
Set-StrictMode -Version Latest

function Get-OktaPassswordPolicy {
    param (
        [string] $PolicyId,
        [switch] $WithRules, # returns max 20, if > 20 an error
        [string] $Type,
        [switch] $JSON

    process {
        if ($PolicyId) {
            $uri = "policies/$PolicyId"
            if ($WithRules) {
                $uri += '?expand=rules'
            Invoke-OktaApi -RelativeUri $uri -Json:$JSON
        } else {
            Invoke-OktaApi -RelativeUri "policies?type=$Type" -Json:$JSON

function Disable-OktaPolicy {
    param (
        [string] $PolicyId
    process {
        Invoke-OktaApi -RelativeUri "policies/$PolicyId/lifecycle/deactivate"

function Enable-OktaPolicy {
    param (
        [string] $PolicyId
    process {
        Invoke-OktaApi -RelativeUri "policies/$PolicyId/lifecycle/activate"

function New-OktaPasswordPolicy {
    param (
        [string] $Name,
        [string] $Description,
        [switch] $Inactive,
        [int] $Priority = 1,
        [int] $MinLength = 8,
        [int] $MinLowerCase = 1,
        [int] $MinUpperCase = 1,
        [int] $MinNumber = 1,
        [int] $MinSymbol = 0,
        [int] $MaxAgeDays = 60,
        [int] $ExpireWarnDays = 0,
        [int] $MinAgeMinutes = 0,
        [int] $HistoryCount = 5,
        [int] $MaxAttempts = 3,
        [int] $AutoUnlockMinutes = 5,
        [switch] $ExcludeUserName,
        [switch] $ExcludeDictionaryCommon,
        [string[]] $ExcludeAttributes = @(),
        [string[]] $IncludeGroups = @(),
        [string] $RecoveryQuestionStatus = "ACTIVE",
        [ValidateSet("OKTA","Active Directory")]
        [string] $Provider = "OKTA"
    Set-StrictMode -Version Latest

    $body = @{
        status = ternary $Inactive "INACTIVE" "ACTIVE"
        name = $Name
        description = ternary $Description $Description "Added by OktaPosh"
        priority = $Priority
        system = $false
        conditions = @{
            people = @{
                groups = @{
                    include = $IncludeGroups
            authProvider = @{
                provider = $Provider
        settings = @{
            password = @{
                complexity = @{
                    minLength = $MinLength
                    minLowerCase = $MinLowerCase
                    minUpperCase = $MinUpperCase
                    minNumber = $MinNumber
                    minSymbol = $MinSymbol
                    excludeUsername = [bool]$ExcludeUserName
                    dictionary = @{
                        common = @{
                            exclude = [bool]$ExcludeDictionaryCommon
                    excludeAttributes = $ExcludeAttributes
                age = @{
                    maxAgeDays = $MaxAgeDays
                    expireWarnDays = $ExpireWarnDays
                    minAgeMinutes = $MinAgeMinutes
                    historyCount = $HistoryCount
                lockout = @{
                    maxAttempts = $MaxAttempts
                    autoUnlockMinutes = $AutoUnlockMinutes
                    userLockoutNotificationChannels = @()
                    showLockoutFailures = $false
            recovery = @{
                factors = @{
                    recovery_question = @{
                        status = $RecoveryQuestionStatus
                        properties = @{
                            complexity = @{
                                minLength = 4
                    okta_email = @{
                        status = "ACTIVE"
                        properties = @{
                            recoveryToken = @{
                                tokenLifetimeMinutes = 60
                    okta_sms = @{
                        status = "INACTIVE"
                    okta_call = @{
                        status = "INACTIVE"
            delegation = @{
                options = @{
                    skipUnlock = $false
        type = "PASSWORD"

    if ($PSCmdlet.ShouldProcess($Name, "Add new Policy")) {
        Invoke-OktaApi -RelativeUri "policies" -Method POST -Body $body

function New-OktaPasswordPolicyRule {
    param (
        [string] $PolicyId,
        [string] $Name,
        [switch] $AllowPasswordChange,
        [switch] $AllowSelfServicePasswordReset,
        [switch] $AllowSelfServiceUnlock,
        [switch] $Inactive,
        [int] $Priority = 1

    $body = @{
        status = ternary $Inactive "INACTIVE" "ACTIVE"
        name = $Name
        priority = $Priority
        system = $false
        conditions = @{
            people = @{
                users = @{
                    exclude = @()
            network = @{
                connection = "ANYWHERE"
        actions = @{
            passwordChange = @{
                access = ternary $AllowPasswordChange "ALLOW" "DENY"
            selfServicePasswordReset = @{
                access = ternary $AllowSelfServicePasswordReset "ALLOW" "DENY"
            selfServiceUnlock = @{
                access = ternary $AllowSelfServiceUnlock "ALLOW" "DENY"
        type = "PASSWORD"

    if ($PSCmdlet.ShouldProcess("${PolicyId}:$Name", "Add new Policy Rule")) {
        Invoke-OktaApi -RelativeUri "policies/$PolicyId/rules" -Method POST -Body $body


function Get-OktaPolicyRule {
    param (
        [string] $PolicyId,
        [switch] $JSON

