The Okta Administration Manager (OAM) allows sys admins to perform REST API calls to Okta from the command line. It also has the ability to perform bulk operations by pulling information from a CSV.
- Users API
- Groups API
- Download oam.py, config.json, and requirements.txt
- Install required packages listed in requirements.txt
pip install -r requirements.txt
- Log in to Okta as an Administrator with permissions to generate API keys. See full instructions here: Create an API Token
- Copy your token and paste it in the config.json file for "apiToken".
- Set the "orgURL", in config.json, to the URL for your Okta domain (Example: "https://acme.okta.com").
- Save/close config.json
- Test your setup. The easiest way is to search for a user using the 'find' command.
python oam.py user [email protected] find
If you get the user's profile, as a json response, in the command window, then you're ready to rock-n-roll!
Syntax may be viewed using the help flag: python oam.py -h
The main command has two optional arguments:
--site [site_name]
Used to define which Okta instance to call. See Multi-Site configuration setup, below.
--csv [filename]
When the csv argument is used the program will pull in data from the indicated csv file based on the values prefaced with a ~ in your command.
Example Command:
python oam.py --csv test.csv user ~email update --profile primaryPhone ~phone mobilePhone ~cellphone
This command loops through each record in test.csv and replaces the ~email, ~phone, and ~cellphone variables with the values from the columns of the same name.
Example CSV file:
userID,email,phone,cellphone
1,"[email protected]","111-111-1111","222-222-2222"
2,"[email protected]","333-333-3333","444-444-4444"
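A dry-run sketch of the ~column substitution described above, useful for reviewing what a bulk run would send before any account is changed. This is an added example, not code from oam.py; the function names, the sample addresses, and the checks for unknown columns and empty cells are assumptions made here.

```python
import csv
import io
import shlex

# Constructed sample data (addresses are placeholders, not from the page).
SAMPLE_CSV = """userID,email,phone,cellphone
1,"alice@example.com","111-111-1111","222-222-2222"
2,"bob@example.com","333-333-3333","444-444-4444"
"""
COMMAND = "user ~email update --profile primaryPhone ~phone mobilePhone ~cellphone"


def expand_rows(argv, csv_text):
    """Return one expanded argument list per CSV record.

    Each argument starting with '~' is replaced by the value in the column
    of the same name. Unknown columns and empty cells raise instead of
    letting a literal '~name' or a blank value reach the API.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = reader.fieldnames or []
    missing = [a for a in argv if a.startswith("~") and a[1:] not in columns]
    if missing:
        raise KeyError("no CSV column for: " + ", ".join(missing))
    expanded = []
    for row in reader:
        args = []
        for arg in argv:
            if arg.startswith("~"):
                value = (row[arg[1:]] or "").strip()
                if not value:
                    raise ValueError(f"CSV line {reader.line_num}: empty {arg}")
                arg = value
            args.append(arg)
        expanded.append(args)
    return expanded


def preview(command=COMMAND, csv_text=SAMPLE_CSV):
    """Render each expanded command as a shell-quoted string for review."""
    return [shlex.join(args) for args in expand_rows(shlex.split(command), csv_text)]


if __name__ == "__main__":
    for line in preview():
        print("python oam.py", line)
```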
The user command will perform actions against a single user. The user command has two required, positional arguments:
- Username: Okta username of the target user
- Action: The command action you wish to perform. The following actions are currently supported:
- find - Returns the full user profile for Username as json in command window
- appLinks - Get Assigned App Links
- groups - Get Member Groups
- delete - Delete User
- clear_user_sessions - Clear User Sessions
- forgot_password - Forgot Password. The --sendEmail flag will return true and send the user an email notification
- reset_password - Reset Password. The --sendEmail flag will return true and send the user an email notification
- setTempPassword - Set Temporary Password. Sends the user a temporary password via email
- deactivate - Deactivate User
- unlock - Unlock User
- expire_password - Expire Password. Expires password and does NOT send the user a temporary password in email
- suspend - Suspend User
- reset_factors - Reset Factors
- unsuspend - Unsuspend User
- setPassword - Set User Password. The --password flag is used to provide the password value
- setQuestion - Set Recovery Question & Answer. The --question and --answer flags are used to provide the desired question and answer values
- update - Update Profile. The --profile flag allows for sending attribute: value pairs. The attribute, as it is shown in Okta, should be listed first, and the value you wish to send second. Example:
user foo.bar update --profile email [email protected] city Lawrence state KS
- create - Create User. --firstName & --lastName are required and the Username value is used for the login attribute value. Optional arguments for the create action are:
- --email - Specify email address for the user. If not specified, email is set to the same as the login value.
- --activate - Activate the user after creation
- --password - Specify a password for the new user
- --question - Specify a security question for the new user
- --answer - Specify a security answer for the new user
The group command will perform actions against a single group. The group command has two required, positional arguments:
- Group Name: Okta group name of the target group
- Action: The command action you wish to perform. The following actions are currently supported:
- create - Add Group. --description is optional and provides the description value for the group
group NewGroup create --description "This is my new group"
- update - Update Group. --description is optional and provides the description value for the group
- listUsers - List Group Members. Returns list of users in the specified group as json in command window (limit of 10,000 users)
- addUser - Add User to Group. --user is required and provides the login of the user you wish to add to the group
group MyGroup addUser --user [email protected]
- removeUser - Remove User from Group. --user is required and provides the login of the user you wish to remove from the group
- delete - Remove Group. Prompts for confirmation.
The config.json file can store multiple Okta sites and API tokens, such as your keys for the okta and oktapreview sites. To set up multi-site:
- Set the MULTI_SITE variable in oam.py equal to 1.
- Update the config.json as follows:
{"prod":{"apiToken":"0987654321", "orgURL":"https://acme.okta.com"},"preview":{"apiToken":"1234567890", "orgURL":"https://acme.oktapreview.com"}}
The site names you specify (prod and preview in the above example) are then what you will need to provide to the --site argument each time you perform a command. Example:
python oam.py --site prod user foo.bar find
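Because config.json holds administrator API tokens in plain text, a pre-flight check of the file is worth running after the setup steps and after any multi-site change. The following is an added example, not part of oam.py: check_site and check_config are hypothetical helpers, and the single-site layout (top-level "apiToken" and "orgURL" keys) is assumed from the setup steps.

```python
import json
import os
import stat
from urllib.parse import urlsplit


def check_site(name, site):
    """Return a list of problems for one site entry."""
    problems = []
    token = site.get("apiToken", "")
    if not isinstance(token, str) or not token.strip():
        problems.append(f"{name}: apiToken is empty")
    url = urlsplit(str(site.get("orgURL", "")))
    # Plain http would send the API token over the network in cleartext.
    if url.scheme != "https" or not url.hostname:
        problems.append(f"{name}: orgURL must be an https:// URL")
    return problems


def check_config(path):
    """Check file permissions and every site entry in config.json."""
    problems = []
    mode = os.stat(path).st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"file mode {stat.S_IMODE(mode):o} lets other users read the token; use 600"
        )
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if "apiToken" in cfg or "orgURL" in cfg:
        # Assumed single-site layout: both keys at the top level.
        problems += check_site("default", cfg)
    else:
        # Multi-site layout from the page: {"prod": {...}, "preview": {...}}
        for name, site in cfg.items():
            if not isinstance(site, dict):
                problems.append(f"{name}: expected an object with apiToken and orgURL")
                continue
            problems += check_site(name, site)
    return problems


if __name__ == "__main__":
    for problem in check_config("config.json"):
        print("config.json:", problem)
```

An empty result means the file passed; keeping config.json out of version control is a separate step this check does not cover.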