I took over my team about a year ago, and I've noticed that many service accounts were created directly by developers without going through any provisioning process, which means Okta doesn't recognize them. I've started a manual audit, and while I can trace about 40-50 accounts, there's another 30-40 that I have no information about at all, making them a mystery. Some of these accounts have been around for years and have much broader access than necessary, likely because the person who created them just chose a role that worked and moved on. With new accounts being created constantly, I'm looking for a scalable process to manage this. What do you all do to handle a mess like this?
5 Answers
Yeah, this kind of situation is common in older environments. What worked for us was manually auditing each account and mapping out where they were used. From there, we categorized them into three groups: actively used, unknown, and probably dead. For unknown ones, we disabled them and monitored for issues. If nothing broke, we removed them later. For overprivileged accounts, we rotated credentials and limited access based on the system instead of using broad permissions.
We faced a similar situation and had to disable any unknown service accounts first. Then we traced their usage using logs. We mandated a regulated provisioning process to tag owners and enforce least privilege access, so we didn't end up with the same chaotic mess again.
For the mystery accounts, we quickly analyze authentication logs to sort by the last successful authentication date. If anything hasn't authenticated in 90 days, we disable it right away without discussion. For accounts that are still active, we trace the source IP and context from the logs to see what's really using them. This helps in cleaning up ghost accounts while ensuring nothing critical gets missed since someone will notify you if an account is actually needed.
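As an added illustration of the log-driven triage this answer describes (example code, not the poster's own), the script below runs over a few constructed authentication events: it finds each account's last successful authentication, flags anything past 90 days for disabling, and keeps the source IPs and failed-attempt count for accounts still in use. The log field names, account names and inventory are assumptions, not a real Okta export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample authentication events (not real Okta output), one JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "actor": "svc-backup", "outcome": "SUCCESS", "src_ip": "10.0.4.12"}
{"ts": "2024-05-20T02:15:00Z", "actor": "svc-backup", "outcome": "SUCCESS", "src_ip": "10.0.4.12"}
{"ts": "2023-11-03T08:30:00Z", "actor": "svc-legacy-etl", "outcome": "SUCCESS", "src_ip": "10.0.9.77"}
{"ts": "2024-05-18T23:59:00Z", "actor": "svc-legacy-etl", "outcome": "FAILURE", "src_ip": "203.0.113.5"}
{"ts": "2024-05-19T09:00:00Z", "actor": "svc-ci-deploy", "outcome": "SUCCESS", "src_ip": "10.0.4.12"}
{"ts": "2024-05-21T09:05:00Z", "actor": "svc-ci-deploy", "outcome": "SUCCESS", "src_ip": "10.0.7.3"}
"""
# Hypothetical inventory from the manual audit; svc-orphan never appears in the log at all.
INVENTORY = {"svc-backup", "svc-legacy-etl", "svc-ci-deploy", "svc-orphan"}
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible
STALE_DAYS = 90

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events

def triage(events, inventory, now, stale_days=STALE_DAYS):
    # stale-disable: no success within stale_days; never-authenticated: no success in the
    # log window; active-trace: recent success, so review src_ips before touching it.
    last_ok, ips, failures = {}, defaultdict(set), defaultdict(int)
    for ev in events:
        a = ev["actor"]
        if ev["outcome"] == "SUCCESS":
            last_ok[a] = max(ev["ts"], last_ok.get(a, ev["ts"]))
            ips[a].add(ev["src_ip"])
        else:
            failures[a] += 1  # failed attempts against a stale account are worth a look too
    report = {}
    for a in inventory | set(last_ok):  # accounts seen only in logs are unknowns to add
        last = last_ok.get(a)
        if last is None:
            status = "never-authenticated"
        elif now - last > timedelta(days=stale_days):
            status = "stale-disable"
        else:
            status = "active-trace"
        report[a] = {"status": status, "last_success": last,
                     "src_ips": sorted(ips[a]), "failures": failures[a]}
    return report

def run_sample():
    return triage(parse_events(SAMPLE_LOG), INVENTORY, NOW)
```

Accounts in the inventory with no successful login in the log window come out as `never-authenticated`, which is only meaningful if the window covers the whole stale period.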
If you have an InfoSec team, just send them the list of service accounts and grab a coffee while they deal with it! Seriously though, it might be a good idea to involve them right from the start.
We shifted our environment from chaos to control by requiring all accounts to be managed. I'm not an expert with Okta, but I suggest creating a project to manage all current accounts. If there's no clear owner for an account, consider disabling it. Making sure to periodically confirm account necessity with owners helps too! And definitely get management support to back up your efforts.