    Invoke-OktaApi -RelativeUri "policies/$PolicyId/rules" -Json:$JSON

# function New-OktaPolicyTask {
    # [CmdletBinding()]
# param (
# [Parameter(Mandatory)]
# [string] $PolicyId,
# [Parameter(Mandatory)]
# [System.DateTimeOffset] $DateTime,
# [Parameter(Mandatory)]
# [ValidateSet('Daily','Once')]
# [string] $Frequency
# )
# [string] $Type = 'SCHEDULED'
# [string] $Status = 'ACTIVE'
# $task = @{
# action = @{
# policy = @{
# id = $PolicyId
# }
# }
# schedule = @{}
# type = $Type
# status = $Status
# }
# if ($Frequency -eq 'Daily') {
# $task.schedule = @{
# cron = @{
# expression = "$min $hr * * *"
# }
# }
# } else {
# $task.schedule = @{
# runOnce = @{
# runTime = "$($DateTime.ToUniversalTime().ToString('s'))$($DateTime.ToString('%K'))"
# }
# }
# }

# Invoke-OktaApi -RelativeUri 'tasks' -Method Post -Body $task
# }
# function Remove-OktaPolicyTask {
# [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
# param(
# [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
# [Alias('Id')]
# [string] $PolicyId
# )

# begin {
# $tasks = Get-OktaTask
# }

# process {
# $task = @($tasks | Where-Object { $_.action.type -eq 'EXECUTE_POLICY' -and $ -eq $PolicyId })
# foreach ($task in $tasks ) {
# Remove-OktaTask -TaskId $
# }
# }
# }

# function Remove-OktaTask {
# [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
# param(
# [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
# [Alias('Id')]
# [string] $TaskId
# )

# process {
# Set-StrictMode -Version Latest

# $Task = Get-OktaTask -TaskId $TaskId
# if ($Task) {
# if ($PSCmdlet.ShouldProcess($TaskId,"Remove Task")) {
# Invoke-OktaApi -RelativeUri "tasks/$TaskId" -Method DELETE
# }
# } else {
# Write-Warning "Task with id '$TaskId' not found"
# }
# }
# }

# function New-OktaAutomation {
    # [CmdletBinding()]
# param (
# [string] $Name,
# [ValidateSet('InactiveUser','PasswordWillExpireIn')]
# [string] $Type,
# [System.DateTimeOffset] $DateTime,
# [ValidateSet('Daily','Once')]
# [string] $Frequency,
# [int] $Days,
# [string] $ChangeTo,
# [string[]] $GroupIds,
# [switch] $Activate,
# [int] $Priority = 2
# )

# $automationPolicy = @{
# status = ternary $Activate 'ACTIVE' 'INACTIVE'
# name = $Name
# priority = $Priority
# conditions = @{
# people = @{
# users = @{}
# }
# groups = @{
# include = $GroupIds
# }
# }
# }
# if ($Type -eq 'PasswordWillExpireIn') {
# $automationPolicy.conditions.people.users = @{
# passwordExpiration = @{
# unit = "DAYS"
# number = $Days
# }
# }
# } else {
# $automationPolicy.conditions.people.users = @{
# inactivity = @{
# unit = "DAYS"
# number = $Days
# }
# }
# }
# $policy = Invoke-OktaApi -RelativeUri 'policies' -Method POST -Body $automationPolicy
# if ($policy -and $ {
# New-OktaPolicyTask -PolicyId $ -DateTime $DateTime -Frequency $Frequency
# }
# $policy
# }

# function New-OktaPolicyRule {
    # [CmdletBinding()]
# param (
# [Parameter(Mandatory)]
# [string] $PolicyId,
# [Parameter(Mandatory)]
# [string] $Type,
# [Parameter(Mandatory)]
# [string] $Name,
# [switch] $Activate,
# [int] $Priority = 2
# )

# Set-StrictMode -Version Latest

# $policyRule = @{
# name = $Name
# system = $false
# type = $Type
# conditions = $null
# status = (ternary $Activate 'ACTIVE' 'INACTIVE')
# priority = $Priority
# actions = @{
# updateUserLifecycle= @{
# targetStatus = "INACTIVE"
# quietPeriod = @{
# number = 0
# unit = "DAYS"
# }
# }
# }
# }
# Invoke-OktaApi -RelativeUri "policies/$policyId/rules" -Method POST -Body $policyRule
# }

function Set-OktaPasswordPolicy {
        [PSCustomObject] $Policy

    if ($PSCmdlet.ShouldProcess($, "Update Policy")) {
        Invoke-OktaApi -RelativeUri "policies/$($Policy.Id)" -Method PUT -Body $Policy

function Remove-OktaPasswordPolicy {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
        [string] $PolicyId

    process {
        Set-StrictMode -Version Latest

        $Policy = Get-OktaPolicy -PolicyId $PolicyId
        if ($Policy) {
            if ($PSCmdlet.ShouldProcess($, "Remove Policy")) {
                Invoke-OktaApi -RelativeUri "policies/$PolicyId" -Method DELETE
        } else {
            Write-Warning "Policy with id '$PolicyId' not found"

function Remove-OktaPolicyRule {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
        [string] $PolicyId,
        [string] $RuleId

    process {
        Set-StrictMode -Version Latest

        $Rule = Get-OktaPolicyRule -PolicyId $PolicyId -RuleId $RuleId
        if ($Rule) {
            if ($PSCmdlet.ShouldProcess($, "Remove Policy Rule")) {
                Invoke-OktaApi -RelativeUri "policies/$PolicyId/rules/$RuleId" -Method DELETE
        } else {
            Write-Warning "Policy rule for policy with id '$PolicyId' and id '$RuleId' not found"