Okta’s New “Block Restricted Content” Feature

Okta continues to strengthen identity security with a new Block Restricted Content feature. This enhancement helps organizations prevent users from setting weak or non-compliant passwords by detecting and blocking:

  • Commonly used passwords
  • Dictionary words
  • Personal identifiers (like usernames or email addresses)
  • Reused or compromised credentials

This option blocks any password that matches the Okta Expression Language statement you enter. Validation runs as an additional check after the password complexity requirements are satisfied. Reference the password as `password.value`.

Enter an Okta Expression Language expression in the field. You can put each word in its own statement, like `password.value.contains("allidm")`. For multiple words, use the OR operator between each expression, like `password.value.contains("allidm") OR password.value.contains("okta")`.

Here are a few screenshots to give you a quick look at the feature in action.

1. Log in to your Okta admin console, go to the Features section, and select Custom Password Policy Restriction from the Early Access section.

2. Now modify the Okta Password Authenticator. You will now see an option called Block restricted content.

  • Enter an expression in the field. You can put each word in its own statement, like `password.value.contains("BlockedWord1")`. For multiple words, use the OR operator between each expression, like `password.value.contains("BlockedWord1") OR password.value.contains("BlockedWord2")`. See Okta Expression Language in Okta Identity Engine.
  • Users see an error message if they try to use a custom word in their new password.

3. Now, if a user performs a password change and uses any of the restricted content words, they will receive the following message.

“Password must be at least Passwords can’t include restricted content. Please create another password or contact your admin.”

4. Additionally, if you try to use a password that exists in the commonly used password list, you will get the following message.

“This password was found in a list of commonly used passwords. Please try another password.”
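When the blocked-word list grows, the expression for the Block restricted content field is easier to generate than to type by hand. The following is an added example, not Okta's code and not from the original post: it builds the OR-joined expression in the format shown above and rejects entries that would lock out every password. The function names, the minimum word length, and the case-sensitive matching in the local preview are assumptions to verify against your own tenant.

```python
MIN_LEN = 4  # assumed local floor for blocked words, not an Okta limit


def build_block_expression(words, min_len=MIN_LEN):
    """Return an OR-joined expression for the Block restricted content field."""
    cleaned = []
    for raw in words:
        word = raw.strip()
        if not word:
            # contains("") is true for every string: it would reject all passwords.
            raise ValueError("empty blocked word")
        if len(word) < min_len:
            # Very short fragments match a large share of legitimate passwords.
            raise ValueError(f"blocked word too short: {word!r}")
        if '"' in word or "\\" in word:
            # No escape syntax is assumed here; refuse rather than guess one.
            raise ValueError(f"unsupported character in {word!r}")
        if word not in cleaned:
            cleaned.append(word)
    if not cleaned:
        raise ValueError("no blocked words supplied")
    # A word is redundant when another listed word is a substring of it:
    # any password containing "okta2024" already contains "okta".
    kept = [w for w in cleaned if not any(o != w and o in w for o in cleaned)]
    return " OR ".join(f'password.value.contains("{w}")' for w in kept)


def local_preview(password, words):
    """List the blocked words found in a candidate password.

    Assumption: contains() is treated as a case-sensitive substring match.
    Confirm with a test user before relying on this preview.
    """
    return [w.strip() for w in words if w.strip() and w.strip() in password]


if __name__ == "__main__":
    # Constructed sample list; "allidm" and "okta" are the words used on this page.
    sample = ["allidm", "okta", "okta2024", " allidm "]
    print(build_block_expression(sample))
    for candidate in ("Summer-okta-1", "Summer-Okta-1"):
        print(candidate, "->", local_preview(candidate, ["allidm", "okta"]))
```

If the preview shows that a capitalised variant is not matched, add that variant to the list as its own word and confirm the behaviour with a test password change.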

Gabriel Magarino – Senior Security Manager | IAM Evangelist - Experienced leader with over 20 years in the IT and cybersecurity industry, specializing in Identity & Access Management. Expert in Okta, One Identity, SailPoint (IdentityIQ & IdentityNow), OneLogin, Delinea, and CyberArk. Passionate about exploring IAM and emerging technologies, coaching, and training IAM teams. Holds a Master’s in Computer Science and multiple certifications, including Okta Professional & Administration, One Identity Architect & Instructor, SailPoint Identity Now, ITIL, Scrum Master, among others. Currently pursuing a PhD with a focus on Computer Science and Artificial Intelligence.