New user created in group not getting correct password policy

I’m making the request that follows and expect the user’s password to be subject to their group membership that is specified in the request, but that is not the behavior that I’m seeing. What I’m seeing is the user is subject to the default password policy instead of the one based on group membership.

POST //api/v1/users HTTP/1.1
Host: ****.okta.com
Accept: application/json
Content-Type: application/json
Authorization: SSWS *****
Cache-Control: no-cache
{
“profile”: {
“firstName”: “Test”,
“lastName”: “Man”,
“email”: "testman@test.com",
“login”: "teatman@test.com"
},
“credentials”: { “password”: “thisisapassword” },
“groupIds”: [ “00g5orrhc4CXZyGpi2p6”, “00gfyr5jjUiqpmSsA2p6” ]
}

How is your password policy set up?

Test Users

Assigned to groups

Test Users

Authentication Providers

Applies to - Okta

Password Settings

Minimum length: 12 characters

Complexity requirements

Does not contain part of username

Lock out

Lock out user after 10 unsuccessful attempts

Account Recovery

Self-service recovery options

SMS
Voice Call
Email
Reset/Unlock recovery emails are valid for 1 hours

There is an issue here, was able to validate it. You can log an issue to developers@okta.com

The team is aware of the issue, but I’m unsure on the timelines associated with fixing it, developers@okta.com will be able to provide additional information.

Thanks Tom, I’ll send an email to that address.