Identifying Who Deactivated an Okta Custom Authorization Server
Last Updated:
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview
An Okta administrator can determine when a custom authorization server was deactivated and by whom by reviewing the Okta System Log and searching for the oauth2.as.deactivated event or the specific custom authorization server ID. Expanding the log event reveals the administrator (actor) who performed the action, the affected server or policy (target), and the exact timestamp of the modification.
Applies To
- Okta Classic Engine
- Okta Identity Engine (OIE)
- System Logs
- API Access Management
- Custom Authorization Servers
Cause
A custom authorization server or its associated policy/rule was deactivated due to an explicit administrator action or environment configuration change, necessitating an audit trail investigation.
Solution
What steps reveal the Okta administrator who deactivated a custom authorization server?
To identify the source of this change, review the Okta System Log for events related to configuration changes by following these steps:
- Log in to the Okta Admin Console.
- Navigate to Reports > System Log.
- In the search bar, search for:
eventType eq "oauth2.as.deactivated" - Alternatively, search directly using the affected custom authorization server ID.
- Expand the log event to review the specific details:
- The display name and type of the policy or rule that was deactivated.
- The Okta administrator who performed the action (including their display name and alternate ID).
- The timestamp and Universally Unique Identifier (UUID) of the event.
