing leaves your machine. 🔒

Downloads

Don't be a fool—always verify the hashes before running anything. If the checksum doesn’t match, you might be downloading trouble. 🔥💀

OktaUserFactorReport_v1.1.0 for Linux and MacOS

SHA256sum: ff86a9e32a5cc60b98e80c570158ec29be22698b6960b3c4d49b88b8d23090f6

OktaUserFactorReport_v1.1.0 for Windows

SHA256sum: 3A048F97CBF28A9B106DD8B148B09570603D1399396137CA7D9172392AA81C19

Read me!

What you'll need:

  1. Know your Okta subdomain

  2. Have an Okta API Token (make sure it has the proper permissions)

If you're on Linux or macOS, fire up your terminal and run this command—just make sure to replace /path/to with the actual path to your binary. ⬇️

./path/to/OktaUserFactorReport_v1.1.0

If you're using Windows, just run the exe, and you'll see the CLI popup box.

If everything loads properly, this is what you'll see below. Answer the prompts, and the tool will work its magic!

Common mistakes that will lead to errors!

  • Incorrect Okta subdomain

  • Incorrect Okta API token value, or you pasted it incorrectly

  • The Okta account used to generate the API token lacks the necessary permissions to complete the task.

  • You were naughty and exceeded your Okta API limit!

Changelog

v1.1.0 - Minor Release (2025-02-15)

🚀 Added more details and updated data structuring

  • I added new columns to help admins see user enrollment factors more easily and restructured the CSV for better filtering. Users may appear multiple times since each of their factors is in its own row. See example CSV report below. I obfuscated some data for security, but your actual report will contain the real, unobfuscated data.

    • FIDO/webauthn are typically hardware security keys or passkeys

    • OKTA/signed_nonce are Okta Fastpass enrollments

v1.0.0 - Initial Release (2025-02-13)

🚀 New Features

  • Initial release of the project.

Packages Used

aenum==3.1.11
aiohappyeyeballs==2.4.6
aiohttp==3.11.12
aiosignal==1.3.2
attrs==25.1.0
cffi==1.17.1
colorama==0.4.6
cryptography==44.0.1
flatdict==4.0.1
frozenlist==1.5.0
idna==3.10
jwcrypto==1.5.6
multidict==6.1.0
okta==2.9.10
propcache==0.2.1
pycparser==2.22
pycryptodomex==3.21.0
pydash==8.0.5
PyJWT==2.10.1
PyYAML==6.0.2
tqdm==4.67.1
typing_extensions==4.12.2
xmltodict==0.14.2
yarl==1.18.3

PreviousOkta DeactivatorNextSecurity

Last updated