Key Takeaways
- MSPs can confidently deploy Okta for SMBs using ZeroTek’s field-tested 8-step implementation process.
- ZeroTek enables rapid Okta org creation, offers MSP-friendly licensing, and simplifies user onboarding.
- Early configuration of network zones, authenticators, and admin policies is essential to establishing a strong security foundation.
- Using a combination of Okta Verify and FIDO2 WebAuthn ensures robust, phishing-resistant MFA without user friction.
- ZeroTek’s best practices help MSPs operationalize Okta IAM as a scalable, secure monthly service offering.
Cyberattacks are hitting SMBs harder than ever—and identity is the new frontline.
Small and medium-sized businesses have become prime targets: valuable enough to attract attackers but often lacking the robust security resources of larger enterprises. That’s where MSPs come in. To truly protect SMB clients from evolving threats, MSPs need to lead with modern identity and access management (IAM). With ZeroTek, MSPs can deliver Okta for SMBs—offering enterprise-grade IAM that’s easy to deploy, simple to manage, and built to scale.
There are just eight steps to fully implementing Okta’s industry-leading IAM technology:
1. Conduct environment discovery.
2. Create a customer Okta org—in seconds.
3. Configure security foundations.
4. Secure privileged accounts.
5. Create and configure groups.
6. Import users.
7. Go live with Okta-secured identity and email.
8. Configure additional SSO app integrations.
In this post, we’ll walk through the first three steps to show how MSPs can confidently operationalize Okta for SMBs as a managed monthly service. With a streamlined approach powered by ZeroTek, MSPs can deliver robust, top-tier IAM faster—simultaneously creating new revenue opportunities and helping clients strengthen their security posture. Here’s how.
Step 1: Conduct environment discovery
Start with a discovery process for a successful Okta rollout. To ensure you address your customer’s needs and priorities, gather or confirm the following:
- Identity Source: Ask your client what system currently manages their digital user identities. Do they use Microsoft 365? Google Workspace? On-prem AD? This lets you know which directory integrations you need to focus on.
- On-Prem Systems and Access Methods: Find out if there are systems your customer wants to retain, migrate to the cloud, or replace. For example, are they using any Entra-joined machines or VPNs?
- App Inventory: What applications does your client currently use, and who needs access to each of them?
- Role-Based Access: Learn about the different user groups across your client’s organization. What are the correct app and access assignments for each?
- User Locations and Log-in Patterns: The increase of remote and global work means you never know where someone may be logging in from. Ask your clients about the geographic regions, remote access, and travel requirements of their team members.
Step 2: Create a customer Okta org
This next step takes only a few seconds. Spin up a customer Okta org in a few clicks from ZeroTek. No sales bottlenecks. No contracts to sign.
When you’re ready to add users, ZeroTek provides perpetual Okta licenses automatically when you add users and removes them when you delete users. No further action is required to purchase or return Okta user licenses. That means you never have to:
❌ Manually buy or return licenses.
❌ Manage license pools.
❌ Navigate renewal processes.
Step 3: Configure security foundations
Based on your findings from Step 1, configure network zones, authenticators, and policies for your client.
Network zones
Control access by location and block high-risk traffic. Start by creating a zone to define the country of operations (where your customer operates) and another for the region of operations (the state or province they work from). If they have a physical office with a static IP, create a zone for that network.
Then create your block zones to categorically prevent all access from Tor anonymizer proxies and high-risk countries or regions.
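As an added illustration (not ZeroTek's or Okta's own code), the block below builds the allow and block zones described above in the JSON shape of Okta's Network Zones API (POST /api/v1/zones) and checks a few constructed sign-in attempts against them offline. The matcher is a deliberately simplified stand-in for Okta's own evaluation, and the country codes, region and CIDR are constructed sample values.

```python
"""Added example: Step 3 network zones as Okta zone payloads plus an offline check."""
import ipaddress


def make_zones(country, region, office_cidr, blocked_countries):
    # Payload shapes follow the Okta Network Zones API as understood by the
    # author of this example; all values passed in are constructed samples.
    return [
        {"type": "DYNAMIC", "name": "Country of operations", "usage": "POLICY",
         "locations": [{"country": country}]},
        {"type": "DYNAMIC", "name": "Region of operations", "usage": "POLICY",
         "locations": [{"country": country, "region": region}]},
        {"type": "IP", "name": "Head office", "usage": "POLICY",
         "gateways": [{"type": "CIDR", "value": office_cidr}]},
        {"type": "DYNAMIC", "name": "Block Tor", "usage": "BLOCKLIST",
         "proxyType": "TorAnonymizer", "locations": []},
        {"type": "DYNAMIC", "name": "Block high-risk countries", "usage": "BLOCKLIST",
         "locations": [{"country": c} for c in blocked_countries]},
    ]


def _matches(zone, signin):
    # Simplified local matcher: CIDR for IP zones, Tor flag for proxy zones,
    # country (and optional region) for location-based dynamic zones.
    if zone["type"] == "IP":
        ip = ipaddress.ip_address(signin["ip"])
        return any(ip in ipaddress.ip_network(g["value"]) for g in zone["gateways"])
    if zone.get("proxyType") == "TorAnonymizer" and signin.get("tor"):
        return True
    for loc in zone.get("locations", []):
        if loc["country"] != signin["country"]:
            continue
        if "region" not in loc or loc["region"] == signin.get("region"):
            return True
    return False


def evaluate(zones, signin):
    """Return which zones a sign-in falls into and whether a block zone caught it.
    A blocklist match wins outright; policy-zone matches are what later
    authentication policy rules would key on."""
    hits = [z for z in zones if _matches(z, signin)]
    blocked = any(z["usage"] == "BLOCKLIST" for z in hits)
    return {"blocked": blocked, "zones": [z["name"] for z in hits]}


if __name__ == "__main__":
    zones = make_zones("CA", "CA-ON", "203.0.113.0/24", ["KP", "IR"])
    print(evaluate(zones, {"ip": "203.0.113.7", "country": "CA", "region": "CA-ON"}))
    print(evaluate(zones, {"ip": "198.51.100.9", "country": "CA", "region": "CA-ON", "tor": True}))
```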
Authenticators
The strongest authenticators are biometric (like fingerprints or facial recognition) or possession-based (using something proven to belong to the user, like a phone).
Some types of authenticators have more than one factor (method of authentication) available. For example, the Okta Verify authenticator has three different factors you can configure:
- Time-based one-time password (TOTP)
- Push notifications
- Okta FastPass (which is an advanced and highly secure passwordless option)
ZeroTek recommends MSPs use Okta Verify as the primary authenticator and FIDO2 WebAuthn as the secondary authenticator for most users, since both are highly phishing-resistant. Okta Verify is bound to a user’s device, and so is possession-based, while FIDO2 WebAuthn leverages biometrics—the facial and fingerprint recognition capabilities on a user’s device. Together they represent a strong MFA defense and deliver an easy, passwordless access experience for the user.
To secure non-user service accounts with Okta MFA, ZeroTek provides specialized instructions for using Google Authenticator TOTP—an authenticator we recommend only for specific use cases. We provide comprehensive details in our best practices guidance, available to all our MSP Partners.
As for good old-fashioned passwords, we generally recommend you reserve their use for authenticating legacy systems that require them, such as:
- RADIUS
- Domain-joined machines
Again, we provide more information about password—and passwordless—best practices for MSPs in our detailed guidance available to ZeroTek Partners.
Okta Security Settings
Okta’s powerful security settings provide organization-level protection against password-based attacks, user enumeration, and more. However, it’s often unclear (to even technically competent users) which settings are appropriate, and determining how various settings will interact with the Okta security policies configured later can be a challenge.
Fortunately, ZeroTek’s best practices for configuring Okta outline our specific recommendations and rationale for each setting, including contextual considerations and guidance.
MSPs should pay special attention to how they configure Okta ThreatInsight, a powerful tool which:
- Aggregates data across the Okta customer base.
- Uses detected threat levels to limit or block authentication requests from suspicious IP addresses.
- Reduces risks associated with malicious activity without blocking legitimate users’ access.
ZeroTek recommends that MSPs configure Okta ThreatInsight to log and enforce security based on threat level.
Default Policies
Two default authentication policies in Okta provide a basic level of security: one for the Okta Admin Console, and the other for all Okta users. ZeroTek recommends MSPs strengthen the security posture of each Okta org they manage by modifying these two policies according to our field-tested best practices.
Are you ready?
Ready to turn IAM into a competitive advantage, attract new customers, and bring your security services to the next level?
