Okta v6.1.0, Oct 29 25

Okta v6.1.0 published on Wednesday, Oct 29, 2025 by Pulumi

okta.PolicyPasswordDefault

Okta v6.1.0 published on Wednesday, Oct 29, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const _default = new okta.PolicyPasswordDefault("default", {});

import pulumi
import pulumi_okta as okta

default = okta.PolicyPasswordDefault("default")

package main

import (
	"github.com/pulumi/pulumi-okta/sdk/v6/go/okta"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := okta.NewPolicyPasswordDefault(ctx, "default", nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;

return await Deployment.RunAsync(() => 
{
    var @default = new Okta.PolicyPasswordDefault("default");

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.PolicyPasswordDefault;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new PolicyPasswordDefault("default");

    }
}

resources:
  default:
    type: okta:PolicyPasswordDefault

Create PolicyPasswordDefault Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new PolicyPasswordDefault(name: string, args?: PolicyPasswordDefaultArgs, opts?: CustomResourceOptions);

@overload
def PolicyPasswordDefault(resource_name: str,
                          args: Optional[PolicyPasswordDefaultArgs] = None,
                          opts: Optional[ResourceOptions] = None)

@overload
def PolicyPasswordDefault(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          call_recovery: Optional[str] = None,
                          email_recovery: Optional[str] = None,
                          password_auto_unlock_minutes: Optional[int] = None,
                          password_dictionary_lookup: Optional[bool] = None,
                          password_exclude_first_name: Optional[bool] = None,
                          password_exclude_last_name: Optional[bool] = None,
                          password_exclude_username: Optional[bool] = None,
                          password_expire_warn_days: Optional[int] = None,
                          password_history_count: Optional[int] = None,
                          password_lockout_notification_channels: Optional[Sequence[str]] = None,
                          password_max_age_days: Optional[int] = None,
                          password_max_lockout_attempts: Optional[int] = None,
                          password_min_age_minutes: Optional[int] = None,
                          password_min_length: Optional[int] = None,
                          password_min_lowercase: Optional[int] = None,
                          password_min_number: Optional[int] = None,
                          password_min_symbol: Optional[int] = None,
                          password_min_uppercase: Optional[int] = None,
                          password_show_lockout_failures: Optional[bool] = None,
                          question_min_length: Optional[int] = None,
                          question_recovery: Optional[str] = None,
                          recovery_email_token: Optional[int] = None,
                          skip_unlock: Optional[bool] = None,
                          sms_recovery: Optional[str] = None)

func NewPolicyPasswordDefault(ctx *Context, name string, args *PolicyPasswordDefaultArgs, opts ...ResourceOption) (*PolicyPasswordDefault, error)

public PolicyPasswordDefault(string name, PolicyPasswordDefaultArgs? args = null, CustomResourceOptions? opts = null)

public PolicyPasswordDefault(String name, PolicyPasswordDefaultArgs args)
public PolicyPasswordDefault(String name, PolicyPasswordDefaultArgs args, CustomResourceOptions options)

type: okta:PolicyPasswordDefault
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PolicyPasswordDefaultArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PolicyPasswordDefaultArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyPasswordDefaultArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyPasswordDefaultArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PolicyPasswordDefaultArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var policyPasswordDefaultResource = new Okta.PolicyPasswordDefault("policyPasswordDefaultResource", new()
{
    CallRecovery = "string",
    EmailRecovery = "string",
    PasswordAutoUnlockMinutes = 0,
    PasswordDictionaryLookup = false,
    PasswordExcludeFirstName = false,
    PasswordExcludeLastName = false,
    PasswordExcludeUsername = false,
    PasswordExpireWarnDays = 0,
    PasswordHistoryCount = 0,
    PasswordLockoutNotificationChannels = new[]
    {
        "string",
    },
    PasswordMaxAgeDays = 0,
    PasswordMaxLockoutAttempts = 0,
    PasswordMinAgeMinutes = 0,
    PasswordMinLength = 0,
    PasswordMinLowercase = 0,
    PasswordMinNumber = 0,
    PasswordMinSymbol = 0,
    PasswordMinUppercase = 0,
    PasswordShowLockoutFailures = false,
    QuestionMinLength = 0,
    QuestionRecovery = "string",
    RecoveryEmailToken = 0,
    SkipUnlock = false,
    SmsRecovery = "string",
});

