It sounds great, but there is one major downside of having app-managed groups (imported from integrated applications).

This re-authentication interval overrides the,

Contains a single Boolean property that indicates whether,

A display-friendly label for this property.

For more information on this endpoint, see Get all claims. The ${authorizationServerId} for the default server is default.

"conditions": {

When a Policy needs to be retrieved for a particular user, for example when the user attempts to sign in to Okta or initiates a self-service operation, a Policy evaluation takes place.

"description": "The default policy applies in all situations if no other policy applies."

For this example, name it Groups.

Authentication policy options:
- create a different authentication policy for the app
- add additional rules to the default authentication policy
- merge duplicate authentication policies with identical rules

Policy object (property and link descriptions; names restored from the Okta Policy API):
- lastUpdated: Timestamp when the Policy was last modified
- activate: Action to activate a Policy or Rule (present if the Rule is currently inactive)
- deactivate: Action to deactivate a Policy or Rule (present if the Rule is currently active)
- rules: Action to retrieve the Rules objects for the given Policy

Rule object:
- lastUpdated: Timestamp when the Rule was last modified
- activate: Action to activate the Rule (present if the Rule is currently inactive)
- deactivate: Action to deactivate the Rule (present if the Rule is currently active)

AuthProvider Condition object:
- provider: Specifies the required authentication provider
- include: The AD integrations this Policy applies to

Note: The Profile Enrollment Action object can't be modified to set the access property to DENY after the policy is created.

In the Admin Console, from the Security menu, select API, and then select the custom authorization server that you want to configure.

Like Policies, Rules have a priority that governs the order in which they are considered during evaluation.

Example: "$"

Here are some examples. For example, if you wanted to ensure that only administrators using the Implicit flow were granted access, you would create a rule specifying that if:

Then, the access token that is granted has a lifetime of, for example, one hour.

Specifies either a general application or specific App Instance to match on.

Note: The array can have only one value for profile attribute matching.

Make sure that you include the openid scope in the request.

Examples of Okta Expression Language

User attributes mapping is much more convenient!

}

Custom scopes can have corresponding claims that tie them to some sort of user information.

I map the user's department field from Okta's user profile and turn it into a list via the array functions of the Okta Expression Language.
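The priority-ordered evaluation described above (policies considered by priority, then the rules inside the first policy whose client condition matches, first matching rule wins, no matching rule means the request is denied), as an added example that is not Okta's code and not from the original page. It is a simplified Python model of that ordering: the JSON follows the shape of authorization server policy and rule objects (conditions.people.groups, conditions.grantTypes, conditions.scopes, actions.token.accessTokenLifetimeMinutes), but the client and group IDs are constructed sample values and the evaluator itself is an assumption about the semantics, not the Okta service. The first rule is the page's "administrators using the Implicit flow get a one-hour token" case.

```python
"""Simplified model of Okta authorization-server policy evaluation.

Added example, not Okta's code.  Assumed semantics: active policies are
sorted by priority, the first one whose client condition matches is used,
its active rules are sorted by priority, the first matching rule's token
action applies, and no matching rule means access is denied.
"""
from dataclasses import dataclass
from typing import Optional

ADMIN_GROUP = "00gAdminsSample"      # constructed sample group ID
ADMIN_APP = "0oaAdminAppSample"      # constructed sample client ID

# Constructed sample policy set (shape follows authorization server policy
# and rule JSON; values are made up).  Policy priority 1 is scoped to one
# client, priority 2 is the catch-all for every other client.
POLICIES = [
    {
        "name": "Admin-only policy",
        "status": "ACTIVE",
        "priority": 1,
        "conditions": {"clients": {"include": [ADMIN_APP]}},
        "rules": [
            {
                "name": "Admins via implicit flow get a 1h token",
                "status": "ACTIVE",
                "priority": 1,
                "conditions": {
                    "people": {"groups": {"include": [ADMIN_GROUP], "exclude": []}},
                    "grantTypes": {"include": ["implicit"]},
                    "scopes": {"include": ["*"]},
                },
                "actions": {"token": {"accessTokenLifetimeMinutes": 60}},
            },
        ],
    },
    {
        "name": "Default Policy",
        "status": "ACTIVE",
        "priority": 2,
        "conditions": {"clients": {"include": ["ALL_CLIENTS"]}},
        "rules": [
            {
                "name": "Default Policy Rule",
                "status": "ACTIVE",
                "priority": 1,
                "conditions": {
                    "people": {"groups": {"include": ["EVERYONE"], "exclude": []}},
                    "grantTypes": {"include": ["authorization_code", "client_credentials"]},
                    "scopes": {"include": ["*"]},
                },
                "actions": {"token": {"accessTokenLifetimeMinutes": 30}},
            },
        ],
    },
]


@dataclass(frozen=True)
class Request:
    client_id: str
    groups: frozenset       # group IDs the authenticated user belongs to
    grant_type: str         # OAuth grant type used at the /token or /authorize endpoint
    scopes: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str] = None
    rule: Optional[str] = None
    access_token_lifetime_minutes: Optional[int] = None


def _active_by_priority(items):
    """Inactive policies/rules are skipped; priority, not list order, decides."""
    return sorted((i for i in items if i["status"] == "ACTIVE"), key=lambda i: i["priority"])


def policy_matches(policy, req):
    clients = policy["conditions"]["clients"]["include"]
    return "ALL_CLIENTS" in clients or req.client_id in clients


def rule_matches(rule, req):
    cond = rule["conditions"]
    groups = cond["people"]["groups"]
    if req.groups & set(groups.get("exclude", [])):
        return False                      # exclusion beats inclusion
    if "EVERYONE" not in groups["include"] and not (req.groups & set(groups["include"])):
        return False
    if req.grant_type not in cond["grantTypes"]["include"]:
        return False
    allowed_scopes = set(cond["scopes"]["include"])
    return "*" in allowed_scopes or req.scopes <= allowed_scopes


def evaluate(policies, req):
    for policy in _active_by_priority(policies):
        if not policy_matches(policy, req):
            continue
        for rule in _active_by_priority(policy["rules"]):
            if rule_matches(rule, req):
                minutes = rule["actions"]["token"]["accessTokenLifetimeMinutes"]
                return Decision(True, policy["name"], rule["name"], minutes)
        # First matching policy wins; if none of its rules match, deny.
        return Decision(False, policy["name"])
    return Decision(False)


if __name__ == "__main__":
    admin = Request(ADMIN_APP, frozenset({ADMIN_GROUP}), "implicit", frozenset({"openid"}))
    print(evaluate(POLICIES, admin))
    user = Request(ADMIN_APP, frozenset({"00gUsersSample"}), "implicit", frozenset({"openid"}))
    print(evaluate(POLICIES, user))
```

Two things the model makes visible: the decision comes from the `priority` values, so reversing the list of policies gives the same answer, and a policy that matches the client but has no matching rule denies rather than falling through to the default policy. In a real tenant, check the `activate`/`deactivate` links on each rule before trusting an evaluation, since an inactive rule is never considered.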