Okta Classic Engine | Lifecycle Management | Answered | 2026-05-12T09:02:34.000Z | 2025-04-10T21:11:45.000Z | 2025-04-30T17:50:10.000Z

vb8u6 (vb8u6) asked a question.

Deprovisioning Automation Based on Usage

I am a software asset manager looking to utilize Okta to assist in automated removal of users from groups based on the use of the associated application. (e.g., if a user does not access Figma application chiclet through Okta or use it to SSO into Figma in the last 90 days, it would remove the user from the group/deprovision the license through SCIM). Does this capability exist within Okta or workflows today? If so, has anyone successfully implemented something like it?


  • TimL.58332 (Workflows)

    @vb8u6 (vb8u6)​  -- This question isn't simple to answer. Workflows is an API client that communicates with external API endpoints (Okta included) to CRUD data or can receive Event/Webhook data from remote sources to process. For your use case there would need to be some sort of datapoint available that would be able to identify your criteria for removal. If one doesn't exist you would need to create it.

     

    In a scenario where one doesn't exist and you need to create it "if" the specific eventType exists in the Okta System log && is Event-Hook-Eligible you could leverage Okta Event Hooks (with event-hook-filtering) to deliver payloads where the event result was successful to a processor (Such as Okta Workflows) to update a custom profile attribute on a user.

     

    Event Hooks (eligible section)

    https://developer.okta.com/docs/concepts/event-hooks/

     

    So for example in a System Log event I logged a user into a specific application. It contains the eventType user.authentication.sso which is event-hook-eligible. This means with the EA feature "Event Hook Filtering" enabled I could create an Event Hook for the user signon to application. Then in the filtering ONLY fire on payloads that are result=SUCCESS && have a target.id of the appinstance value you want to record logins for.

     

    {
     "actor": {
      "id": "00urg743sJrqMGi4H5d6"
     },
     "eventType": "user.authentication.sso",
     "outcome": {
      "result": "SUCCESS",
      "reason": null
     },
     "target": [
      {
       "id": "0oarlz64f4arakcLp5d6",
       "type": "AppInstance",
       "alternateId": "Google Workspace"
      }
     ]
    }

    This could deliver to an Okta Workflows API endpoint to be processed since it also includes the details of the actor you can use this ID to update their successful login attribute with a new ISO 8601 date stamp.

     

    Then you could have another series of flows running on a schedule that "Lists Users with Search" looking for date ranges "older than" X days ago and all found users could have an action applied against them.

     

     

    Selected as Best
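The two halves of the design in the answer above (an event hook receiver that stamps a custom attribute on each successful SSO, and a scheduled sweep that removes members whose stamp is older than X days), written out as an added example that is not part of the original post. The custom attribute name `lastFigmaSso`, the group id, the `OktaStub` class standing in for the real `POST /api/v1/users/{id}` and `DELETE /api/v1/groups/{gid}/users/{uid}` calls, and the sample events are all assumptions made here so the code runs offline; the app instance id is the placeholder from the post. Note that the receiver re-checks the `eventType`, `outcome.result` and `target` conditions itself rather than trusting the hook filter, verifies the hook's Authorization header in constant time, and the sweep skips members that have no stamp at all instead of removing them.

```python
"""Added example (not from the thread): event hook receiver + scheduled sweep.

Assumptions: custom profile attribute `lastFigmaSso`, LICENSE_GROUP_ID, and
OktaStub (in-memory stand-in for the Okta REST calls) are hypothetical."""
import hmac
from datetime import datetime, timedelta, timezone

APP_INSTANCE_ID = "0oarlz64f4arakcLp5d6"  # AppInstance id to track (placeholder from the post)
LICENSE_GROUP_ID = "00g0000000000000000"   # hypothetical group that SCIM-provisions the license
ATTR = "lastFigmaSso"                      # hypothetical custom user profile attribute
HOOK_SECRET = "change-me"                  # Authorization header value configured on the hook
ISO_FMT = "%Y-%m-%dT%H:%M:%S.000Z"         # ISO 8601 UTC; sorts lexicographically = chronologically

def verification_response(headers):
    """Answer the one-time GET verification Okta sends when the hook is created."""
    return {"verification": headers["x-okta-verification-challenge"]}

def hook_authorized(headers):
    """Constant-time check of the Authorization header Okta attaches to each delivery."""
    return hmac.compare_digest(headers.get("Authorization", ""), HOOK_SECRET)

def successful_sso_actors(payload, app_id):
    """Actor ids of events that are a SUCCESS user.authentication.sso into app_id.
    Re-checked here even if event hook filtering is enabled, so a misconfigured
    filter cannot turn unrelated events into 'usage'."""
    hits = []
    for ev in payload.get("data", {}).get("events", []):
        if ev.get("eventType") != "user.authentication.sso":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        if any(t.get("type") == "AppInstance" and t.get("id") == app_id
               for t in ev.get("target", [])):
            hits.append(ev["actor"]["id"])
    return hits

class OktaStub:
    """Stand-in for POST /api/v1/users/{id} (profile update) and
    DELETE /api/v1/groups/{gid}/users/{uid} (group removal)."""
    def __init__(self, profiles, members):
        self.profiles = profiles       # user id -> profile dict
        self.members = set(members)    # user ids currently in LICENSE_GROUP_ID
    def update_profile(self, uid, fields):
        self.profiles.setdefault(uid, {}).update(fields)
    def remove_from_group(self, gid, uid):
        self.members.discard(uid)

def handle_delivery(headers, payload, okta, now):
    """Event hook endpoint: stamp ATTR with the delivery time for each hit."""
    if not hook_authorized(headers):
        return 401, []
    touched = successful_sso_actors(payload, APP_INSTANCE_ID)
    for uid in touched:
        okta.update_profile(uid, {ATTR: now.strftime(ISO_FMT)})
    return 200, touched

def stale_search_expression(now, days):
    """Search expression for the scheduled 'List Users with Search' step.
    Users whose attribute was never set do not match 'lt'; seed it on join."""
    cutoff = (now - timedelta(days=days)).strftime(ISO_FMT)
    return f'profile.{ATTR} lt "{cutoff}"'

def sweep(okta, now, days):
    """Scheduled flow: remove members whose last SSO is older than `days`.
    Members with no stamp are skipped, not removed."""
    cutoff = (now - timedelta(days=days)).strftime(ISO_FMT)
    removed = []
    for uid in sorted(okta.members):
        last = okta.profiles.get(uid, {}).get(ATTR)
        if last is not None and last < cutoff:
            okta.remove_from_group(LICENSE_GROUP_ID, uid)
            removed.append(uid)
    return removed

def demo():
    """Constructed sample org and hook delivery (not real data)."""
    now = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)
    okta = OktaStub(
        profiles={"00uACTIVE": {ATTR: "2025-04-01T00:00:00.000Z"},
                  "00uSTALE": {ATTR: "2024-12-01T00:00:00.000Z"},
                  "00uNEW": {}},
        members=["00uACTIVE", "00uSTALE", "00uNEW"])
    tgt = [{"id": APP_INSTANCE_ID, "type": "AppInstance", "alternateId": "Figma"}]
    payload = {"data": {"events": [
        {"eventType": "user.authentication.sso", "actor": {"id": "00uACTIVE"},
         "outcome": {"result": "SUCCESS", "reason": None}, "target": tgt},
        {"eventType": "user.authentication.sso", "actor": {"id": "00uSTALE"},
         "outcome": {"result": "FAILURE", "reason": "DENY"}, "target": tgt},  # not usage
    ]}}
    status, touched = handle_delivery({"Authorization": HOOK_SECRET}, payload, okta, now)
    removed = sweep(okta, now, days=90)
    return {"status": status, "touched": touched, "removed": removed,
            "members": sorted(okta.members), "expr": stale_search_expression(now, 90)}

if __name__ == "__main__":
    print(demo())
```

In production the `OktaStub` calls become real requests from Workflows (or your own service) using an API token scoped to update user profiles and manage group membership, and `stale_search_expression` is the string handed to the "List Users with Search" card; re-checking the stamp locally in `sweep` is cheap insurance against a search that returns more than intended.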
  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @vb8u6 (vb8u6)​ , thank you for contacting Okta Community.

     

    I've brought your question to our engineers' attention. Your goal could be achieved using Workflows. You can read more about it here:

    Okta Workflows page

    Okta Workflows documentation - main page

     

    The data input should be similar to the one discussed in this post:

    Query about automatically deactivate app users if inactive for more than 90 days

    However, it would need to be more complex than this since you intend to deprovision one app at a time, without deactivating the account. If you have a paid account and an Okta Account Executive, you may want to ask them about our Professional Services. They are our experts in custom-made solutions and design-fitted implementations. They are your best bet if you are looking for something highly personalized to your environment and your company's goals.

     

    If you do not have a paid account but are interested in upgrading, you can contact our Sales team

     

    Regards. 

This question is closed.