Okta’s Workforce Identity Cloud leverages the somewhat confusing named Annual Monthly Active Users (aMAU) metric to measure Customer Identity Access Management usage. This is distinct from Workforce Identity usage which is measured in a per user per month basis.
aMAU is the cumulative annual measure of active users in any given month. That is unique active users are counted each month and then added together to arrive at the aMAU number. Okta counts the aMAUs in alignment with the signed contract i.e. the aMAU is yearly aMAU is calculated on the anniversary of the signed contract. Let’s go through some examples to clarify this.
- A user logs in once per year. This one is simple it is counted as one aMAU
- A user logs in once a month for a year. They are active in every month and therefore are counted as 12 aMAUs
- A user logs in every day of the year. This is the same as above, they are active in every month and therefore counted as 12 aMAUs.
Now that we have a better idea of this pricing model we can see that it is great for use cases where a customer perhaps only interacts with a business a few times a year.
What Counts as an Active User?
A user that has one of the following statuses:
Authenticates to Okta and gets a valid Okta Session OR has a token generated for then.
What System Log events are counted?
The following events count as login or token generation events.
SSO MAU Events
API Access Management Events:
Thus if you which to count the number of active users from your system logs you can leverage a query like the below and then count the number of unique user IDs in a given month that have successfully completed a log in.
WHERE EVENT_TYPE IN ('user.authentication.sso', 'user.session.start', 'app.oauth2.as.authorize.implicit.id_token', 'app.oauth2.as.token.grant.id_token', 'app.oauth2.as.token.grant.refresh_token', 'app.oauth2.authorize.implicit.id_token', 'app.oauth2.authorize.implicit.access_token', 'app.oauth2.token.grant.access_token', 'app.oauth2.token.grant.id_token', 'app.oauth2.token.grant.refresh_token', 'app.oauth2.as.authorize.implicit.access_token', 'app.oauth2.as.token.grant.access_token') AND RESULT='SUCCESS' AND (GRANT_TYPE<>'client_credentials' OR GRANT_TYPE IS NULL);
If you wish to dive deeper into understanding the Okta Systems logs and what can be measured I recommend reviewing the following blog from our security team “User Sign-in and Recovery Events in the Okta System Log” as well as the System Log and Reports documentation.