Review who controls your Okta and Entra IdP in 30 minutes without writing a single script

Summary: The identity provider is the highest-stakes surface in any enterprise identity environment — a compromised Okta Super Admin or Entra ID Global Administrator can rewrite policy, modify MFA, and grant access to anything. Oleria Trustfusion, an AI-native identity security platform, brings identity provider admin review into the standard governance program with Group Membership campaigns scoped to IdP groups — using the same three-signal evidence engine that powers every other Oleria review.

Why this is hard without Oleria

IdP access is the highest-stakes identity surface. A Global Admin in Entra can create accounts, change MFA, modify federation, grant themselves access to anything. An Okta Super Admin can rewrite policy. Native IdP review tooling exists but typically runs as a one-time export at quarter-end. By then, three months of admin grants, removes, and re-grants have happened.

Most environments treat IdP governance as a separate process from regular access reviews — a special spreadsheet, a special meeting, a special escalation path. The result: the highest-leverage population in identity gets the least standardized review treatment.

AT A GLANCE

Scope: IdP groups (Okta, Entra)
Mechanism: Group Membership campaign
Cadence: Configurable per group

Oleria AI

The same three-signal engine that powers every Oleria review applies to IdP reviews. Recommendations are conservative; the architect makes the call.

How it works

  1. Define IdP group scope — Per IdP (Okta or Entra), choose which groups to review. Pre-built definitions; customer-extensible.
  2. Configure cadence and slicing — Schedule per group; slice further by group type and utilization when the group population is large.
  3. Architect runs the review — Three-signal evidence for each user in the group; bulk-accept the matches, examine outliers, override per line.
  4. Decisions execute — Users removed across IdP groups; downstream access cleaned up; audit pack updated.

What good looks like

IdP group reviews on a regular cadence: Achieved

Inactive IdP group users surfaced: Continuously via dormancy signal

IdP user sprawl: Bounded

Audit findings on IdP group governance: Eliminated

Bring your IdP admins under the same governance rigor as everything else.

Entra ID Global Admins and Okta Super Admins are the most-leveraged identities in your environment — yet most organizations review them on spreadsheets, quarterly at best. Oleria makes IdP admin review a continuous, evidence-driven control. See how.

Frequently Asked Questions

What about Active Directory group reviews?

AD group reviews live on D-17 (Active Directory Group Membership campaigns). AD does not expose dormancy at the access-review layer, so AD group reviews use peer match + HR change plus AD-specific group context (description, owner) pulled at campaign setup. Oleria's access graph unifies AD and cloud IdP visibility; the review feature splits by directory type.

How is the review actually run?

Each user appears as a line with three-signal evidence for the specific group in review: dormant days (days since last login), peer match, and HR change. The reviewer assesses each line, bulk-accepts the matches, and examines the outliers, with an override available per line. Removals flow back to the IdP and to downstream apps.
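As an added illustration of the three-signal evidence line described above and in "How it works" (this is example code written for this page, not Oleria's implementation; the thresholds, field names, team headcounts and the sample admin group are all assumptions constructed here), the script below builds one evidence line per member of a privileged IdP group and splits the group into bulk-accept candidates and outliers the reviewer must look at. It is deliberately conservative: a line is only accept-able in bulk when peers hold the membership, the user is active, and there is no recent HR event; everything else is surfaced for a human decision, never auto-removed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds are assumptions for this example, not product settings.
DORMANT_AFTER_DAYS = 60       # no login for longer than this => dormant
HR_CHANGE_WINDOW_DAYS = 90    # HR event inside this window => flag
PEER_MATCH_MIN_SHARE = 0.5    # >= this share of the team holds the membership => peer match


@dataclass(frozen=True)
class Member:
    user: str
    team: str                   # peer group used for the peer-match signal
    last_login: Optional[date]  # None = never logged in
    hr_change: Optional[date]   # most recent HR event (transfer, leaver), if any


@dataclass(frozen=True)
class Evidence:
    user: str
    dormant_days: Optional[int]  # None when the user has never logged in
    peer_match: bool
    recent_hr_change: bool
    decision: str                # "accept" (bulk-accept candidate) or "examine"


def team_shares(members, workforce_by_team):
    """Share of each team's headcount that currently holds the group membership."""
    in_group = Counter(m.team for m in members)
    return {team: in_group[team] / workforce_by_team[team] for team in in_group}


def evaluate(members, workforce_by_team, today):
    """Build one evidence line per member from the three signals."""
    shares = team_shares(members, workforce_by_team)
    lines = []
    for m in members:
        dormant_days = (today - m.last_login).days if m.last_login else None
        dormant = dormant_days is None or dormant_days > DORMANT_AFTER_DAYS
        peer_match = shares[m.team] >= PEER_MATCH_MIN_SHARE
        recent_hr = m.hr_change is not None and (today - m.hr_change).days <= HR_CHANGE_WINDOW_DAYS
        # Conservative: only a clean line (peers hold it, active, no HR event) is
        # accept-able in bulk; anything else is surfaced for the reviewer.
        decision = "accept" if (peer_match and not dormant and not recent_hr) else "examine"
        lines.append(Evidence(m.user, dormant_days, peer_match, recent_hr, decision))
    return lines


def split_review(lines):
    """Separate bulk-accept candidates from outliers the reviewer must examine."""
    accepted = [line.user for line in lines if line.decision == "accept"]
    outliers = [line for line in lines if line.decision == "examine"]
    return accepted, outliers


# Constructed sample: a privileged IdP admin group and a made-up headcount per team.
AS_OF = date(2024, 6, 30)
SAMPLE_WORKFORCE = {"iam-eng": 4, "helpdesk": 20, "finance": 10}
SAMPLE_MEMBERS = [
    Member("alice", "iam-eng", AS_OF - timedelta(days=3), None),
    Member("bob", "iam-eng", AS_OF - timedelta(days=2), None),
    Member("carol", "iam-eng", AS_OF - timedelta(days=120), None),  # dormant
    Member("dan", "helpdesk", AS_OF - timedelta(days=5), None),     # no peer match
    Member("erin", "finance", None, AS_OF - timedelta(days=10)),    # never logged in, recent HR event
]


def run_sample():
    """Evaluate the constructed group and return (accepted users, outlier evidence lines)."""
    return split_review(evaluate(SAMPLE_MEMBERS, SAMPLE_WORKFORCE, AS_OF))


if __name__ == "__main__":
    accepted, outliers = run_sample()
    print("bulk-accept:", accepted)
    for o in outliers:
        print(f"examine {o.user}: dormant_days={o.dormant_days} "
              f"peer_match={o.peer_match} hr_change={o.recent_hr_change}")
```

Running it yields two bulk-accept candidates (alice and bob) and three outliers, each carrying the signal that tripped it: carol is dormant at 120 days, dan has no peer match because he is the only one of twenty helpdesk staff in the group, and erin has never logged in and has an HR event inside the window. The peer-match signal is computed against the whole team headcount rather than against the group alone, which is what stops a lone outsider in an admin group from looking "normal" just because the group is small.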

What IdP groups count for this review?

Configurable per IdP based on group type, utilization and total users.