Why Event Type application.user_membership.restore is Triggered
Administration
Lifecycle Management
Okta Classic Engine
Okta Identity Engine
Overview

Administrators sometimes have concerns about the application.user_membership.restore event type seen in Okta's System Log and why it is being triggered. This article provides more insight into the event.

Applies To
  • Event Types
  • System Logs
Cause

This particular event is triggered when the following conditions are met:

  1. One or more Okta users are deactivated and then later reactivated. Alternatively, one or more Okta users are unassigned and reassigned to an application.
  2. These Okta users were assigned to applications with an associated stored credential, such as a SWA app password or an application with password synchronization enabled. This also applies to Microsoft Office 365 federated users.

If both conditions are met, the default behavior is to place the AppUser profile for such an application into a suspended status, rather than deactivating the AppUser profile, when the app unassignment occurs (for example, when the Okta user is deactivated). When the Okta user is later reactivated, the suspended AppUser profiles are reactivated as well and the user is again individually assigned to the application. That restoration is what generates the application.user_membership.restore event.

This logic helps prevent the loss of passwords on AppUser profiles when a user is unassigned from the application. However, as many organizations move to follow best practices, SWA apps are becoming less common in favor of SAML/OIDC sign-on.

For applications that do not store a credential on the AppUser profile, assignments are added back as normal, for example through the API or through group app assignment. This results in an application.user_membership.add event, because a completely new AppUser profile is created for each assignment.
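The following Python is an added example, not code from this Okta article, and it is offered as a way to audit the distinction above: it walks System Log entries, separates successful restore events from add events per application, and lists which user-to-app assignments were restored rather than recreated. An app that keeps producing restore events is one whose AppUser profiles are being suspended and revived, i.e. it stores a credential. The field layout (eventType, outcome.result, target with User and AppInstance entries) follows Okta's System Log; the sample entries, user addresses and app names are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample System Log entries, trimmed to the fields used here
# (real entries carry many more fields such as actor and debugContext).
SAMPLE_LOG = [
    {"eventType": "application.user_membership.restore",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "alice@example.com"},
                {"type": "AppInstance", "displayName": "Legacy SWA CRM"}]},
    {"eventType": "application.user_membership.add",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "bob@example.com"},
                {"type": "AppInstance", "displayName": "SAML Wiki"}]},
    {"eventType": "application.user_membership.restore",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "carol@example.com"},
                {"type": "AppInstance", "displayName": "Legacy SWA CRM"}]},
    {"eventType": "application.user_membership.add",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "alice@example.com"},
                {"type": "AppInstance", "displayName": "SAML Wiki"}]},
]

MEMBERSHIP_EVENTS = ("application.user_membership.restore",
                     "application.user_membership.add")

def _target(ev, kind, field):
    """Return `field` from the first target of type `kind`, or None."""
    return next((t.get(field) for t in ev.get("target", []) if t.get("type") == kind), None)

def app_membership_summary(events):
    """Count successful restore vs add events per application.

    Apps that mostly produce 'restore' are reviving suspended AppUser
    profiles, i.e. apps with a stored credential (SWA password or password
    sync) in an org where Deactivate App Assignments is not enabled."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("eventType") not in MEMBERSHIP_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts do not change any AppUser profile
        app = _target(ev, "AppInstance", "displayName") or "<unknown app>"
        summary[app][ev["eventType"].rsplit(".", 1)[1]] += 1  # "restore" or "add"
    return {app: dict(counts) for app, counts in summary.items()}

def restored_assignments(events):
    """(user, app) pairs whose AppUser profile was restored, not recreated."""
    return [(_target(ev, "User", "alternateId"), _target(ev, "AppInstance", "displayName"))
            for ev in events
            if ev.get("eventType") == "application.user_membership.restore"]
```

Feed it a list of entries decoded from a System Log export or the System Log API response; restore events that keep appearing after Deactivate App Assignments is enabled point at AppUser profiles suspended before the change, since the setting is not retroactive.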

Solution

To prevent AppUsers from being suspended in the Okta org and limit future application.user_membership.restore events, the Early Access feature Deactivate App Assignments can be enabled, which is found in Settings > Features > Early Access.

NOTE: When enabling this feature:

  1. Unassigning and reassigning a user to a Secure Web Authentication (SWA) application (even briefly or inadvertently) may require the user to re-enter their username and password when the assignment is restored.
  2. This change applies only to AppUser unassignments made after the feature is enabled, which are no longer placed in the Suspended status; it is not retroactive.
  3. The suspended status only refers to the AppUser profile (the assignment profile), which is unrelated to the Okta User profile (for example, this setting does not affect Okta User lifecycle management).
