The Dashboard is your first stop after signing in. The goal is the 30-second glance: is the tenant healthy, anything urgent, what's been happening.
Six tiles, top to bottom and left to right.
KPI strip
The top row, four numbers: sign-ins (24h), sign-in failures (24h), active users (now), new users (24h). Each tile shows the absolute number plus a delta versus the previous 24 hours, with a small sparkline showing the hour-by-hour shape.
Two patterns to recognise:
- Failures spike but sign-ins also spike. Probably a campaign / release / time-of-day pattern. Not concerning.
- Failures spike with flat sign-ins. Concerning. Could be a brute-force attempt, a misconfigured client app, or a downstream IdP outage. Click into Audit and filter on user.sign_in_failed.
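The two patterns above can also be checked mechanically if you export the hourly counts behind the sparklines. The sketch below is an added example, not platform code: the thresholds, function names and sample counts are assumptions, and it compares each hour with the same hour the previous day so that normal time-of-day shape is not flagged.

```python
# Added example, not platform code. Thresholds are assumptions to tune per tenant.
SPIKE = 3.0        # failures >= 3x the same hour yesterday counts as a spike
FLAT = 1.5         # sign-ins <= 1.5x the same hour yesterday counts as flat
MIN_FAILURES = 20  # ignore spikes on tiny absolute counts (e.g. 0 -> 4)


def growth(current, previous):
    """Growth factor vs. the same hour yesterday; a zero baseline is treated as 1."""
    return current / max(previous, 1)


def triage(prev_sign_ins, prev_failures, cur_sign_ins, cur_failures):
    """Return {hour: label} for each hour whose failures spiked.

    Comparing hour-to-same-hour absorbs normal time-of-day shape.
    """
    flagged = {}
    hours = zip(prev_sign_ins, prev_failures, cur_sign_ins, cur_failures)
    for hour, (ps, pf, cs, cf) in enumerate(hours):
        if cf < MIN_FAILURES or growth(cf, pf) < SPIKE:
            continue
        sign_in_growth = growth(cs, ps)
        if sign_in_growth >= SPIKE:
            flagged[hour] = "traffic-driven"   # failures rose with sign-ins
        elif sign_in_growth <= FLAT:
            flagged[hour] = "investigate"      # failures rose, sign-ins flat
        else:
            flagged[hour] = "watch"            # in between: keep an eye on it
    return flagged


# Constructed sample data: hourly counts for the previous and current 24 hours.
PREV_SIGN_INS = [100] * 24
PREV_FAILURES = [5] * 24
PREV_FAILURES[3] = 0
CUR_SIGN_INS = list(PREV_SIGN_INS)
CUR_FAILURES = list(PREV_FAILURES)
CUR_SIGN_INS[9], CUR_FAILURES[9] = 400, 25    # release-style surge
CUR_FAILURES[14] = 60                         # failures only
CUR_FAILURES[3] = 4                           # large ratio, tiny count

if __name__ == "__main__":
    for hour, label in triage(PREV_SIGN_INS, PREV_FAILURES,
                              CUR_SIGN_INS, CUR_FAILURES).items():
        print(f"hour {hour:02d}: {label}")
```

Hours labelled "investigate" are the ones to use as the time window when filtering Audit on user.sign_in_failed.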
MFA distribution donut
What fraction of your active users have enrolled an MFA factor, broken down by kind: WebAuthn / TOTP / SMS / no MFA. The donut is at-a-glance; click it for the detailed breakdown.
If your tenant has an MFA-required policy, the "no MFA" slice should be near zero (it corresponds to users who haven't completed first-time enrolment yet). A growing "no MFA" slice means new users are getting in but not finishing enrolment — check the enrolment policy in authentication settings.
Threat intelligence strip
A short summary of any threat-intel hits in the last 24 hours: IPs that matched a configured feed, sign-in attempts from Tor exit nodes, brute-force triggers. Clicking a row jumps to the relevant audit slice.
When this is empty, your tenant has had a quiet day on the security front. When it isn't, the Threat overview is where you go to act.
Alerts
The platform's curated "you should look at this" list. Examples:
- A breach-incident match — one of your users' emails appeared in a public credential dump.
- A misconfigured application — a SAML connection's IdP certificate is about to expire.
- A custom Action's failure rate crossed a threshold.
Alerts are dismissible (the dismissal is audit-logged); a dismissed alert won't re-appear for the same trigger within 24 hours unless conditions worsen.
Recent activity
A live feed of the last ~20 audit events filtered to the human-interesting ones: admin operations, MFA factor changes, application creates / edits, security events. The full audit log lives in Audit — this strip is your quick-glance.
Pipeline / flow health
Counts of custom-Action runs in the last 24 hours, broken down by Flow (login / registration / etc.) and outcome (continue / block / error). When an Action your team wrote starts erroring, this tile flips colour.
If you have no custom Actions, this tile is empty (the normal state for new tenants).
The whole Dashboard auto-refreshes — see Auto-refresh cadence for the dropdown.
What it deliberately doesn't show:
- Tenant-level KPIs across orgs. Each tenant is its own surface. Cross-tenant rollups live in the IntelliAuth admin console.
- Per-user activity. Users → click into a user's detail page for that.
- Per-application traffic. Applications → click into the app for that.
The Dashboard is for "the tenant overall". Drilling in is one click away.