Identity Provider Users With Old Password

Remediation

Okta Admin Console (Asset-Level)

1. Open the affected user(s) from the finding details.
2. Apply the control-specific fix:

• Inactive users: suspend/deactivate users no longer needed.
• Excess super administrators: remove unnecessary Super Admin role assignments.
• Old password risk: enforce stricter password policy and rotation settings.

1. Save changes and confirm user status/role/policy updates.

Okta API (Asset-Level)

Use an API token with least privilege:

export OKTA_ORG="https://<your-org>.okta.com"
export OKTA_TOKEN="<api-token>"

Deactivate a user:

curl -s -X POST "$OKTA_ORG/api/v1/users/<user-id>/lifecycle/deactivate" \
  -H "Authorization: SSWS $OKTA_TOKEN" \
  -H "Accept: application/json"

List a user's assigned admin roles:

curl -s "$OKTA_ORG/api/v1/users/<user-id>/roles" \
  -H "Authorization: SSWS $OKTA_TOKEN" \
  -H "Accept: application/json"

Validation

• Re-run the control and confirm findings are cleared.
• Track approved exceptions with owner and expiry date.

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

• Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.