Boston Tech Advisors case study

Executive summary

Boston Tech Advisors (BTA), under the leadership of veteran IT executive Benjamin Katz, provides fractional CIO leadership together with hands-on technical execution. The firm is dedicated to simplifying, automating, and securing mid-market IT environments, enabling internal teams to operate them with confidence and efficiency.

Identity security is essential, and BTA needs it to be reliable, fast, and scalable. ZeroTek turned Okta’s industry-leading identity and access management (IAM) platform into a repeatable operating model that delivers strong baseline configurations, highly automated management, and hardened identity security for every client. The result: efficient rollouts, fewer tickets, and very satisfied customers.

A representative client (Boston area, ~500 users) before BTA got to work:

• Windows fleet: 150+ laptops bound to on-prem AD; 30+ unmanaged Macs
• Legacy core: On-prem Exchange and Active Directory
• Identity: Okta Classic Engine (licensed directly) used only for SSO, not yet updated to Okta Identity Engine (OIE), no MFA
• Provisioning: Manual, error-prone account setup and management across ~60 SaaS apps

Resulting issues, identified by Katz:

• Slow onboarding
• Inconsistent access
• License sprawl
• Weak offboarding hygiene
• Broad attack surface tied to legacy on-prem AD/Exchange

How Boston Tech Advisors modernized and simplified IT with ZeroTek | Okta

Working with ZeroTek’s Okta Certified Consultants and leveraging ZeroTek best practices for Okta wherever possible, here’s how BTA addressed the client’s IT problems.

1 – Optimized the Okta configuration and consolidated directories

• Upgraded the client’s Okta Classic to OIE, then secured Okta with policies that leverage passwordless MFA, geofencing, and threat detection.
• Consolidated on-prem AD under Okta to weed out orphaned and duplicate accounts, reduce Microsoft licensing costs, and simplify management.
• Integrated M365 with Okta to deliver easy, secure SSO access to the apps people use every day.
• Standardized Okta group-based access to SaaS apps and automated provisioning through SCIM wherever supported.
• Established birthright apps for all employees, then layered access for departments and teams via Okta groups.

2 – Automated device provisioning and patching

• Established a new system so that new hires log into a new device with their Okta password; the device builds itself and the apps they need arrive automatically.
  • Windows: Microsoft Intune + Autopilot for zero touch builds; Action1 for patching.
  • Mac: Kandji for zero-touch builds and patching.

3 – Closed the lifecycle loop

• Established routine HR sync: The team uses an HR CSV file daily to update Okta, which then pushes job title and manager attributes into M365. “It might sound trivial, but with hundreds of employees, it truly makes a difference that changes to job title or manager are reflected quickly and accurately in M365,” says Katz.
• Configured contractor close-out: Daily Okta inactivity emails; if they do not authenticate with Okta before the deadline, they are automatically deactivated and all access cut off.
• Created an Okta-Slack integration to notify of rogue, unintegrated apps: Slack notifies all client Admins for all user creation/deactivation events to prompt app owners until all systems sit behind Okta.
• Integrated SentinelOne: Suspicious activity can trigger rapid account deactivation in Okta.

4 – Shrunk attack surface by reducing AD reliance

• Reduced AD reliance to only a handful of AD-dependent legacy systems.
• Gated access for a small group of users, strongly secured with AD-specific Okta policies.
• Created plan for decommissioning AD and eliminating server costs once required legacy systems sunset.

5 – Initiated second phase

• Leveling-up passwordless authentication with full implementation of Okta FastPass.
• Tightening up device trust on sensitive apps using certificates/Intune signals and FastPass posture checks.
• Automating HR CSV updates to sync employee attributes, additions and terminations nightly to keep both Okta and M365 current.

“With Okta, everything is easier and better instantly, as soon as you roll it out—for the techs, for the end users,” observes Katz. “Nobody ever wants to go back to how things were.”

Katz says the key to a successful transformation is securing commitment and buy-in from both management and the IT team. With this client, the existing IT staff were eager to participate and played a central role in the outcome, involved in every step of the process including technical calls with ZeroTek. Okta is now in steady hands with the internal team, and Katz views this project as much their success as it is BTA’s.

What stood out:

• Diligent and safe execution. Changes were staged to avoid lockouts and user disruption.
• Responsive collaboration. BTA and ZeroTek moved the work forward in focused, two-hour working sessions with clear objectives.
• Documentation and repeatability. Katz adopted ZeroTek’s patterns for naming, grouping, and app onboarding to keep orgs consistent and streamline management for himself and his clients. Reference documentation has been “absolutely excellent”.

Looking ahead: passwordless by default

The future for Boston Tech Advisors undoubtedly involves protecting an ever-growing roster of clients with Okta. As Katz puts it:

“I’ve got a new client, staff of about 70, rapid growth, and the VP of Engineering knew they wanted Okta. And because I’ve partnered with ZeroTek, I was able to say to him, ‘Sure, I can turn that on for you tomorrow.’ That’s what ZeroTek makes possible. ZeroTek | Okta align perfectly with our whole approach, which is to move rapidly toward everything being passwordless, and to use the industry’s best tools to do it.”

Bottom line: together, ZeroTek | Okta give Boston Tech Advisors—and their clients—a clear, dependable path to a passwordless-by-default future.

Boston Tech Advisors on ZeroTek | Okta