OktaToEntra - Manage your Okta to EntraID Migration
Under Development - This tool is still under development and improvement. You can monitor status and progress at https://github.com/andrewhiz/OktaToEntra
📢 Update (as of March 25, 2026): PowerShell module development is currently on hold while a web application is being developed. The PowerShell module remains fully functional with its current feature set.
TL;DR: Migrating applications from Okta to Microsoft Entra ID is a complex, multi-step process. I built OktaToEntra, a PowerShell module that can be your companion tool for discovery, planning, and tracking so you can focus on the actual SSO configuration work.
The Problem
Organizations consolidating on Microsoft Entra ID from Okta face a daunting question: which apps do we have, who uses them, and what order do we migrate them in?
Doing this manually means:
- Exporting app lists from Okta and cross-referencing spreadsheets
- Guessing which apps are active vs. dormant
- Re-creating assignments by hand in Entra
- Losing track of where each app is in the migration lifecycle
The process is error-prone, time-consuming, and hard to hand off to other team members.
The Solution: OktaToEntra
OktaToEntra is a PowerShell module that handles the discovery, assessment, and lifecycle tracking phases of the migration, giving you a structured, repeatable process.
What it does
| Capability | Details |
|---|---|
| App Discovery | Catalogs all Okta apps (SAML, OIDC, SWA, Bookmark) |
| Usage Analytics | Pulls 90-day sign-in history to identify active vs. dormant apps |
| Entra Provisioning | Creates App Registrations and Enterprise Apps via Microsoft Graph |
| Assignment Replication | Mirrors user and group assignments from Okta to Entra |
| Lifecycle Tracking | Tracks each app through six migration stages |
| Reporting | Exports CSV, HTML dashboards, and JSON config packs |
Note: The tool does not configure SAML/OIDC settings automatically; that remains manual work. It does, however, generate JSON configuration templates to make that step easier.
Requirements
- PowerShell 7.2+ (Windows PowerShell is not supported)
- Okta API token with okta.apps.read, okta.groups.read, okta.users.read scopes
- Entra App Registration with the following Microsoft Graph application permissions (admin consent required):
  - Application.ReadWrite.All
  - AppRoleAssignment.ReadWrite.All
  - Group.Read.All
  - Organization.Read.All
Getting Started
1. Install
Clone the repo and run the setup script. It handles all dependencies (PSSQLite, SecretManagement, SecretStore) and places the module in your PowerShell Modules directory.
git clone https://github.com/andrewhiz/OktaToEntra.git
cd OktaToEntra
.\Install-OktaToEntra.ps1
2. Import and Launch
Import-Module OktaToEntra
Start-OktaToEntra # launches the interactive menu
3. Create a Project
New-OktaToEntraProject -Name "Migration2026" `
-OktaDomain "yourorg.okta.com" `
-OktaApiToken (Read-Host -AsSecureString) `
-EntraTenantId "your-tenant-id" `
-EntraClientId "your-client-id" `
-EntraClientSecret (Read-Host -AsSecureString)
Credentials are stored in the SecretStore vault, never in plaintext on disk.
The Migration Workflow
Discovery
# Pull all apps from Okta
Sync-OktaApps
# Capture 90-day sign-in activity
Get-OktaAppUsage -All
# Review what was found
Get-MigrationStatus
Planning
# Set priority, assign owners, and advance status
Update-MigrationItem -AppId "..." -Priority High -Owner "[email protected]"
Applications move through six stages:
DISCOVERED → READY → STUB_CREATED → IN_PROGRESS → VALIDATED → COMPLETE
Provisioning in Entra
# Create App Registrations
New-EntraAppStub -All
# Provision Enterprise Apps (Service Principals)
New-EntraServicePrincipal -All
# Replicate user and group assignments
Add-EntraAppAssignment -All
Reporting
# Generate an HTML dashboard
Export-MigrationReport -OpenHtml
# Export JSON config packs for SSO configuration
Export-AppConfigPack
Under the Hood
- Data storage: SQLite database at %APPDATA%\OktaToEntra\<project-guid>\project.db
- Credential storage: Windows-native encrypted SecretStore vault
- Data model: Projects > OktaApps > MigrationItems, with AppUsageStats, GroupMappings, and AuditLog tables
One thing worth knowing: group name matching is case-sensitive. If group names differ between Okta and Entra, use Set-AppGroupMapping to define explicit mappings before running assignments.
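A pre-flight check for the case-sensitivity issue above, as an added example that is not part of the OktaToEntra module: it compares group display names from both sides and reports which Okta groups have no exact-case counterpart in Entra. Compare-GroupName is a hypothetical helper and the group names are constructed sample data; it assumes you have already exported the display names from both directories.

```powershell
# Added example, not part of the OktaToEntra module.
# Compare-GroupName is a hypothetical helper; the name lists are constructed.
function Compare-GroupName {
    param(
        [Parameter(Mandatory)][string[]]$OktaGroup,
        [Parameter(Mandatory)][string[]]$EntraGroup
    )

    # @{} compares keys case-insensitively, so every Entra name that differs
    # only by case lands under the same key.
    $entraByName = @{}
    foreach ($name in $EntraGroup) {
        if (-not $entraByName.ContainsKey($name)) { $entraByName[$name] = @() }
        $entraByName[$name] += $name
    }

    foreach ($name in $OktaGroup) {
        $candidates = @(if ($entraByName.ContainsKey($name)) { $entraByName[$name] })

        # -ccontains is the case-sensitive form of -contains.
        $result = if ($candidates.Count -eq 0) {
            'Missing'
        } elseif ($candidates -ccontains $name) {
            'Exact'
        } else {
            'CaseMismatch'
        }

        [pscustomobject]@{
            OktaGroup       = $name
            Result          = $result
            EntraCandidates = $candidates -join '; '
        }
    }
}

# Constructed sample data standing in for exported group display names.
$okta  = 'Finance-Admins', 'HR Team', 'Contractors', 'VPN-Users'
$entra = 'finance-admins', 'HR Team', 'vpn-users', 'VPN-USERS', 'Sales'

# Anything not 'Exact' needs a decision before assignments are replicated.
Compare-GroupName -OktaGroup $okta -EntraGroup $entra |
    Where-Object Result -ne 'Exact' |
    Format-Table -AutoSize
```

A CaseMismatch row with more than one candidate is ambiguous and should be resolved by hand, since mapping to the wrong group grants access to the wrong people.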
A Note on Safety
The tool is read-only against Okta (discovery only) and writes to Entra only when you explicitly run provisioning commands. Still, review what each command will do before running anything in production.
Source Code
The full source is available on GitHub: https://github.com/andrewhiz/OktaToEntra
Issues, PRs, and feedback are welcome.