example, err := okta.NewPolicyPasswordDefault(ctx, "policyPasswordDefaultResource", &okta.PolicyPasswordDefaultArgs{
	CallRecovery:              pulumi.String("string"),
	EmailRecovery:             pulumi.String("string"),
	PasswordAutoUnlockMinutes: pulumi.Int(0),
	PasswordDictionaryLookup:  pulumi.Bool(false),
	PasswordExcludeFirstName:  pulumi.Bool(false),
	PasswordExcludeLastName:   pulumi.Bool(false),
	PasswordExcludeUsername:   pulumi.Bool(false),
	PasswordExpireWarnDays:    pulumi.Int(0),
	PasswordHistoryCount:      pulumi.Int(0),
	PasswordLockoutNotificationChannels: pulumi.StringArray{
		pulumi.String("string"),
	},
	PasswordMaxAgeDays:          pulumi.Int(0),
	PasswordMaxLockoutAttempts:  pulumi.Int(0),
	PasswordMinAgeMinutes:       pulumi.Int(0),
	PasswordMinLength:           pulumi.Int(0),
	PasswordMinLowercase:        pulumi.Int(0),
	PasswordMinNumber:           pulumi.Int(0),
	PasswordMinSymbol:           pulumi.Int(0),
	PasswordMinUppercase:        pulumi.Int(0),
	PasswordShowLockoutFailures: pulumi.Bool(false),
	QuestionMinLength:           pulumi.Int(0),
	QuestionRecovery:            pulumi.String("string"),
	RecoveryEmailToken:          pulumi.Int(0),
	SkipUnlock:                  pulumi.Bool(false),
	SmsRecovery:                 pulumi.String("string"),
})

var policyPasswordDefaultResource = new PolicyPasswordDefault("policyPasswordDefaultResource", PolicyPasswordDefaultArgs.builder()
    .callRecovery("string")
    .emailRecovery("string")
    .passwordAutoUnlockMinutes(0)
    .passwordDictionaryLookup(false)
    .passwordExcludeFirstName(false)
    .passwordExcludeLastName(false)
    .passwordExcludeUsername(false)
    .passwordExpireWarnDays(0)
    .passwordHistoryCount(0)
    .passwordLockoutNotificationChannels("string")
    .passwordMaxAgeDays(0)
    .passwordMaxLockoutAttempts(0)
    .passwordMinAgeMinutes(0)
    .passwordMinLength(0)
    .passwordMinLowercase(0)
    .passwordMinNumber(0)
    .passwordMinSymbol(0)
    .passwordMinUppercase(0)
    .passwordShowLockoutFailures(false)
    .questionMinLength(0)
    .questionRecovery("string")
    .recoveryEmailToken(0)
    .skipUnlock(false)
    .smsRecovery("string")
    .build());

policy_password_default_resource = okta.PolicyPasswordDefault("policyPasswordDefaultResource",
    call_recovery="string",
    email_recovery="string",
    password_auto_unlock_minutes=0,
    password_dictionary_lookup=False,
    password_exclude_first_name=False,
    password_exclude_last_name=False,
    password_exclude_username=False,
    password_expire_warn_days=0,
    password_history_count=0,
    password_lockout_notification_channels=["string"],
    password_max_age_days=0,
    password_max_lockout_attempts=0,
    password_min_age_minutes=0,
    password_min_length=0,
    password_min_lowercase=0,
    password_min_number=0,
    password_min_symbol=0,
    password_min_uppercase=0,
    password_show_lockout_failures=False,
    question_min_length=0,
    question_recovery="string",
    recovery_email_token=0,
    skip_unlock=False,
    sms_recovery="string")

