Powershell CLI for communicating with the Okta API


Okta.PowerShell - The PowerShell module for the Okta Management API

This repository contains the Okta management PowerShell module. This PowerShell module can be used to easily interact with the Okta management API and:

Note: For more details about the APIs and models the SDK support, check out the API docs

Release status

This library uses semantic versioning and follows Okta's library version policy.

Version Status
2.x ✔️ Stable
1.x ⚠️ Retiring on Aug 21st 2025

The latest release can always be found on the releases page. For more information about our SDKs' lifecycle, check out our docs.

Need help?

If you run into problems using the Okta PowerShell module, you can

Getting started

This PowerShell module is automatically generated by the OpenAPI Generator project:

  • API version: 3.0.0
  • Build package: org.openapitools.codegen.languages.PowerShellClientCodegen For more information, please visit

The Okta PowerShell module is compatible with:

  • PowerShell 7.0 or later
  • Mac/Windows
  • OIE and Classic Okta orgs



To install the Okta.PowerShell module from PS Gallery run the following command:

Install-Module -Name Okta.PowerShell -RequiredVersion <MODULE_VERSION>

To verify the module was successfully installed, run Get-InstalledModule -Name 'okta.powershell' and verify that the module information is shown.

To uninstall the module, simply run:

Uninstall-Module -Name Okta.PowerShell


To install the Okta.PowerShell module from Chocolatey run the following command:

choco install okta.powershell --version=<MODULE_VERSION>

To verify the module was successfully installed, run choco list "okta.powershell" and verify that the module information is shown.

To uninstall the module, simply run:

choco uninstall okta.powershell


Note: Signed binary releases are posted to the okta-powershell-cli releases section in Github.

To install from the source, run the following command to build and install the PowerShell module locally:

Import-Module -Name '.\src\Okta.PowerShell' -Verbose

To avoid function name collision, one can use -Prefix, e.g. Import-Module -Name '.\src\Okta.PowerShell' -Prefix prefix

To uninstall the module, simply run:

Remove-Module -FullyQualifiedName @{ModuleName = "Okta.PowerShell"; ModuleVersion = "<MODULE_VERSION>"}


To install and run Pester, please execute the following commands in the terminal:

Install-module -name Pester -force


For troubleshooting, please run $DebugPreference = 'Continue' to turn on debugging and disable it with $DebugPreference = 'SilentlyContinue' when done with the troubleshooting.

Security recommendations

We recommend limiting the access permissions of your Okta.PowerShell scripts to only authorized users.

Add the appropriate users or groups and assign the necessary permissions to the OktaConfiguration.ps1 file (Full Control, Read & Execute, etc.), and remove any unnecessary users or groups from the list.

:Warning: The OktaConfiguration.ps1 file contains secrets, so we recommend using least privilege access to the configuration file.

Note: For more information about PowerShell script security, check out the official PowerShell security guide.

Usage guide


The PowerShell module uses the device authorization flow to obtain an access token, so it requires, at least, three configuration values. These are the values for the Okta Org domain, the client ID of the OIDC Native Application and the scope for the API grants you are going to need. For example, if you are going to get groups then you will need the grant configured in your scope. Make sure to assign the application to anyone that needs access to it.

non-admin users

Non-admin users will require to be granted specific permissions to perform certain tasks and access resources.

Check out the following resources to learn more:

Set your configuration and execute commands

  1. Set your configuration
$Configuration = Get-OktaConfiguration
$Configuration.BaseUrl = ''
$Configuration.ClientId = 'MY_CLIENT_ID'
$Configuration.Scope = "" # or ""
  1. Authorize your device

Note: You have to open the browser and navigate to the provided URL to complete the flow. Once the device is authorized, go back to the PowerShell terminal.

  1. Invoke commands

id                    : 00g9erf7s3ydK79IX5d7
created               : 5/5/23 1:45:05 PM
lastUpdated           : 5/5/23 1:45:05 PM
lastMembershipUpdated : 5/5/23 1:45:05 PM
objectClass           : {okta:user_group}
type                  : OKTA_GROUP
profile               : @{name=Sales; description=}
_links                : @{logo=System.Object[]; users=; apps=}

Note: For more details about commands, check out the documentation for API endpoints

Note: If you want to remove the access token from configuration you can execute Invoke-OktaRemoveAccessToken

Configure a proxy

$proxyUrl = ""
$webProxy = New-Object System.Net.WebProxy($proxyUrl)
$Configuration.Proxy = $webProxy
  1. Revoke your access token

Starting in Okta.PowerShell v2.x series, you can execute the following command to revoke your token:


