User mastery – MSP best practices

User mastery is the strategy you use to designate a system as the single source of truth for user identity data — the authoritative system where users are created, modified, and deactivated.

With Okta, the mastery strategy you choose significantly impacts your team's efficiency and your customers' user experiences. The key questions to consider are:

  • Which available system or identity directory will perform best as the single source of truth?

  • Where will it be easiest and most secure to create, update, and deactivate users?

  • If there is a mismatch in user identity data, which system should be the authority?

In most cases, the answer to all three questions is Okta.

Mastery options

  • Okta-mastered — Users are created in Okta and pushed to other directories. This is ZeroTek's recommended approach for most deployments.

  • On-premises AD-mastered — Users are created in on-premises Active Directory and imported into Okta.

  • HR-mastered — Users are created in an HR system such as Workday, UltiPro, or BambooHR and imported into Okta. A good option when a customer has a compatible SaaS HR product.

  • M365-mastered — Not recommended. M365 mastery requires many ongoing manual processes and is less robust than Okta at handling provisioning. Note that integrating M365 with Okta in an Okta-mastered deployment produces an excellent user experience with secure SSO access to M365 apps. See the Okta-M365 integration guide.

Why ZeroTek recommends Okta mastery

The biggest payoff for MSPs comes when you make ZeroTek your single pane of glass for all your customers and Okta the single source of truth for customer user identities.

With an Okta-mastered deployment:

  • Almost all user management tasks — creating, modifying, and deactivating users — can be performed directly from ZeroTek. See managing users.

  • You can use ZeroTek to control which team members can perform user management tasks for each customer org. See role-based access and customers.

  • Identities and access for M365, AD, and all apps integrated with Okta sync directly from Okta.

  • User management is centralized in a browser-based tool rather than requiring connections to on-premises AD infrastructure.

  • Okta's system log provides superior auditing — visible and searchable in ZeroTek's Log Viewer — showing who did what, from what device, and from what location.

  • Administration goes through Okta, which enforces MFA, rather than through RDP sessions to a domain controller or member server, strengthening security.

  • Users can perform self-service password resets from a browser for all their accounts where Password Sync is enabled.

  • Okta's Lifecycle Management (LCM) enables automated provisioning, modification, and deprovisioning for M365 and 800+ apps with pre-built Okta connectors.

  • Okta mastery lays the groundwork to reduce dependence on on-premises AD and facilitates a transition away from it where feasible.

On-prem AD-mastered deployment

An AD-mastered deployment lets you use existing experience, permissions, and workflows for user creation, modification, and deactivation. However, AD identities and access must go through Okta to reach apps — and if M365 is not enabled and in use, they must also go through Entra Connect to reach M365. This flow is more prone to errors and offers less reliable synchronization than an Okta-mastered deployment.

If you need to switch an existing AD-mastered integration to Okta-mastered, see Switch an AD-mastered Okta integration to Okta-mastered.

HR-mastered deployment

For customers who have a SaaS HR product that can be integrated with Okta, we recommend using HR mastery.

Advantages:

  • Easy role assignment — most HR apps categorize users by department or division, which can be pulled into Okta to drive automatic provisioning

  • Easy onboarding and offboarding — HR teams are always the first to know when a user joins or leaves, and can trigger automatic access assignment or revocation

Disadvantages:

  • Dependence on HR system accuracy and uptime

  • HR systems may not manage external users such as contractors, freelancers, and vendors — requiring additional workflows

  • Incorrect HR data can lead to incorrect permissions