
4ldi6 (4ldi6) asked a question.
Looking at the documentation (https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-end-user-states.htm), it states "Accounts have a suspended status when an admin explicitly suspends them." However, we are seeing accounts marked as suspended without any Okta Admin interaction. So I am looking for what other reasons accounts get marked this way that aren't documented.
e.g. something coming through the directory integration or maybe the user has exceeded the failed MFA count, or some other such cause.
Thank you

Hi! A few questions... do you source users from, say, Workday/AD/Salesforce, etc.? If so, please check the settings for that application under Profile Sources > Provisioning > To Okta.
From here, look for "When a user is deactivated in the app" and see if it is set to "Suspend" or "Deactivate". Depending on how many places you source users from and how you have that configured, you may need to check multiple apps depending on the users that are experiencing this issue.
Do you have any workflows turned on and in place? That is another possibility.
Finally, I would take a look at the logs for the user ID and "user.lifecycle.suspend" as the EventType; that should also provide you with at least some context for the event and what came before/after the suspension, leading to a better conclusion.
Please be sure to write back with any questions or concerns from the above. Thanks!
This just came up for us as well after adding some email MFA for our users. I'm seeing the Okta logs have a user.lifecycle.suspend event triggered by "system@okta.com" after just 5 user.authentication.auth_via_mfa reason INVALID_CREDENTIALS events plus system.email.challenge_factor_redeemed reason authfactor.challenge.soft_token.invalid_passcode events.
So it appears this is automatic. I want to figure out if this behavior is configurable anywhere.
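As an added illustration of the log triage suggested in the answer above (filter on user.lifecycle.suspend, then look at what came before it for that user) and of the pattern described in the last reply, here is a small script that is not part of the thread or Okta's own tooling. It uses the Okta System Log field names (eventType, actor, target, outcome, published); the log entries themselves and the user jdoe@example.com are constructed sample data, and the actor type "SystemPrincipal" for system@okta.com is an assumption.

```python
"""Triage Okta System Log events: for each user.lifecycle.suspend, report who
triggered it (admin vs. the Okta system itself) and count the events that hit
the same user in the preceding window. Sample data is constructed."""
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%S.%fZ"
SYSTEM_ACTOR = "system@okta.com"


def _event(ts, event_type, actor, result, reason=None):
    """Build one constructed log entry in System Log shape for user jdoe."""
    actor_type = "SystemPrincipal" if actor == SYSTEM_ACTOR else "User"  # assumed type label
    ev = {"published": ts.strftime(ISO)[:-4] + "Z",  # trim microseconds to milliseconds
          "eventType": event_type,
          "actor": {"alternateId": actor, "type": actor_type},
          "target": [{"alternateId": "jdoe@example.com", "type": "User"}],
          "outcome": {"result": result}}
    if reason:
        ev["outcome"]["reason"] = reason
    return ev


# Constructed export, oldest first: five failed MFA attempts, then a suspension.
_T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = [_event(_T0 + timedelta(seconds=30 * i), "user.authentication.auth_via_mfa",
                     "jdoe@example.com", "FAILURE", "INVALID_CREDENTIALS") for i in range(5)]
SAMPLE_LOG.append(_event(_T0 + timedelta(seconds=160), "user.lifecycle.suspend",
                         SYSTEM_ACTOR, "SUCCESS"))


def explain_suspensions(events, window_minutes=15):
    """Return one finding per suspend event: user, actor, source and a histogram of
    'eventType/reason' for earlier events on the same user inside the window."""
    ordered = sorted(events, key=lambda e: e["published"])
    findings = []
    for idx, ev in enumerate(ordered):
        if ev["eventType"] != "user.lifecycle.suspend":
            continue
        users = {t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"}
        cutoff = datetime.strptime(ev["published"], ISO) - timedelta(minutes=window_minutes)
        preceding = {}
        for prior in ordered[:idx]:
            if datetime.strptime(prior["published"], ISO) < cutoff:
                continue
            if not users & {t.get("alternateId") for t in prior.get("target", [])}:
                continue
            key = f"{prior['eventType']}/{prior.get('outcome', {}).get('reason')}"
            preceding[key] = preceding.get(key, 0) + 1
        actor = ev["actor"]
        automatic = actor.get("alternateId") == SYSTEM_ACTOR or actor.get("type") == "SystemPrincipal"
        findings.append({"user": sorted(users), "actor": actor.get("alternateId"),
                         "source": "automatic" if automatic else "admin", "preceding": preceding})
    return findings
```

Run explain_suspensions over a real export filtered on the user's ID; a finding whose source is "automatic" and whose preceding histogram is dominated by failed MFA events points at a platform-side lockout rather than an admin or provisioning action.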