Omer Barel

Utilizing Powershell for user reporting and modification

Hello
I would like to export all user data, including all attributes, to a .csv
Specifically, I need the employeeNumber field in OKTA.
Any way to accomplish that via the GUI / PowerShell / API?
Any method is acceptable as long as I can get some guidance on how to achieve that (I'm not an API / Powershell guru...)

Also,
Is there any way I can modify the employeenumber in bulk? I'm thinking about exporting all users with their current login & employeenumber, changing the employeenumber and then importing it back, using the current login as the anchor.

Thank you,

Omer
api-workday api-workday
Hi Omer,

If you are comfortable with PowerShell this is certainly feasible through the API. This (and things like it) is one of the reasons I ended up writing a PowerShell wrapper for the API. The number of ways I've needed to be able to perform bulk updates and transformations on users is diverse.

To accomplish this, start by installing and configuring my PowerShell module: https://github.com/mbegan/Okta-PSModule

There are instructions for configuration in the GitHub repository, but feel free to ask for clarification here.

Once configured you can retrieve a full list of your users, dump it out to a csv, update the csv and then read the file back in and update the okta users based on the data in the csv.

Step 1: Retrieve a list of users and export the relevant information to CSV.

# Pull every user from the org configured as "prod" in the module settings
$users = oktaListUsers -oOrg prod
$toexport = New-Object System.Collections.ArrayList

foreach ($u in $users)
{
    # One CSV row per user; newEmployeeNumber is left blank to be filled in by hand
    $line = @{
              oktaid = $u.id
              login = $u.profile.login
              employeeNumber = $u.profile.employeeNumber
              newEmployeeNumber = $null
             }
    $obj = New-Object psobject -Property $line
    [void]$toexport.Add($obj)
}

$toexport | Export-Csv -Path path\to\export.csv -NoTypeInformation

Step 2: Update export.csv (it should have a blank column for newEmployeeNumber).

Step 3: Import the updated CSV file and perform an update on the Okta user.
*For the sake of simplicity, remove rows from the CSV that don't require an update. It saves us from having to write logic to handle it.

$updates = Import-Csv -Path path\to\export.csv

foreach ($update in $updates)
{
    # Fetch the current user so the full profile is sent back with one field changed
    try
    {
        $oktauser = oktaGetUserbyID -oOrg prod -userName $update.oktaid
    }
    catch
    {
        Write-Host "Get resulted in $($_.Exception.Message)" -BackgroundColor Red
        continue
    }
    $oktauser.profile.employeeNumber = $update.newemployeeNumber
    try
    {
        $updated = oktaUpdateUserProfilebyID -oOrg prod -uid $oktauser.id -Profile $oktauser.profile
    }
    catch
    {
        Write-Host "update resulted in $($_.Exception.Message)" -BackgroundColor Red
        continue
    }
    Write-Host "$($updated.profile.login) employeeNumber updated to $($updated.profile.employeeNumber)"
}

Hopefully that helps
-Matt
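
Added example, not part of the original answer or of Okta-PSModule: a pre-flight check of the edited export.csv that can run before Step 3, so blank, unchanged, duplicated or conflicting rows are caught before any profile is written. `Get-EmployeeNumberUpdatePlan` is a hypothetical helper, the sample rows are constructed, and treating one number assigned to two users as an error is an assumption.

```powershell
# Added example (not from the original answer). Get-EmployeeNumberUpdatePlan is a
# hypothetical helper; column names match the export.csv produced in Step 1.
function Get-EmployeeNumberUpdatePlan {
    param([Parameter(Mandatory)][object[]]$Rows)

    # First pass: count how often each Okta ID and each requested number occurs.
    $idCount  = @{}
    $numCount = @{}
    foreach ($r in $Rows) {
        $id  = "$($r.oktaid)".Trim()
        $new = "$($r.newEmployeeNumber)".Trim()
        $idCount[$id] = 1 + [int]$idCount[$id]
        if ($new) { $numCount[$new] = 1 + [int]$numCount[$new] }
    }

    # Second pass: decide per row whether it is safe to send to the API.
    foreach ($r in $Rows) {
        $id  = "$($r.oktaid)".Trim()
        $new = "$($r.newEmployeeNumber)".Trim()
        $old = "$($r.employeeNumber)".Trim()
        $action = 'Update'
        if     (-not $id)               { $action = 'Reject: missing oktaid' }
        elseif ($idCount[$id] -gt 1)    { $action = 'Reject: duplicate oktaid' }
        elseif (-not $new)              { $action = 'Skip: no new value' }
        elseif ($new -eq $old)          { $action = 'Skip: unchanged' }
        # Assumption: an employee number must not be handed to two users.
        elseif ($numCount[$new] -gt 1)  { $action = 'Reject: number assigned twice' }

        [pscustomobject]@{
            oktaid = $id; login = $r.login
            employeeNumber = $old; newEmployeeNumber = $new
            Action = $action
        }
    }
}

# Constructed sample standing in for Import-Csv -Path path\to\export.csv
$sample = @'
oktaid,login,employeeNumber,newEmployeeNumber
00u1constructed,alice@example.com,1001,2001
00u2constructed,bob@example.com,1002,
00u3constructed,carol@example.com,1003,1003
00u4constructed,dave@example.com,1004,2002
00u5constructed,erin@example.com,1005,2002
'@ | ConvertFrom-Csv

$plan = Get-EmployeeNumberUpdatePlan -Rows $sample
$plan | Format-Table -AutoSize
$toUpdate = $plan | Where-Object Action -eq 'Update'
```

Only the rows in `$toUpdate` would then be passed to the Step 3 loop; the rest of `$plan` serves as a record of what was skipped or rejected and why.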
Omer Barel
Hi Matt
I tried to run the update script on my OKTA test instance and I got the following error:

 update resulted in E0000023 : Operation failed because user profile is mastered under another system
api-workday api-workday
Hi Omer,

Are these accounts AD mastered? If so, do you have write privileges to the associated AD accounts?

A similar process would accomplish this using the ActiveDirectory PowerShell module, and the updates to Active Directory would propagate to Okta based on the sync schedule.

-Matt
Omer Barel
Hi

The accounts are AD-mastered. The OKTA service account we use has write privileges to AD.
I will update via AD and propagate to OKTA, but I wanted to test both scenarios.
Any idea why it might fail via OKTA?

Thanks,

Omer
api-workday api-workday
Hi Omer,

The reason Okta rejects the updates to the Okta user profile is because it views AD as the profile master and Okta is entirely subordinate to AD.

I tend to forget that I have a bit of a deviation in my setup from most people. In my org AD is subordinate to Okta as I have my HR system provisioning accounts in Okta and pushing the accounts and all profile updates downstream.

-Matt

 
Nic Ainscow
Hi Matt
I'm trying to export out a list of users which includes a custom field. This field is a String Array which when exported advises System.Object[] rather than the contents.

If I run ListUsers via PostMan I can see the String Array contents?
My preference is to have PowerScript to export to file as enduser admins could run.
Any help here appreciated.

Nic
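
Added example, not part of the original thread or of Okta-PSModule: Export-Csv writes each property by calling ToString() on it, which for an array yields `System.Object[]`, so array-valued profile attributes have to be joined into one string before export. `ConvertTo-FlatRow` is a hypothetical helper, and the `costCenters` attribute and user objects are constructed stand-ins for what `oktaListUsers` returns.

```powershell
# Added example (not from the original thread). ConvertTo-FlatRow is a hypothetical helper.
function ConvertTo-FlatRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,
        [string]$Delimiter = ';'
    )
    process {
        $row = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            # Strings are enumerable too, so exclude them; join every other collection.
            if ($v -is [System.Collections.IEnumerable] -and $v -isnot [string]) {
                $v = ($v | ForEach-Object { "$_" }) -join $Delimiter
            }
            $row[$p.Name] = $v
        }
        [pscustomobject]$row
    }
}

# Constructed sample shaped like user objects with a string-array custom attribute.
$users = @(
    [pscustomobject]@{ id = '00u1constructed'; profile = [pscustomobject]@{
        login = 'alice@example.com'; employeeNumber = '1001'; costCenters = @('CC-10', 'CC-20') } }
    [pscustomobject]@{ id = '00u2constructed'; profile = [pscustomobject]@{
        login = 'bob@example.com'; employeeNumber = '1002'; costCenters = @() } }
)

# Without flattening, the costCenters column reads System.Object[].
$users | ForEach-Object { $_.profile } | ConvertTo-Csv -NoTypeInformation

# With flattening, the array contents are written as one delimited cell.
$users | ForEach-Object { $_.profile | ConvertTo-FlatRow } | ConvertTo-Csv -NoTypeInformation
```

Replacing `ConvertTo-Csv` with `Export-Csv -Path path\to\export.csv` writes the same rows to a file; pick a delimiter that cannot occur inside the attribute values.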
Yuvraj Kukar (Admin)
I tried running the same powershell module but I am getting http response exception:

PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Okta-PSModule-master> oktaListUsers -oOrg prev
VERBOSE: GET https://dev-2130-admin.oktapreview.com/api/v1/users?limit=500 with 0-byte payload
WARNING: Unable to find type [Microsoft.PowerShell.Commands.HttpResponseException].
WARNING: Encountered error, returning limited or empty set


Please help