const policyPasswordDefaultResource = new okta.PolicyPasswordDefault("policyPasswordDefaultResource", {
    callRecovery: "string",
    emailRecovery: "string",
    passwordAutoUnlockMinutes: 0,
    passwordDictionaryLookup: false,
    passwordExcludeFirstName: false,
    passwordExcludeLastName: false,
    passwordExcludeUsername: false,
    passwordExpireWarnDays: 0,
    passwordHistoryCount: 0,
    passwordLockoutNotificationChannels: ["string"],
    passwordMaxAgeDays: 0,
    passwordMaxLockoutAttempts: 0,
    passwordMinAgeMinutes: 0,
    passwordMinLength: 0,
    passwordMinLowercase: 0,
    passwordMinNumber: 0,
    passwordMinSymbol: 0,
    passwordMinUppercase: 0,
    passwordShowLockoutFailures: false,
    questionMinLength: 0,
    questionRecovery: "string",
    recoveryEmailToken: 0,
    skipUnlock: false,
    smsRecovery: "string",
});

type: okta:PolicyPasswordDefault
properties:
    callRecovery: string
    emailRecovery: string
    passwordAutoUnlockMinutes: 0
    passwordDictionaryLookup: false
    passwordExcludeFirstName: false
    passwordExcludeLastName: false
    passwordExcludeUsername: false
    passwordExpireWarnDays: 0
    passwordHistoryCount: 0
    passwordLockoutNotificationChannels:
        - string
    passwordMaxAgeDays: 0
    passwordMaxLockoutAttempts: 0
    passwordMinAgeMinutes: 0
    passwordMinLength: 0
    passwordMinLowercase: 0
    passwordMinNumber: 0
    passwordMinSymbol: 0
    passwordMinUppercase: 0
    passwordShowLockoutFailures: false
    questionMinLength: 0
    questionRecovery: string
    recoveryEmailToken: 0
    skipUnlock: false
    smsRecovery: string

PolicyPasswordDefault Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PolicyPasswordDefault resource accepts the following input properties:

CallRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
EmailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
PasswordAutoUnlockMinutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
PasswordDictionaryLookup bool: Check Passwords Against Common Password Dictionary. Default: false
PasswordExcludeFirstName bool: User firstName attribute must be excluded from the password
PasswordExcludeLastName bool: User lastName attribute must be excluded from the password
PasswordExcludeUsername bool: If the user name must be excluded from the password. Default: true
PasswordExpireWarnDays int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
PasswordHistoryCount int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
PasswordLockoutNotificationChannels List<string>: Notification channels to use to notify a user when their account has been locked.
PasswordMaxAgeDays int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
PasswordMaxLockoutAttempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
PasswordMinAgeMinutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
PasswordMinLength int: Minimum password length. Default is 8.
PasswordMinLowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
PasswordMinNumber int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
PasswordMinSymbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
PasswordMinUppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
PasswordShowLockoutFailures bool: If a user should be informed when their account is locked. Default: false
QuestionMinLength int: Min length of the password recovery question answer. Default: 4
QuestionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
RecoveryEmailToken int: Lifetime in minutes of the recovery email token. Default: 60
SkipUnlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
SmsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

CallRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
EmailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
PasswordAutoUnlockMinutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
PasswordDictionaryLookup bool: Check Passwords Against Common Password Dictionary. Default: false
PasswordExcludeFirstName bool: User firstName attribute must be excluded from the password
PasswordExcludeLastName bool: User lastName attribute must be excluded from the password
PasswordExcludeUsername bool: If the user name must be excluded from the password. Default: true
PasswordExpireWarnDays int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
PasswordHistoryCount int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
PasswordLockoutNotificationChannels []string: Notification channels to use to notify a user when their account has been locked.
PasswordMaxAgeDays int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
PasswordMaxLockoutAttempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
PasswordMinAgeMinutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
PasswordMinLength int: Minimum password length. Default is 8.
PasswordMinLowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
PasswordMinNumber int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
PasswordMinSymbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
PasswordMinUppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
PasswordShowLockoutFailures bool: If a user should be informed when their account is locked. Default: false
QuestionMinLength int: Min length of the password recovery question answer. Default: 4
QuestionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
RecoveryEmailToken int: Lifetime in minutes of the recovery email token. Default: 60
SkipUnlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
SmsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

