These are my lab notes from the Okta Professional Certification hands-on track. This is a very exam-relevant area because Okta Professional expects you to understand user state behavior — not just click buttons.
Maps to exam: Part II — Attribute Mapping and Offboarding (20%) · See the full lab map on the Okta Professional Cert Study Map or the official study guide.
The exam-relevant distinction:
Active. Suspended. Password Reset. Deactivated.
Lab Setup
Test user: [email protected]
Step 1 — Baseline Verification
Directory → People → cert.contractor1
Confirm the user is Active. Verify before changing anything:
- User can log in
- User can access assigned apps
- User can launch the real SAML app if assigned
Test login once before changing anything.
Step 2 — Suspend the User
Directory → People → cert.contractor1 → More Actions → Suspend
Confirm. Expected status: Suspended.
Step 3 — Test Suspended Behavior
Open an incognito window and try to log in as cert.contractor1.
Expected: authentication blocked.
Important nuance:
| Item | Suspended User |
|---|---|
| User object exists | Yes |
| Assignments remain | Usually yes |
| Profile remains | Yes |
| Authentication allowed | No |
This is a temporary operational block.
Step 4 — Unsuspend the User
Directory → People → cert.contractor1 → Unsuspend
Test login again. Expected: user can authenticate.
Step 5 — Force Password Reset
Directory → People → cert.contractor1 → More Actions → Reset Password
Choose Require password change at next login.
Step 6 — Test Password Reset Behavior
Log in again as cert.contractor1.
Expected:
User CAN authenticate
BUT must change passwordImportant distinction:
| State | User Can Login? |
|---|---|
| Suspended | No |
| Password Reset | Yes, but forced remediation |
| Deactivated | No |
Step 7 — Deactivate User
Directory → People → cert.contractor1 → Deactivate
Expected status: Deactivated.
Step 8 — Test Deactivated Behavior
Attempt login. Expected: authentication fails completely.
Now compare:
| State | Reversible? | Access? |
|---|---|---|
| Suspended | Yes | Blocked |
| Password Reset | Yes | Allowed after reset |
| Deactivated | Usually final operational offboarding | Blocked |
Step 9 — System Log Analysis
Reports → System Log → search cert.contractor1
Look for:
user.lifecycle.suspend
user.lifecycle.unsuspend
user.account.reset_password
user.lifecycle.deactivate
user.authentication.failedThis is huge exam preparation.
Break/Fix Drill
Run this sequence:
Suspend
→ Unsuspend
→ Reset password
→ Test login
→ Deactivate
→ Test loginThen explain aloud:
What changed operationally at each step?That explanation matters more than memorizing labels.
Success Criteria
You’re done when:
- You can explain Active vs Suspended vs Password Reset vs Deactivated.
- You verified authentication behavior changes at each state.
- You observed lifecycle events in the System Log.
- You understand assignment persistence vs access state.
Exam Sentence
Suspension temporarily blocks authentication while preserving the user object and assignments. Password reset forces credential remediation but allows authentication. Deactivation prevents authentication and is used for offboarding.