Notice this will also remove the access token from your Okta configuration

Create objects

The Okta PowerShell Module supports two approaches for object creation:

  1. The "Initialize-Object" command
  2. Using PowerShell's native PSCustomObject for creating objects

Create the object manually using PowerShell's native PSCustomObject and the API reference

You can check out the API reference to explore what the payload structure should look like for the operation you want to perform. For example, if you want to create a group, check out the Add Group API reference and look for the request sample. For this particular operation, you will see that the payload should look like the following:

    "profile": {
        "description": "All users West of The Rockies",
        "name": "West Coast users"

Then you can recreate the same payload using PSCustomObject:

$Group = [PSCustomObject]@{ 
            profile = [PSCustomObject]@{
                description = "All users West of the Rockies"
                name = "West Coast users"}

$NewGroup = New-OktaGroup -Group $Group

⚠️ If you follow this approach, you have to ensure the casing is correct. Notice that for this particular operation, all the properties of the group payload are in lowercase.

Create the object using "Initialize-Object" command

The Okta PowerShell Module provides an "Initialize-Object" command that simplifies the creation and initialization of most of the objects. Each object represents a distinct entity supported by the Okta PowerShell Module, and this command provides a standardized approach to create and configure these objects.

Following the same "Create group" example as in the previous step, you can create a group object by executing the corresponding "Initialize-Object" commands:

$GroupProfile = Initialize-OktaGroupProfile -Name "West Coast users" -Description "All users West of the Rockies"
$Group = Initialize-OktaGroup -VarProfile $GroupProfile
$NewGroup = New-OktaGroup -Group $Group

Notice that for objects that have nested properties, each nested property may itself be an object that needs to be initialized separately. In such cases make sure to:

  1. Initialize each nested property individually.
  2. Pass the nested object(s) as part of the -Property parameter when initializing the parent object.

Always verify the required structure and types for nested properties by consulting the API reference.

Get a user

$User = Get-OktaUser -UserId "foo"

Create a user

$UserProfile = [PSCustomObject]@{
                firstName = 'John'
                lastName = 'Doe'
                login = '[email protected]'
                email = '[email protected]'

$CreateUserRequest = Initialize-OktaCreateUserRequest -VarProfile $UserProfile -GroupIds 'foo'
$TestResult = New-OktaUser -Body $CreateUserRequest

Note: If you initialize objects using PSCustomObject, ensure the casing is correct.

Create a user with password

$UserProfile = [PSCustomObject]@{
                firstName = 'John'
                lastName = 'Doe'
                login = '[email protected]'
                email = '[email protected]'

$UserCredentials = [PSCustomObject]@{ 
                    password = [PSCustomObject]@{ value = 'Hell0W0rld'} 

$CreateUserRequest = Initialize-OktaCreateUserRequest -VarProfile $UserProfile -Credentials $UserCredentials
$TestResult = New-OktaUser -Body $CreateUserRequest

Note: If you initialize objects using PSCustomObject, ensure the casing is correct.

Alternatively, you can use the Initialize commands to create the user payload:

$UserProfile = Initialize-OktaUserProfile -Email "[email protected]" -Login "[email protected]" -FirstName "Joe" -LastName "Doe"
$UserCredentials = Initialize-OktaUserCredentials -Password "Hell0W0rld!"

$CreateUserRequest = Initialize-OktaCreateUserRequest -VarProfile $UserProfile -Credentials $UserCredentials
$TestResult = New-OktaUser -Body $CreateUserRequest

List users with pagination

$Users  = Invoke-OktaListUsers -Limit 10 

Utilize the -withHttpInfo flag to retrieve additional response properties, including NextPageUri for accessing the subsequent page of results. Additionally, you can seamlessly access all response headers through the Headers property.

To paginate results, use Uri param, which allows passing absolute URIs:

$UsersResponse  = Invoke-OktaListUsers -Limit 10 -withHttpInfo

While ($UsersResponse.NextPageUri)
    $UsersResponse = Invoke-OktaListUsers -Uri $UsersResponse.NextPageUri  -withHttpInfo #This time you can pass the absolute Uri with already contains query params such as "limit" or/and "after"
    $UsersList =  $UsersResponse.Response

Create an application

$OAuthClient = [PSCustomObject]@{
                client_uri = ""
                logo_uri = ""
                response_types = @("token", "id_token", "code")
                redirect_uris = @("", "myapp://callback")
                post_logout_redirect_uris = @("", "myapp://postlogoutcallback")
                grant_types = @("implicit", "authorization_code")
                application_type = "native"
                tos_uri = ""
                policy_uri = ""
# a simple test to create an object
$Settings = Initialize-OktaOpenIdConnectApplicationSettings -OauthClient $OAuthClient

$NewApp = Initialize-OktaOpenIdConnectApplication -Label "New App" -SignOnMode "OPENID_CONNECT" -Settings $Settings

Note: If you initialize objects using PSCustomObject, ensure the casing is correct.

