Okta_User

Overview

User objects (AKA People) represent individuals who have access to the Okta organization. Each user has a unique identifier, username in the email address format, and various attributes such as email, first name, last name, and status. Users are represented as Okta_User nodes in BloodHound.

Edges

The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Edge Type	Source Node Types	Traversable
Okta_ApiTokenFor	Okta_ApiToken	✅
Okta_Contains	Okta_Organization	✅
Okta_DeviceOf	Okta_Device	❌
Okta_GroupAdmin	Okta_User, Okta_Group, Okta_Application	✅
Okta_HelpDeskAdmin	Okta_User, Okta_Group, Okta_Application	✅
Okta_IdentityProviderFor	Okta_IdentityProvider	✅
Okta_InboundSSO	AZUser	✅
Okta_ManagerOf	Okta_User	❌
Okta_OrgAdmin	Okta_User, Okta_Group, Okta_Application	✅
Okta_OutboundSSO	Okta_User	✅
Okta_PasswordSync	User, Okta_User	✅
Okta_ReadPasswordUpdates	Okta_Application	✅
Okta_RealmContains	Okta_Realm	✅
Okta_ResetFactors	Okta_User, Okta_Group, Okta_Application	✅
Okta_ResetPassword	Okta_User, Okta_Group, Okta_Application	✅
Okta_ResourceSetContains	Okta_ResourceSet	✅
Okta_ScopedTo	Okta_RoleAssignment	❌
Okta_UserPull	Okta_Application	❌
Okta_UserSync	User, Okta_User, SNOW_User	❌

Outbound Edges

Edge Type	Destination Node Types	Traversable
Okta_AddMember	Okta_Group	✅
Okta_AppAdmin	Okta_Application, Okta_ApiServiceIntegration	✅
Okta_AppAssignment	Okta_Application	❌
Okta_CreatorOf	Okta_ApiServiceIntegration	❌
Okta_GroupAdmin	Okta_User, Okta_Group	✅
Okta_GroupMembershipAdmin	Okta_Group	✅
Okta_HasRole	Okta_Role, Okta_CustomRole	❌
Okta_HasRoleAssignment	Okta_RoleAssignment	❌
Okta_HelpDeskAdmin	Okta_User	✅
Okta_ManageApp	Okta_Application	✅
Okta_ManagerOf	Okta_User	❌
Okta_MemberOf	Okta_Group	✅
Okta_MobileAdmin	Okta_Device	✅
Okta_OrgAdmin	Okta_User, Okta_Group, Okta_Device	✅
Okta_OutboundSSO	AZUser, GH_User, jamf_Account, SNOW_User, Okta_User	✅
Okta_PasswordSync	Okta_User, User	✅
Okta_ReadClientSecret	Okta_ClientSecret	✅
Okta_ResetFactors	Okta_User	✅
Okta_ResetPassword	Okta_User	✅
Okta_SuperAdmin	Okta_Organization	✅
Okta_SWA	GH_User, jamf_Account, OP_User, SNOW_User	❌
Okta_UserPush	Okta_Application	❌
Okta_UserSync	Okta_User, User, AZUser, OP_User, SNOW_User	❌

Properties

Name	Source	Type	Description
`id`	`user.id`	`string`	Unique user identifier.
`name`	`user.profile.login`	`string`	Okta username/login.
`displayName`	`user.profile.displayName`	`string`	User display name.
`oktaDomain`	Collector context (non-API)	`string`	Okta organization domain where the user exists.
`login`	`user.profile.login`	`string`	User login/UPN value.
`email`	`user.profile.email`	`string`	Primary email address.
`firstName`	`user.profile.firstName`	`string`	User first/given name.
`lastName`	`user.profile.lastName`	`string`	User last/family name.
`title`	`user.profile.title`	`string`	Job title from user profile when present.
`department`	`user.profile.department`	`string`	Department value from user profile when present.
`city`	`user.profile.city`	`string`	City/location value from user profile when present.
`state`	`user.profile.state`	`string`	State/region value from user profile when present.
`countryCode`	`user.profile.countryCode`	`string`	ISO-like country code from user profile when present.
`status`	`user.status`	`string`	User lifecycle status.
`enabled`	`IsEnabled(user.status)`	`bool`	Boolean status projection used by BloodHound.
`hasRoleAssignments`	Calculated	`bool`	Indicates whether the user is assigned any administrative roles.
`credentialProviderName`	`user.credentials.provider.name`	`string`	Authentication provider name for this user.
`credentialProviderType`	`user.credentials.provider.type`	`string`	Authentication provider type for this user.
`managerId`	`user.profile.managerId`	`string`	Manager identifier from user profile synchronization.
`activated`	`user.activated`	`datetime`	Timestamp when the user account was activated.
`created`	`user.created`	`datetime`	User creation timestamp.
`passwordChanged`	`user.passwordChanged`	`datetime`	Timestamp when the password was last changed.
`lastLogin`	`user.lastLogin`	`datetime`	Timestamp of the most recent successful login.
`lastUpdated`	`user.lastUpdated`	`datetime`	Last profile/update timestamp.

Sample Property Values

id: 00uw2sodn4ZPJJQyx697
name: john.doe@contoso.com
displayName: John Doe
oktaDomain: contoso.okta.com
login: john.doe@contoso.com
email: john.doe@contoso.com
firstName: John
lastName: Doe
title: Senior Identity Engineer
department: Security Engineering
city: Seattle
state: WA
countryCode: US
status: ACTIVE
enabled: true
hasRoleAssignments: false
credentialProviderName: OKTA
credentialProviderType: OKTA
managerId: joe.smith@contoso.com
created: 2025-10-03T18:45:57+00:00
activated: 2025-10-03T19:02:11+00:00
passwordChanged: 2026-01-12T14:27:03+00:00
lastLogin: 2026-02-20T09:41:55+00:00
lastUpdated: 2025-10-29T11:09:47+00:00

User Status

User status can have multiple values, as illustrated below: Okta user status

To simplify analysis in BloodHound, the collector maps the Status attribute to the virtual boolean Enabled attribute as follows:

Okta User Status	Enabled	Explanation
ACTIVE	✅	User can authenticate.
PASSWORD_EXPIRED	✅	User’s password has expired but can still authenticate.
LOCKED_OUT	✅	User is locked out but can still authenticate after unlocking.
PROVISIONED	✅	User is provisioned but cannot authenticate yet.
RECOVERY	✅	User is in recovery mode and cannot authenticate.
SUSPENDED	❌	User is suspended and cannot authenticate.
STAGED	❌	User is staged and cannot authenticate yet.
DEPROVISIONED	❌	User is deprovisioned and cannot authenticate.

This mapping is a simplification and may not cover all edge cases. Always refer to the actual Status attribute for precise user state information.

Authentication Factors

Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the Device entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the authenticationFactors attribute of the Okta_User nodes.

Synchronization with External Directories

Users can be synchronized from external directories such as Active Directory (AD) or LDAP. When synchronized, certain attributes may be mapped from the external directory to the Okta user profile.

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Overview

Edges

Inbound Edges

Outbound Edges

Properties

Sample Property Values

User Status

Authentication Factors

Synchronization with External Directories

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Documentation Index

​Overview

​Edges

​Inbound Edges

​Outbound Edges

​Properties

​Sample Property Values

​User Status

​Authentication Factors

​Synchronization with External Directories

Overview

Edges

Inbound Edges

Outbound Edges

Properties

Sample Property Values

User Status

Authentication Factors

Synchronization with External Directories