Counting aMAUs from System Logs

Okta CIAM 2 Minutes

Okta’s Workforce Identity Cloud Customer Identity Solution (CIS) leverages the somewhat confusing named Annual Monthly Active Users (aMAU) metric to measure Customer Identity Access Management usage. This is distinct from Workforce Identity usage which is measured in a per user per month basis.

aMAU is the cumulative annual measure of active users in any given month. That is unique active users are counted each month and then added together to arrive at the aMAU number. Okta counts the aMAUs in alignment with the signed contract i.e. the aMAU is yearly aMAU is calculated on the anniversary of the signed contract. Let’s go through some examples to clarify this.

  • A user logs in once per year. This one is simple it is counted as one aMAU
  • A user logs in once a month for a year. They are active in every month and therefore are counted as 12 aMAUs
  • A user logs in every day of the year. This is the same as above, they are active in every month and therefore counted as 12 aMAUs.

Now that we have a better idea of this pricing model we can see that it is great for use cases where a customer perhaps only interacts with a business a few times a year.

What Counts as an Active User?

A user that has one of the following statuses:

  • ACTIVE
  • RECOVERY
  • LOCKED_OUT
  • PASSWORD_EXPIRED
  • SUSPENDED

Authenticates to Okta and gets a valid Okta Session OR has a token generated for then.

What System Log events are counted?

The following events count as login or token generation events.

SSO MAU Events

  • app.oauth2.as.authorize.implicit.id_token
  • app.oauth2.as.token.grant.id_token
  • app.oauth2.as.token.grant.refresh_token
  • app.oauth2.authorize.implicit.id_token
  • app.oauth2.authorize.implicit.access_token
  • app.oauth2.token.grant.access_token
  • app.oauth2.token.grant.id_token
  • app.oauth2.token.grant.refresh_token

API Access Management Events:

  • app.oauth2.as.authorize.implicit.access_token
  • app.oauth2.as.token.grant.access_token

Thus if you which to count the number of active users from your system logs you can leverage a query like the below and then count the number of unique user IDs in a given month that have successfully completed a log in.

WHERE
EVENT_TYPE IN ('user.authentication.sso',
'user.session.start',
'app.oauth2.as.authorize.implicit.id_token',
'app.oauth2.as.token.grant.id_token',
'app.oauth2.as.token.grant.refresh_token',
'app.oauth2.authorize.implicit.id_token',
'app.oauth2.authorize.implicit.access_token',
'app.oauth2.token.grant.access_token',
'app.oauth2.token.grant.id_token',
'app.oauth2.token.grant.refresh_token',
'app.oauth2.as.authorize.implicit.access_token',
'app.oauth2.as.token.grant.access_token')
AND RESULT='SUCCESS'
AND (GRANT_TYPE<>'client_credentials' OR GRANT_TYPE IS NULL);

If you wish to dive deeper into understanding the Okta Systems logs and what can be measured I recommend reviewing the following blog from our security team “User Sign-in and Recovery Events in the Okta System Log” as well as the System Log and Reports documentation.

Published by Toby Allen

Toby Allen is a Solutions Engineer at Okta focussed on enabling simple secure access to technology everywhere powered by Identity. While working in the communications space for 15 years he developed a keen interest in security, particularly in his 5 years working with communications APIs at Twilio and is a CISSP and CCSP. In 2022 he transitioned fulling into the security space at Okta with Identity as the core enabler of Zero trust and secure access. Holding both an MBA and multiple technical certifications he is able to bridge the gap between executives and technical teams to deliver value to his customers.

Published

Leave a Reply