This guide walks you through setting up a new Okta org optimized for security and scalability according to ZeroTek's field-tested MSP best practices.
If you are a ZeroTek Partner already familiar with this process, use this guide as a checklist to ensure you are always following our latest recommendations. We update best practices as the ZeroTek | Okta platform evolves.
IMPORTANT
Complete all procedures in the order listed. Each procedure builds on the last.
Before you begin
You can accelerate the majority of this configuration using a ZeroConfig pre-built template, which automates most of the steps below in seconds. However, there are real benefits to completing this process manually a few times — both to build familiarity with the ZeroTek platform and to prepare for the Okta Certified Professional (OCP) exam.
1️⃣ Start in ZeroTek
Complete the following four procedures from ZeroTek. This phase provisions the Okta org itself and prepares the foundational elements — groups, network zones, and authenticators — that all subsequent security policy configurations depend on.
Create an Okta group from ZeroTek (repeat for both the Deep Link group and the Service/Shared Admin Accounts group)
2️⃣ Configure general security settings
Access the new org and configure Okta's general security settings before any policies are created. You will use the MSP-Okta Integration account as a temporary access method at this stage — this account will be properly secured later in the process.
3️⃣ Configure Deep Link policies and complete Deep Link setup
Configure security policies specifically scoped to the Deep Link group before creating the Deep Link account itself. The account must be added to a secured group at the moment of creation — creating the account before the policies are in place would leave it temporarily unprotected.
4️⃣ Secure the MSP-Okta Integration account
Now that the new org is configured, return to the MSP-Okta Integration account you used in Phase 2 and secure it properly. This involves resetting its authenticator, moving it into the correct group, and enrolling Google Authenticator TOTP via ZeroTek.
5️⃣ Configure strong baseline security for all staff/personnel accounts
Create a group for all staff and personnel accounts and secure it with a full set of policies. This phase uses Okta Expression Language to configure a group rule that automatically captures the right users — specifically, anyone who is not the Deep Link account and not a member of the service/shared admin accounts group.
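An added example, not part of ZeroTek's guide or Okta's own code: one way the group rule described above could be written as an Okta Groups API request body, with a local dry run over constructed users. The login, group name, group ID and rule name are placeholder assumptions, as is identifying the Deep Link account by `user.login`.

```python
import json

# Assumed placeholders: the guide does not give the real login, group name or ID.
DEEP_LINK_LOGIN = "deeplink@example.com"
SERVICE_GROUP = "Service/Shared Admin Accounts"
STAFF_GROUP_ID = "00gSTAFFPLACEHOLDER"

def el_string(value):
    """Quote a value as an Okta Expression Language literal; refuse characters that could break out of it."""
    if not value or any(c in value for c in '"\\\r\n'):
        raise ValueError(f"unsafe value for expression literal: {value!r}")
    return f'"{value}"'

def staff_rule_expression(deep_link_login, service_group):
    """Match everyone except the Deep Link account and service/shared admin group members."""
    return (f"user.login != {el_string(deep_link_login)}"
            f" && !isMemberOfGroupName({el_string(service_group)})")

def staff_rule_payload(name, staff_group_id, deep_link_login, service_group):
    """Body for POST /api/v1/groups/rules; Okta creates the rule INACTIVE until it is activated."""
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {"expression": {
            "type": "urn:okta:expression:1.0",
            "value": staff_rule_expression(deep_link_login, service_group),
        }},
        "actions": {"assignUserToGroup": {"groupIds": [staff_group_id]}},
    }

def dry_run(users, deep_link_login, service_group):
    """Local mirror of the expression: logins the rule would place in the staff group."""
    return [u["login"] for u in users
            if u["login"] != deep_link_login and service_group not in u["groups"]]

# Constructed sample users, standing in for an export of the org's accounts.
SAMPLE_USERS = [
    {"login": "alice@example.com", "groups": ["Everyone"]},
    {"login": "deeplink@example.com", "groups": ["Everyone", "Deep Link"]},
    {"login": "svc-backup@example.com", "groups": ["Everyone", SERVICE_GROUP]},
    {"login": "bob@example.com", "groups": ["Everyone"]},
]

if __name__ == "__main__":
    print(json.dumps(staff_rule_payload("Staff baseline (example)", STAFF_GROUP_ID,
                                        DEEP_LINK_LOGIN, SERVICE_GROUP), indent=2))
    print("Would be captured:", dry_run(SAMPLE_USERS, DEEP_LINK_LOGIN, SERVICE_GROUP))
```

Running the dry run against an export of the org's users before activating the rule shows whether the Deep Link account or any service/shared admin account would be swept into the staff group.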
6️⃣ Strengthen default authentication policies
As a final step, harden the two default Okta authentication policies that apply broadly across the org.
What's next?
Once you have completed all phases above, the org has a solid, MSP-aligned security baseline. The following steps are typically performed next:
Manage ZeroTek user assignments — Assign ZeroTek Technicians and Help Desk users access to the new org.
Configure branding and customizations — If you plan to use a vanity URL, this must be done before integrating identity directories or importing users. Learn more: Okta Help Center - Branding.

Set up redundant access (optional) — Consider creating an additional break glass account for redundancy.
Understand when and how to bypass MFA (optional) — If temporary MFA bypass may be needed, follow our MFA Bypass Setup guide to do this without weakening the org's security posture.
Need help? ZeroTek Partners can contact ZeroTek Support ([email protected]) and our team will be happy to assist.