Note: Null values are removed from the payload by default. If you want to include null values you have to include the -IncludeNullValues flag.

Note: For more API samples checkout our tests

List resources that match a filter criteria

Certain Okta APIs allow you to list a subset of resources that match a supported filter expression, query, or search criteria. For example, the Groups API enables you to provide filter criteria via query parameters to return a subset of groups. These query parameters require URL encoding, which is handled internally by the Okta.PowerShell module. This ensures that your queries are correctly formatted and processed by the Okta API without any additional effort on your part.

List groups using the search parameter

  • Search groups that are of the type OKTA_GROUP:
Invoke-OktaListGroups -Search 'type eq "OKTA_GROUP"'

Internally, the Okta.PowerShell module will encode the search criteria as /api/v1/groups?search=type+eq+%22OKTA_GROUP%22.

  • Search groups which name is equals to IAM Team:
Invoke-OktaListGroups -Search ' eq "IAM Team"'

Internally, the Okta.PowerShell module will encode the search criteria as /api/v1/groups?

List groups using the filter parameter

  • Filter groups that are of the type OKTA_GROUP with profile updated after 11/11/2015
Invoke-OktaListGroups -Filter 'type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z"'

Internally, the Okta.PowerShell module will encode the filter criteria as /api/v1/groups?filter=lastUpdated+gt+%222015-10-05T00%3a00%3a00.000Z%22.

  • Filter groups by ID
$GroupId = "00g6hmia52o0aTHx35d7"
Invoke-OktaListGroups -Filter "id eq `"$GroupId`""

Note: Notice $GroupId is enclosed in double quotes.

Internally, the Okta.PowerShell module will encode the filter criteria as /api/v1/groups?filter=id+eq+%2200g6hmia52o0aTHx35d7%22.

List groups using the q parameter

Finds a group that matches the name property

Invoke-OktaListGroups -Q "everyone"

Get logs

Since the System Log API requires since and until query params to be ISO 8601 compliant timestamp, make sure to format dates accordingly:

$since = (Get-Date).AddMonths(-6).ToString("yyyy-MM-ddTHH:mm:ssZ")
$until = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-OktaLogs -since $since -until $until

Error Handling

Starting in Okta.PowerShell 2.x series we introduced a new exception called OktaApiException which is thrown when requests to the Okta API result in 4xx/5xx errors. You can catch an OktaApiException and access the Okta API error details. For example, if the API returns a 429 response with the following content: {"errorCode":"E0000047","errorSummary":"API call exceeded rate limit due to too many requests.","errorLink":"E0000047","errorId":"oae6dB62BdhRFCF_9ltxiklFQ","errorCauses":[]}, you can access these details from the exception:

        $Result = Invoke-OktaListApplications
        $_.Exception.StatusCode.Value__ | Should -Be 429;
        $_.Exception.ErrorCode | Should -Be "E0000047"
        $_.Exception.ErrorSummary | Should -Be "API call exceeded rate limit due to too many requests."
        $_.Exception.ErrorLink | Should -Be "E0000047"
        $_.Exception.ErrorId | Should -Be "oae6dB62BdhRFCF_9ltxiklFQ"
        $_.Exception.ErrorCauses | Should -BeNullOrEmpty
        $_.Exception.Headers | Should -Not -Be $null

Rate Limiting

The Okta API will return 429 responses if too many requests are made within a given time. Please see Rate Limiting at Okta for a complete list of which endpoints are rate limited. When a 429 error is received, the X-Rate-Limit-Reset header will tell you the time at which you can retry. This section discusses methods for handling rate limiting with this SDK.

Built-In Retry

The Okta.PowerShell module uses a built-in retry strategy to automatically retry on 429 errors.

You can configure the following options when using the built-in retry strategy:

Configuration Option Description
RequestTimeout The waiting time in milliseconds for a request to be resolved by the client. Less than or equal to 0 means "no timeout". The default value is $null (None).
MaxRetries The number of times to retry.

If the request still fails with a 429 status code after retrying it the specified number of times or if the Okta API returns an Http error other than 429 after retying a request, an OktaApiException will be ultimately thrown.


$Config = Get-OktaConfiguration
$Config.MaxRetries = 2
$Config.RequestTimeout = 6000 

# Invoke your commands as usual
$Result = Invoke-OktaListApplications 

Note: We're happy to accept contributions and PRs! Please see the contribution guide to understand how to structure a contribution.