Okta Classic Engine | Insights and Reporting | Answered | 2025-11-06T09:00:19.000Z | 2025-08-06T19:12:22.000Z | 2025-08-29T14:58:47.000Z

nkt8m (nkt8m) asked a question.

getting a log of all the okta applications when deprovisioning a user

Hello, I'm working on a project using Okta in tandem with Workday and Zendesk. Currently we have it set up so that once a user is listed in Workday as deactivated / terminated / offboarding, they are immediately removed from groups within Okta. We are currently using additional Bookmark apps to list people's access within programs that, while not directly using Okta, we use as a way to monitor their access even if it's not using SSO.

 

My specific inquiry is whether there is a way for us to get a log of all of the applications groups a user is in before they are deprovisioned, and to acquire that list so that someone can manually deprovision the non-Okta apps.

 

Currently, once someone is set to be deactivated they are automatically removed from all the apps and we are unable to monitor which ones they had access to.


oixbg likes this.
  • HarryL.05482 (Anthropic Identity)

    You could write a workflow for this. However, you would need a "trigger" for when this would occur that wouldn't avoid making it manual. I'd recommend when you know that a user is going to be deactivated, add an attribute to their Okta profile that says "staged for deactivation" or something like that. That could be updated by Workday right before they're deactivated. Once that attribute/boolean gets updated, trigger a workflow that pulls all the user groups, and then you could clean up that API response so it's a simple list, and send that response to an email list. That's my off-the-cuff solution 🙂

     

    Hope that helps!

    Selected as Best
  • KathyT.73511 (Anthropic Identity)

    I agree with Harry, but you will need to have the Workflow run completely before you deactivate your user. Okta Workflows won't recognize the user if they are deactivated.

  • BrandonB.06003 (Customer)

    Are you currently using an Okta workflow for offboarding? If so, then in that workflow call this API: https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/actions/listapplicationsassignedtouser.htm

     

    and then you can take action on that prior to the "deactivate card" in your workflow

     

    If not, you'll have to re-work your offboarding so that the Workday import "suspends" the account instead of deactivating it, and then you have a workflow that triggers off of "suspend". It may be quite a heavy lift to do this initially, but then you'll have a lot more customization on offboarding going forward.
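
An added sketch (not from any poster in this thread, and not Okta's own code) of the snapshot step the answers describe: it reads the user's groups and assigned apps through the Okta REST API before deactivation and flags Bookmark apps for manual cleanup. The function names, the injected `fetch` callable and the sample data are assumptions made for this example.

```python
import json
import urllib.request
from urllib.parse import quote

def okta_fetch(org_url, api_token):
    """fetch(path) for a real org. Assumption: each result fits in one page;
    follow the Link header when it does not."""
    def fetch(path):
        req = urllib.request.Request(org_url + path, headers={
            "Authorization": "SSWS " + api_token, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def snapshot_access(user_id, fetch):
    """Record groups and app assignments while the user still has them."""
    uid = quote(user_id, safe="")
    user = fetch(f"/api/v1/users/{uid}")
    if user["status"] == "DEPROVISIONED":
        # Too late: deactivation already removed the assignments.
        raise RuntimeError("user is deactivated; snapshot must run earlier")
    groups = fetch(f"/api/v1/users/{uid}/groups")
    apps = fetch("/api/v1/apps?filter=" + quote(f'user.id eq "{user["id"]}"'))
    return {
        "login": user["profile"]["login"],
        "groups": sorted(g["profile"]["name"] for g in groups),
        "apps": sorted(a["label"] for a in apps),
        # Bookmark apps stand in for non-SSO tools, so a person must act on them.
        "manual_deprovision": sorted(
            a["label"] for a in apps if a.get("signOnMode") == "BOOKMARK"),
    }

def make_sample_fetch(status="ACTIVE"):
    """Constructed responses for an offline run (not real tenant data)."""
    user = {"id": "00u_example", "status": status,
            "profile": {"login": "jdoe@example.com"}}
    groups = [{"profile": {"name": "Support Agents"}},
              {"profile": {"name": "Everyone"}}]
    apps = [{"label": "Zendesk", "signOnMode": "SAML_2_0"},
            {"label": "Legacy Billing Portal", "signOnMode": "BOOKMARK"}]
    def fetch(path):
        if path.startswith("/api/v1/apps"):
            return apps
        return groups if path.endswith("/groups") else user
    return fetch

if __name__ == "__main__":
    print(json.dumps(snapshot_access("00u_example", make_sample_fetch()), indent=2))
```

Against a real org, pass `okta_fetch(org_url, api_token)` instead of the sample fetcher and store or mail the returned dictionary before the deactivate step runs.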
