TSA Okta identity separation is the work of carving the Newco's users, applications, and lifecycle automation out of the seller's Okta tenant. Identity is the keystone of every other system in scope. The Newco's TSA exit strategy has to put Okta near the front of the wave order because every application that depends on single sign on, every SCIM provisioning flow, and every joiner and leaver workflow runs through identity. The buyer that stages a clean tenant cutover keeps the workforce productive. The buyer that does not finds users locked out of email on the morning after Day One.
An Okta tenant holds users, groups, applications, authentication policies, multifactor enrolment, and lifecycle automation. Each application is wired in through SAML, OpenID Connect, or SCIM, with rules for who can authenticate and what attributes flow through. The seller's tenant typically integrates a hundred to several hundred applications across finance, sales, engineering, and operations. Some integrations serve only the carved-out business. Others serve the seller's retained business jointly.
The carve-out has to address each application individually. A direct SAML application that points only at Newco users can be reconfigured to point at the Newco's destination tenant on cutover. A SCIM provisioned application requires more care because user lifecycle events flow from the identity provider into the downstream system. Switching the provider switches the source of truth. Mishandled, the destination application loses provisioning and either over provisions or under provisions accounts.
A pre-signing inventory of every application, the integration type, the downstream owner, and the dependency on Okta is the first deliverable. Without it the cutover wave order is a guess. The pattern overlaps with the broader carve-out Active Directory migration playbook because identity in the cloud and identity on premises are usually federated.
The user list moves first. Every Newco employee, contractor, and service account in the seller's Okta has to be exported and recreated in the Newco's destination tenant. The export is straightforward. The discipline sits in deciding which users belong to the Newco and which do not. Joint hires, recently transferred employees, and shared service contractors all require a decision before the export. A user the seller still considers theirs is a user the Newco cannot provision in the destination.
The directory of record is the second decision. Most Newcos source identity from the HR system. Workday, BambooHR, ADP, or SuccessFactors typically holds the master record of who is an employee. The carve-out has to confirm the source of truth in the Newco environment and configure Okta to consume from it. Where the seller's HR system stays in scope under the TSA the integration repoints to the Newco tenant on cutover.
Group structure is the third decision. Application access is usually granted by group membership. The Newco's groups have to be recreated in the destination tenant with the same names or with a clear mapping. Where the seller's groups encode policies that no longer apply, the carve-out is the moment to clean the structure rather than to recreate the legacy.
SAML applications need a new identity provider configuration on the destination tenant and a corresponding update on the application side. The application's metadata changes. The certificate fingerprint changes. The login URL changes. Each application owner has to coordinate the change with the application vendor or the internal application team. The work is not difficult per application. It is the volume that creates the schedule risk.
SCIM provisioned applications need additional care. The destination tenant has to be configured to provision into the application before the seller's tenant deprovisions. A short overlap window is usually safer than a hard cut. The Newco discontinues the seller's provisioning only when the destination provisioning has run a full cycle without errors. Where the application uses just in time provisioning, the cutover is simpler. Where the application uses scheduled SCIM sync, the timing has to be planned with the application owner.
Multifactor enrolment is a special case. Users typically have to re enrol their factors against the destination tenant. The Newco should run a clear communication, a self service enrolment window, and a fallback for users who lose access. The pattern overlaps with the broader Day One cybersecurity playbook.
The seller's Okta tenant typically runs a set of lifecycle workflows. New hires from the HR system trigger account creation, group membership, and downstream provisioning. Internal moves trigger group changes. Leavers trigger account suspension and access removal. The Newco's destination tenant has to recreate every workflow. A missed workflow produces either over provisioned access for new joiners or under provisioned access for movers.
The discipline is to inventory every workflow, document the trigger and the action, recreate the workflow on the destination tenant, and validate against a test population before cutover. Where the seller has built complex workflow logic over years, the temptation to rebuild from scratch is real. The cutover is rarely the right moment for rebuild. The Newco recreates the existing logic and reserves rebuild for the post-close period.
Audit logs deserve specific attention. The seller's tenant holds the historical access record for the Newco. The carve-out exit has to address how that history is preserved. Most Newcos take an export of the relevant audit data into the destination tenant or a separate retention store before the seller decommissions Newco access.
Okta is licensed by user and by feature tier. The seller typically holds an enterprise contract that covers the combined business at a discount. During the TSA the seller allocates a share of the user count and the feature cost to the Newco. The allocation methodology needs to be transparent. Buyers that accept an opaque allocation often pay for a feature mix that does not reflect their consumption.
The Newco's own Okta contract or destination identity platform is procured during the TSA period. Some Newcos stay on Okta in their own tenant. Some move to alternatives such as Microsoft Entra ID, Azure AD B2C, or a vendor with stronger fit for the Newco's industry. The choice depends on the existing application integrations, the value creation plan around identity, and the level of customisation already in place.
When the cutover completes the seller's invoice should drop to zero on the identity line. The pattern overlaps with the broader TSA invoice validation process playbook.
A clean Okta exit closes three records. The seller's tenant retains no active Newco users, no active Newco applications, and no active provisioning into Newco systems. The Newco's destination tenant authenticates every user against the Newco's directory of record. The cutover documentation supports the broader TSA exit certificate and the audit committee can rely on a single identity perimeter.
Open items, typically a small set of long tail applications no one currently owns, are tracked under a short post-close services agreement with a hard end date. Those applications are either migrated, deprecated, or moved to a third-party identity bridge. The decision is made application by application with the business owner in the room.
Specialist support across the identity workstream is part of the TSA Exit Acceleration service when the milestone is at risk. The work coordinates with the Newco's CISO, CIO, the seller's identity administrators, and the application owners on both sides.
How buyers carve out Entra ID tenants and downstream applications during a TSA.
Read the article →How buyers carve out endpoint security and EDR tenants during a TSA.
Read the article →How buyers stand up a clean directory perimeter on Day One and beyond.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up a clean identity tenant first — every application cutover and every security control depends on it, and the seller holds the keys until you do.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →