Migration tooling · Apache 2.0
okta-entra-config-diff
CLI that diffs Okta tenant config against Microsoft Entra ID tenant config — migration tooling for IAM teams.
About
Open-source CLI that connects to an Okta tenant and an Entra ID tenant via their respective management APIs, extracts the configurable state of both, normalizes the schemas, and produces a diff in both human-readable and machine-readable form that highlights parity, mismatches, and unmappable configuration.
Designed for IAM teams running migrations or evaluating consolidation. Useful in both directions: Okta → Entra and Entra → Okta. The diff identifies applications configured in both tenants, sign-on policies with equivalent semantics, MFA factor coverage gaps, Conditional Access policy parity, group membership reconciliation, and application-attribute-mapping inconsistencies. Each diff line includes the equivalent operation in the target tenant's API, so the diff can be replayed as a migration script.
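An added example, not code from this project: how an MFA factor coverage check can sort the factors enabled in each tenant into parity, one-sided gaps, and unmappable entries once both vendors' names are normalized. The mapping tables, the `FactorDiff` type and the function names are assumptions made for illustration, and the input is constructed.

```go
package main

import "fmt"

// Assumed normalization tables (not the tool's schema): vendor name -> neutral class.
var oktaClass = map[string]string{"token:software:totp": "totp", "push": "push",
	"sms": "sms", "call": "voice", "webauthn": "fido2", "email": "email"}
var entraClass = map[string]string{"SoftwareOath": "totp", "MicrosoftAuthenticator": "push",
	"Sms": "sms", "Voice": "voice", "Fido2": "fido2", "Email": "email"}
var classes = []string{"totp", "push", "sms", "voice", "fido2", "email"} // report order

// FactorDiff holds neutral classes; Unmappable keeps the vendor's own names.
type FactorDiff struct{ Parity, OnlyOkta, OnlyEntra, Unmappable []string }

// normalize maps enabled vendor factors to classes; unknown names are recorded, not dropped.
func normalize(enabled []string, table map[string]string, vendor string, d *FactorDiff) map[string]bool {
	set := map[string]bool{}
	for _, f := range enabled {
		if c, ok := table[f]; ok {
			set[c] = true
		} else {
			d.Unmappable = append(d.Unmappable, vendor+":"+f)
		}
	}
	return set
}

// DiffFactors classifies enabled MFA factors as parity, one-sided gap, or unmappable.
func DiffFactors(okta, entra []string) FactorDiff {
	var d FactorDiff
	o := normalize(okta, oktaClass, "okta", &d)
	e := normalize(entra, entraClass, "entra", &d)
	for _, c := range classes {
		switch {
		case o[c] && e[c]:
			d.Parity = append(d.Parity, c)
		case o[c]:
			d.OnlyOkta = append(d.OnlyOkta, c)
		case e[c]:
			d.OnlyEntra = append(d.OnlyEntra, c)
		}
	}
	return d
}

func main() {
	// Constructed sample input: factors enabled in each tenant.
	d := DiffFactors([]string{"push", "sms", "webauthn", "question"}, []string{"MicrosoftAuthenticator", "Fido2", "TemporaryAccessPass"})
	fmt.Printf("%+v\n", d)
}
```

In an Okta → Entra migration, a class listed in `OnlyOkta` marks users who may have no usable factor after cutover, and `Unmappable` entries need a manual decision rather than a silent drop.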
Features
- Okta + Entra ID tenant config extraction via management APIs
- Normalized schema mapping between Okta and Entra concepts
- Application coverage diff (configured in one but not the other)
- Sign-on policy / Conditional Access policy parity check
- MFA factor coverage gap identification
- Group membership reconciliation
- Attribute mapping diff per application
- Output formats: human-readable, JSON, CSV
- Optional replay-as-migration mode — generates Terraform / API call scripts for target tenant
Install
# Homebrew
brew install askmeidentity/tap/okta-entra-config-diff
# Go install
go install github.com/askmeidentity/okta-entra-config-diff@latest
# Docker
docker pull ghcr.io/askmeidentity/okta-entra-config-diff:latest
Usage
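# Credentials come from environment variables; quote them so each is passed as a single argument
okta-entra-config-diff \
  --okta-tenant acme.okta.com \
  --okta-token "$OKTA_TOKEN" \
  --entra-tenant-id 11111111-2222-... \
  --entra-client-id ... \
  --entra-client-secret "$ENTRA_SECRET" \
  --output diff.json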