callRecovery String: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
emailRecovery String: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
passwordAutoUnlockMinutes Integer: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup Boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName Boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName Boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername Boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays Integer: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount Integer: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels List<String>: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays Integer: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts Integer: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes Integer: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength Integer: Minimum password length. Default is 8.
passwordMinLowercase Integer: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber Integer: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol Integer: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase Integer: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures Boolean: If a user should be informed when their account is locked. Default: false
questionMinLength Integer: Min length of the password recovery question answer. Default: 4
questionRecovery String: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken Integer: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock Boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery String: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

callRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
emailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
passwordAutoUnlockMinutes number: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays number: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount number: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels string[]: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays number: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts number: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes number: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength number: Minimum password length. Default is 8.
passwordMinLowercase number: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber number: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol number: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase number: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures boolean: If a user should be informed when their account is locked. Default: false
questionMinLength number: Min length of the password recovery question answer. Default: 4
questionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken number: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

call_recovery str: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
email_recovery str: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
password_auto_unlock_minutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
password_dictionary_lookup bool: Check Passwords Against Common Password Dictionary. Default: false
password_exclude_first_name bool: User firstName attribute must be excluded from the password
password_exclude_last_name bool: User lastName attribute must be excluded from the password
password_exclude_username bool: If the user name must be excluded from the password. Default: true
password_expire_warn_days int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
password_history_count int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
password_lockout_notification_channels Sequence[str]: Notification channels to use to notify a user when their account has been locked.
password_max_age_days int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
password_max_lockout_attempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
password_min_age_minutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
password_min_length int: Minimum password length. Default is 8.
password_min_lowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
password_min_number int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
password_min_symbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
password_min_uppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
password_show_lockout_failures bool: If a user should be informed when their account is locked. Default: false
question_min_length int: Min length of the password recovery question answer. Default: 4
question_recovery str: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recovery_email_token int: Lifetime in minutes of the recovery email token. Default: 60
skip_unlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
sms_recovery str: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

callRecovery String: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
emailRecovery String: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
passwordAutoUnlockMinutes Number: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup Boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName Boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName Boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername Boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays Number: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount Number: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels List<String>: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays Number: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts Number: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes Number: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength Number: Minimum password length. Default is 8.
passwordMinLowercase Number: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber Number: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol Number: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase Number: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures Boolean: If a user should be informed when their account is locked. Default: false
questionMinLength Number: Min length of the password recovery question answer. Default: 4
questionRecovery String: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken Number: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock Boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery String: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE

Outputs

All input properties are implicitly available as output properties. Additionally, the PolicyPasswordDefault resource produces the following output properties:

DefaultAuthProvider string: Default Authentication Provider
DefaultIncludedGroupId string: Default group ID (always included)
Description string: Default policy description
Id string: The provider-assigned unique ID for this managed resource.
Name string: Default policy name
Priority int: Default policy priority
Status string: Default policy status

