Professional Services · National HR & Benefits Consultancy
Identity becomes the front door
A national consultancy's Okta deployment was generating friction instead of security — MFA optional where it should be enforced, adaptive policies misfiring, and a legacy authentication agent past end-of-support. Across four engagements we assessed, remediated, migrated, and then operated their identity program.
5 high, 8 medium, 9 low — from a two-week implementation assessment
Agentless SSO via Kerberos across every forest
Assess → remediate → migrate → operate
The challenge
Where things stood
Okta was deployed but not delivering. Users hit authentication problems across applications, multi-factor verification was optional in places where it should have been mandatory, and adaptive-MFA behavior detection was tuned so tightly that it issued constant false challenges.
Underneath sat structural debt: an eight-character password policy with forced rotation, years behind current guidance; Integrated Windows Authentication still in service after Okta had stopped investing in it; and Active Directory rather than Okta acting as the identity source of truth.
What we did
The engagement
Implementation assessment
A two-week technical evaluation of the Okta environment, its Microsoft 365 integration, and the application integrations, including interviews with the security and networking teams. Output: 22 prioritized findings (5 high, 8 medium, 9 low), from unenforced MFA and a weak password policy to missing Tor network blocks and the behavior-detection thresholds (geolocation, IP sensitivity) behind the adaptive-MFA pain.
Policy modernization
Password standards moved from 8 characters with forced rotation to the current guidance of 14 characters without rotation, backed by enforced MFA; simple-PIN and common-password protections were enabled. Because mobile devices were becoming authentication factors, which widens the attack surface, device trust and MDM integration were recommended so that the added surface stays managed.
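As an added illustration of the policy change above (example code written for this page, not the consultancy's or Okta's own), the PowerShell below puts a legacy password policy beside the modernized one using the field names of the Okta Policy API's `settings.password` object, audits each for the gaps the assessment describes, and shows how the corrected block is written back to an existing policy. The numeric values, the org hostname, API token and policy ID are all placeholders; the client's actual policy beyond the 8-to-14-character, rotation-to-no-rotation change was not published.

```powershell
# Added example, not the consultancy's or Okta's own code. Both objects use the Okta
# Policy API password settings field names (settings.password.*); the values are
# constructed to match the 8-char-with-rotation vs 14-char-no-rotation change above.

# Before (constructed): 8 chars, 90-day rotation, common-password check off, no lockout
$legacyPassword = @{
    complexity = @{
        minLength = 8; minLowerCase = 1; minUpperCase = 1; minNumber = 1; minSymbol = 0
        excludeUsername = $false
        dictionary      = @{ common = @{ exclude = $false } }
    }
    age     = @{ maxAgeDays = 90; historyCount = 4; minAgeMinutes = 0 }
    lockout = @{ maxAttempts = 0; autoUnlockMinutes = 0 }   # maxAttempts 0 = never lock out
}

# After (constructed): 14 chars, no forced rotation, reuse blocked, common passwords rejected
$modernPassword = @{
    complexity = @{
        minLength = 14; minLowerCase = 0; minUpperCase = 0; minNumber = 0; minSymbol = 0
        excludeUsername = $true
        dictionary      = @{ common = @{ exclude = $true } }
    }
    age     = @{ maxAgeDays = 0; historyCount = 10; minAgeMinutes = 60 }
    lockout = @{ maxAttempts = 10; autoUnlockMinutes = 30 }
}

# Audit one settings.password object and return the gaps found.
function Test-OktaPasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Password)
    $c = $Password.complexity; $a = $Password.age; $l = $Password.lockout
    $findings = @()
    if ($c.minLength -lt 14)               { $findings += "minLength $($c.minLength) is below 14" }
    if ($a.maxAgeDays -gt 0)               { $findings += "forced rotation every $($a.maxAgeDays) days; set maxAgeDays = 0" }
    if (-not $c.dictionary.common.exclude) { $findings += "common-password dictionary check is off" }
    if (-not $c.excludeUsername)           { $findings += "password may contain the username" }
    if ($a.historyCount -lt 5)             { $findings += "historyCount $($a.historyCount) allows quick reuse" }
    if ($l.maxAttempts -eq 0)              { $findings += "account lockout disabled (maxAttempts = 0)" }
    return ,$findings
}

# Replace settings.password on an existing policy: read it, swap the block, write it back.
# Not invoked here; needs the org hostname and an API token allowed to manage policies.
function Set-OktaPasswordPolicy {
    param([string]$OktaHost, [string]$ApiToken, [string]$PolicyId, [hashtable]$Password)
    $headers = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json'; 'Content-Type' = 'application/json' }
    $uri     = "https://$OktaHost/api/v1/policies/$PolicyId"
    $policy  = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $policy.settings.password = $Password
    $policy.PSObject.Properties.Remove('_links')        # read-only link block, not accepted on write
    Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -Body ($policy | ConvertTo-Json -Depth 8)
}

'Legacy policy findings:'
Test-OktaPasswordPolicy -Password $legacyPassword | ForEach-Object { "  - $_" }
'Modern policy findings: ' + (Test-OktaPasswordPolicy -Password $modernPassword).Count
```

Run as-is, the script is offline: it prints the six gaps in the legacy object and a count of zero for the modern one. The audit thresholds (14 characters, history of at least 5, lockout enabled) are this page's choices for the check, not values the Okta API enforces; the simple-PIN protection mentioned above lives in the authenticator settings rather than the password policy and is not modeled here.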
Retiring legacy authentication
Migration from Integrated Windows Authentication to Okta agentless Desktop SSO: a Kerberos service principal name registered in each forest, delegated authentication reconfigured, DNS validated, and browsers prepared via Group Policy across the Windows estate, removing an end-of-support dependency without disrupting sign-in.
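The migration steps above map to a short pre-flight that can be run on any domain-joined workstation before the IWA path is switched off. The PowerShell below is an added example written for this page, not the consultancy's or Okta's own tooling: it checks that the Kerberos endpoint resolves in DNS, that the SPN is held by exactly one service account in each forest, that the workstation can actually obtain a service ticket for it, and that the browser Group Policy (Chrome/Edge `AuthServerAllowlist` and the IE/Edge site-to-zone list) has landed. The Okta org subdomain `example`, the service account `OktaDSSO` and the per-forest domain controllers are placeholders; the Okta-side Delegated Authentication settings are configured in the Admin Console and are not covered by the script.

```powershell
# Added example, not the consultancy's or Okta's own code: pre-flight checks for Okta
# agentless Desktop SSO on a domain-joined Windows workstation. Requires the RSAT
# ActiveDirectory module and must run as the domain user whose sign-in is being tested.
# Placeholders: the org subdomain, the service account name, and one DC per forest.

$OktaOrg        = 'example'                                          # placeholder org subdomain
$KerberosHost   = "$OktaOrg.kerberos.okta.com"                       # Okta's DSSO endpoint name
$Spn            = "HTTP/$KerberosHost"                               # SPN used for agentless DSSO
$ServiceAccount = 'OktaDSSO'                                         # placeholder sAMAccountName
$ForestDCs      = @('dc1.corp.example.com', 'dc1.emea.example.com')  # placeholder, one DC per forest

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-OktaDssoPrereqs {
    param([string]$KerberosHost, [string]$Spn, [string]$ServiceAccount, [string[]]$ForestDCs)
    $results = @()

    # 1. DNS: if the kerberos endpoint does not resolve, the browser never presents a ticket.
    try   { $ips = (Resolve-DnsName -Name $KerberosHost -Type A -ErrorAction Stop).IPAddress -join ','
            $results += New-Check 'DNS resolves' $true $ips }
    catch { $results += New-Check 'DNS resolves' $false $_.Exception.Message }

    # 2. SPN: exactly one account in each forest must carry it; a duplicate SPN breaks Kerberos.
    foreach ($dc in $ForestDCs) {
        try {
            $holders = @(Get-ADUser -Server $dc -Filter "servicePrincipalName -eq '$Spn'" `
                                    -Properties servicePrincipalName, PasswordNeverExpires)
            $ok = ($holders.Count -eq 1) -and ($holders[0].SamAccountName -eq $ServiceAccount)
            $results += New-Check "SPN held by $ServiceAccount only ($dc)" $ok ($holders.SamAccountName -join ',')
            if ($holders.Count -eq 1) {
                $results += New-Check "Service account password never expires ($dc)" $holders[0].PasswordNeverExpires $holders[0].SamAccountName
            }
        }
        catch { $results += New-Check "SPN held by $ServiceAccount only ($dc)" $false $_.Exception.Message }
    }

    # 3. Ticket: ask the KDC of the caller's own realm for a service ticket to the SPN.
    $klist     = & klist.exe get $Spn 2>&1
    $gotTicket = ($LASTEXITCODE -eq 0) -and ($klist -match [regex]::Escape($Spn))
    $results  += New-Check 'Service ticket obtained' $gotTicket ($klist | Select-Object -Last 1)

    # 4. Browser policy pushed by GPO: Chrome/Edge AuthServerAllowlist must match the host,
    #    and the IE/Edge site-to-zone list must place it in Local Intranet (zone 1).
    foreach ($p in @(
        @{ Name = 'Chrome AuthServerAllowlist'; Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
        @{ Name = 'Edge AuthServerAllowlist';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' })) {
        $v = (Get-ItemProperty -Path $p.Path -Name AuthServerAllowlist -ErrorAction SilentlyContinue).AuthServerAllowlist
        $matched = $v -and @($v -split ',' | Where-Object { $KerberosHost -like $_.Trim() }).Count -gt 0
        $results += New-Check $p.Name $matched $v
    }
    $zoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zone    = (Get-ItemProperty -Path $zoneKey -Name "https://$KerberosHost" -ErrorAction SilentlyContinue)."https://$KerberosHost"
    $results += New-Check 'Local Intranet zone (site-to-zone list)' ($zone -eq '1') $zone

    return $results
}

$report = Test-OktaDssoPrereqs -KerberosHost $KerberosHost -Spn $Spn -ServiceAccount $ServiceAccount -ForestDCs $ForestDCs
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 }    # non-zero exit when any check fails
```

A failing "SPN held by ... only" row is the one to chase first: an SPN registered on two accounts in the same forest makes the KDC refuse to issue a ticket, and the symptom in the field is a browser falling back to the Okta login page with no obvious error. The ticket check must run in the user's own logon session, so run it from a normal (non-elevated, non-runas) PowerShell window.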
Email posture, then an operating cadence
An O365 and on-prem Exchange posture assessment hardened the other front door, email, with business-email-compromise resistance across both environments. A weekly embedded Okta engineer then carried the program forward: Okta-driven self-service password reset, user event reporting, O365 domain consolidation, and platform upgrades on schedule.
The outcome
Where things landed
- MFA moved from optional to enforced across the application estate, with adaptive policies retuned so security stopped costing daily friction.
- The unsupported IWA path was fully retired — modern agentless SSO across every forest.
- Self-service password reset returned helpdesk hours to the business, and identity gained a standing operational owner instead of episodic attention.
Client identity withheld by design — the same confidentiality we extend to every engagement. Scope, figures, and outcomes are drawn directly from the delivered statements of work.
Want an outcome like this one?
Every engagement starts with a 45-minute scoping call. Straight questions, no pitch deck.