DefaultAuthProvider string: Default Authentication Provider
DefaultIncludedGroupId string: Default group ID (always included)
Description string: Default policy description
Id string: The provider-assigned unique ID for this managed resource.
Name string: Default policy name
Priority int: Default policy priority
Status string: Default policy status

defaultAuthProvider String: Default Authentication Provider
defaultIncludedGroupId String: Default group ID (always included)
description String: Default policy description
id String: The provider-assigned unique ID for this managed resource.
name String: Default policy name
priority Integer: Default policy priority
status String: Default policy status

defaultAuthProvider string: Default Authentication Provider
defaultIncludedGroupId string: Default group ID (always included)
description string: Default policy description
id string: The provider-assigned unique ID for this managed resource.
name string: Default policy name
priority number: Default policy priority
status string: Default policy status

default_auth_provider str: Default Authentication Provider
default_included_group_id str: Default group ID (always included)
description str: Default policy description
id str: The provider-assigned unique ID for this managed resource.
name str: Default policy name
priority int: Default policy priority
status str: Default policy status

defaultAuthProvider String: Default Authentication Provider
defaultIncludedGroupId String: Default group ID (always included)
description String: Default policy description
id String: The provider-assigned unique ID for this managed resource.
name String: Default policy name
priority Number: Default policy priority
status String: Default policy status

Look up Existing PolicyPasswordDefault Resource

Get an existing PolicyPasswordDefault resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PolicyPasswordDefaultState, opts?: CustomResourceOptions): PolicyPasswordDefault

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        call_recovery: Optional[str] = None,
        default_auth_provider: Optional[str] = None,
        default_included_group_id: Optional[str] = None,
        description: Optional[str] = None,
        email_recovery: Optional[str] = None,
        name: Optional[str] = None,
        password_auto_unlock_minutes: Optional[int] = None,
        password_dictionary_lookup: Optional[bool] = None,
        password_exclude_first_name: Optional[bool] = None,
        password_exclude_last_name: Optional[bool] = None,
        password_exclude_username: Optional[bool] = None,
        password_expire_warn_days: Optional[int] = None,
        password_history_count: Optional[int] = None,
        password_lockout_notification_channels: Optional[Sequence[str]] = None,
        password_max_age_days: Optional[int] = None,
        password_max_lockout_attempts: Optional[int] = None,
        password_min_age_minutes: Optional[int] = None,
        password_min_length: Optional[int] = None,
        password_min_lowercase: Optional[int] = None,
        password_min_number: Optional[int] = None,
        password_min_symbol: Optional[int] = None,
        password_min_uppercase: Optional[int] = None,
        password_show_lockout_failures: Optional[bool] = None,
        priority: Optional[int] = None,
        question_min_length: Optional[int] = None,
        question_recovery: Optional[str] = None,
        recovery_email_token: Optional[int] = None,
        skip_unlock: Optional[bool] = None,
        sms_recovery: Optional[str] = None,
        status: Optional[str] = None) -> PolicyPasswordDefault

func GetPolicyPasswordDefault(ctx *Context, name string, id IDInput, state *PolicyPasswordDefaultState, opts ...ResourceOption) (*PolicyPasswordDefault, error)

public static PolicyPasswordDefault Get(string name, Input<string> id, PolicyPasswordDefaultState? state, CustomResourceOptions? opts = null)

public static PolicyPasswordDefault get(String name, Output<String> id, PolicyPasswordDefaultState state, CustomResourceOptions options)

resources:  _:    type: okta:PolicyPasswordDefault    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CallRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
DefaultAuthProvider string: Default Authentication Provider
DefaultIncludedGroupId string: Default group ID (always included)
Description string: Default policy description
EmailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
Name string: Default policy name
PasswordAutoUnlockMinutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
PasswordDictionaryLookup bool: Check Passwords Against Common Password Dictionary. Default: false
PasswordExcludeFirstName bool: User firstName attribute must be excluded from the password
PasswordExcludeLastName bool: User lastName attribute must be excluded from the password
PasswordExcludeUsername bool: If the user name must be excluded from the password. Default: true
PasswordExpireWarnDays int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
PasswordHistoryCount int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
PasswordLockoutNotificationChannels List<string>: Notification channels to use to notify a user when their account has been locked.
PasswordMaxAgeDays int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
PasswordMaxLockoutAttempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
PasswordMinAgeMinutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
PasswordMinLength int: Minimum password length. Default is 8.
PasswordMinLowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
PasswordMinNumber int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
PasswordMinSymbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
PasswordMinUppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
PasswordShowLockoutFailures bool: If a user should be informed when their account is locked. Default: false
Priority int: Default policy priority
QuestionMinLength int: Min length of the password recovery question answer. Default: 4
QuestionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
RecoveryEmailToken int: Lifetime in minutes of the recovery email token. Default: 60
SkipUnlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
SmsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
Status string: Default policy status

CallRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
DefaultAuthProvider string: Default Authentication Provider
DefaultIncludedGroupId string: Default group ID (always included)
Description string: Default policy description
EmailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
Name string: Default policy name
PasswordAutoUnlockMinutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
PasswordDictionaryLookup bool: Check Passwords Against Common Password Dictionary. Default: false
PasswordExcludeFirstName bool: User firstName attribute must be excluded from the password
PasswordExcludeLastName bool: User lastName attribute must be excluded from the password
PasswordExcludeUsername bool: If the user name must be excluded from the password. Default: true
PasswordExpireWarnDays int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
PasswordHistoryCount int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
PasswordLockoutNotificationChannels []string: Notification channels to use to notify a user when their account has been locked.
PasswordMaxAgeDays int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
PasswordMaxLockoutAttempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
PasswordMinAgeMinutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
PasswordMinLength int: Minimum password length. Default is 8.
PasswordMinLowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
PasswordMinNumber int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
PasswordMinSymbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
PasswordMinUppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
PasswordShowLockoutFailures bool: If a user should be informed when their account is locked. Default: false
Priority int: Default policy priority
QuestionMinLength int: Min length of the password recovery question answer. Default: 4
QuestionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
RecoveryEmailToken int: Lifetime in minutes of the recovery email token. Default: 60
SkipUnlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
SmsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
Status string: Default policy status

callRecovery String: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
defaultAuthProvider String: Default Authentication Provider
defaultIncludedGroupId String: Default group ID (always included)
description String: Default policy description
emailRecovery String: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
name String: Default policy name
passwordAutoUnlockMinutes Integer: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup Boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName Boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName Boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername Boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays Integer: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount Integer: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels List<String>: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays Integer: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts Integer: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes Integer: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength Integer: Minimum password length. Default is 8.
passwordMinLowercase Integer: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber Integer: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol Integer: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase Integer: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures Boolean: If a user should be informed when their account is locked. Default: false
priority Integer: Default policy priority
questionMinLength Integer: Min length of the password recovery question answer. Default: 4
questionRecovery String: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken Integer: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock Boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery String: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
status String: Default policy status

callRecovery string: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
defaultAuthProvider string: Default Authentication Provider
defaultIncludedGroupId string: Default group ID (always included)
description string: Default policy description
emailRecovery string: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
name string: Default policy name
passwordAutoUnlockMinutes number: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays number: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount number: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels string[]: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays number: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts number: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes number: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength number: Minimum password length. Default is 8.
passwordMinLowercase number: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber number: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol number: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase number: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures boolean: If a user should be informed when their account is locked. Default: false
priority number: Default policy priority
questionMinLength number: Min length of the password recovery question answer. Default: 4
questionRecovery string: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken number: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery string: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
status string: Default policy status

call_recovery str: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
default_auth_provider str: Default Authentication Provider
default_included_group_id str: Default group ID (always included)
description str: Default policy description
email_recovery str: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
name str: Default policy name
password_auto_unlock_minutes int: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
password_dictionary_lookup bool: Check Passwords Against Common Password Dictionary. Default: false
password_exclude_first_name bool: User firstName attribute must be excluded from the password
password_exclude_last_name bool: User lastName attribute must be excluded from the password
password_exclude_username bool: If the user name must be excluded from the password. Default: true
password_expire_warn_days int: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
password_history_count int: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
password_lockout_notification_channels Sequence[str]: Notification channels to use to notify a user when their account has been locked.
password_max_age_days int: Length in days a password is valid before expiry: 0 = no limit. Default: 0
password_max_lockout_attempts int: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
password_min_age_minutes int: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
password_min_length int: Minimum password length. Default is 8.
password_min_lowercase int: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
password_min_number int: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
password_min_symbol int: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
password_min_uppercase int: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
password_show_lockout_failures bool: If a user should be informed when their account is locked. Default: false
priority int: Default policy priority
question_min_length int: Min length of the password recovery question answer. Default: 4
question_recovery str: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recovery_email_token int: Lifetime in minutes of the recovery email token. Default: 60
skip_unlock bool: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
sms_recovery str: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
status str: Default policy status

callRecovery String: Enable or disable voice call recovery: ACTIVE or INACTIVE. Default: INACTIVE
defaultAuthProvider String: Default Authentication Provider
defaultIncludedGroupId String: Default group ID (always included)
description String: Default policy description
emailRecovery String: Enable or disable email password recovery: ACTIVE or INACTIVE. Default: ACTIVE
name String: Default policy name
passwordAutoUnlockMinutes Number: Number of minutes before a locked account is unlocked: 0 = no limit. Default: 0
passwordDictionaryLookup Boolean: Check Passwords Against Common Password Dictionary. Default: false
passwordExcludeFirstName Boolean: User firstName attribute must be excluded from the password
passwordExcludeLastName Boolean: User lastName attribute must be excluded from the password
passwordExcludeUsername Boolean: If the user name must be excluded from the password. Default: true
passwordExpireWarnDays Number: Length in days a user will be warned before password expiry: 0 = no warning. Default: 0
passwordHistoryCount Number: Number of distinct passwords that must be created before they can be reused: 0 = none. Default: 4
passwordLockoutNotificationChannels List<String>: Notification channels to use to notify a user when their account has been locked.
passwordMaxAgeDays Number: Length in days a password is valid before expiry: 0 = no limit. Default: 0
passwordMaxLockoutAttempts Number: Number of unsuccessful login attempts allowed before lockout: 0 = no limit. Default: 10
passwordMinAgeMinutes Number: Minimum time interval in minutes between password changes: 0 = no limit. Default: 0
passwordMinLength Number: Minimum password length. Default is 8.
passwordMinLowercase Number: If a password must contain at least one lower case letter: 0 = no, 1 = yes. Default = 1
passwordMinNumber Number: If a password must contain at least one number: 0 = no, 1 = yes. Default = 1
passwordMinSymbol Number: If a password must contain at least one symbol (!@#$%^&*): 0 = no, 1 = yes. Default = 0
passwordMinUppercase Number: If a password must contain at least one upper case letter: 0 = no, 1 = yes. Default = 1
passwordShowLockoutFailures Boolean: If a user should be informed when their account is locked. Default: false
priority Number: Default policy priority
questionMinLength Number: Min length of the password recovery question answer. Default: 4
questionRecovery String: Enable or disable security question password recovery: ACTIVE or INACTIVE. Default: ACTIVE
recoveryEmailToken Number: Lifetime in minutes of the recovery email token. Default: 60
skipUnlock Boolean: When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user's Windows account. Default: false
smsRecovery String: Enable or disable SMS password recovery: ACTIVE or INACTIVE. Default: INACTIVE
status String: Default policy status

Import

$ pulumi import okta:index/policyPasswordDefault:PolicyPasswordDefault example .

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Okta pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

Okta v6.1.0 published on Wednesday, Oct 29, 2025 by Pulumi

pulumi/pulumi-okta

okta.PolicyPasswordDefault

On this page

On this page

Example Usage

Create PolicyPasswordDefault Resource

Constructor syntax

Parameters

Constructor example

PolicyPasswordDefault Resource Properties

Inputs

Outputs

Look up Existing PolicyPasswordDefault Resource

Import

Package Details

On this page

On this page