Problem

How to Handle End to End “Name Change“ flow in Active Directory which could lead to CN Change, Mail Change, UPN Change, CN Change? Due to Multiple Complexities involved its not straight forward.

Diagnosis

In order to perform the Name Change Flow, we need to use combination of components in SailPoint ISC in order to perform it successfully. The high level details are.

1. We need to create an identity attribute such as “Display Name History“ which will store the value of OLD Display Name prior to change and NEW Display Name post changes. The example is “Rohit Wekhande<>Rohit Wekh“
2. The attribute sync b/w SailPoint ISC - Display Name Identity Attribute and AD - DisplayName account attribute is Enabled
3. The Before Provisioning Cloud Rule is developed which handles the uniqueness calculation for CN, MailID, UPN and SamAccountName.
4. The Before Provisioning Rule is also attached to AD source

Without the above steps, just through

Solution

Introduction

In the world of Identity Governance, a “simple” name change is rarely simple. When a user has a legal name change in your HR system, the ripple effect across Active Directory—affecting Distinguished Names (DN), UPNs, and Common Names—can often lead to broken profiles or orphaned accounts if not handled with precision.

I’ve put together a technical walkthrough of a design approach I use to ensure identity integrity. This algorithm bridges the gap between the HRMS Source and Active Directory, utilizing Identity Security Cloud (ISC) and a targeted Before-Provisioning Rule to ensure that every attribute is updated accurately and in the correct sequence.

Whether you are dealing with complex OU structures or just trying to automate the update of the sAMAccountName, this logic provides a roadmap for a hands-off, “zero-touch” renaming process.

Flow Diagram

image1916×542 142 KB

Algorithm Steps

This algorithm outlines the logic for detecting a legal name change in a source HR system and ensuring all downstream Active Directory (AD) attributes are updated consistently without manual intervention.

Phase 1: Data Source & Identity Refresh

• Step 1: HRMS Detection The process triggers when a change is detected in the HRMS Source (e.g., Workday, SAP SuccessFactors). The system identifies a mismatch between the current HR record and the existing Identity Cube.

• Step 2: Identity Attribute Recalculation SailPoint Identity Security Cloud (ISC) aggregates the new First Name and Last Name. The Identity Profile logic automatically updates the Display Name and Full Name attributes on the user’s Identity Cube.

Phase 2: Transformation Logic (The “Before Provisioning” Rule)

• Step 3: Trigger Account Update Once the Identity Cube reflects the new name, ISC triggers an “Update” operation for the linked Active Directory Account. This Update Account/Modify Account operation is triggered for “DisplayName“ attribute in AD.

• Step 4: Execute “Before Provisioning” Rule Before the request is sent to AD, a cloud rule intercepts the plan to handle complex renaming logic:

  • It captures the Old Display Name and compares it against the New Display Name through “Display Name History“ attribute in identity profile

  • It calculates the new Distinguished Name (DN) if the name change requires moving the object or renaming the RDN (Relative Distinguished Name). This has to be done through AC_NewParent attribute in MS AD.

Phase 3: Attribute Construction

• Step 5: Attribute Mapping The system prepares the final payload for the AD Connector. This includes:

  • CN (Common Name): Formatted as FirstName LastName. The new CN will be sent through AC_NewName attribute in the provisioning plan of AD.

  • sAMAccountName: (Optional) Updated based on corporate policy. The new SamAccountName will be sent through “sAMAccountName“ OOTB attribute of AD through provisioning plan.

  • UserPrincipalName (UPN): Updated to match the new legal name/email structure. The new userPrincipleName will be sent through “userPrincipleName “ OOTB attribute of AD through provisioning plan.

  • Display Name: The finalized string generated in Step 2.

Phase 4: Downstream Execution & Verification

• Step 6: IQ Service Communication The update request is sent to the Active IQ Service (the gateway to the Windows environment).

• Step 7: AD Domain Controller Update The IQ Service executes the LDAP modify commands on the AD Domain Controller. This updates the physical account attributes in the directory.

• Step 8: Confirmation & Re-Aggregation AD sends a Success Response back to ISC. On the next scheduled aggregation, ISC pulls the updated account data to confirm that the “Account Attribute” in SailPoint matches the “Identity Attribute.”

Key Technical Considerations for your Article

1. Attribute Sync: Ensure that Attribute Sync is Enabled for respective attribute in this case “Display Name“ against which Name Change Transformation flow will be triggered through Before Provisioning Rule.

2. Impact on Login: Remind readers that changing the sAMAccountName or UPN will impact the user’s login experience and may require a desktop re-logon.

3. Downstream Apps: Mention that once AD is updated, other integrated apps (like O365 or Zoom) will typically inherit the change via their own sync with AD.

Hi @rohit_wekhande

I have to be honest, I’m a bit confused by this posting.

You seem to be talking about basic functionality, ie Attribute Sync. A Before Provisioning rule is not needed in your scenario and AFAIK LDAP modify commands don’t go via IQService.

Also:

1. Automatic updating of sAMAccountName and/or userPrincipalName based on Auth Source update can’t be recommended because of the unscheduled nature of an update affecting the user’s ability to login.
2. Any updating of CN or DN is not supported over Attribute Sync without employing AC_NewName and AC_NewParent functionality

Hello @j_place ,

Thanks for your comments!

Based on your comments, I have updated the article a bit to be more specific.

Note that Design Pattern I have mentioned is not implemented simply through Attribute Sync. Its implemented through combination of Attribute Sync (which triggers an Modify Account Task in AD Connector) and Before Provisioning intercepts that and checks whether its a Name Change flow, if yes, then, it will perform change in mail, UPN, SamAccountName and CN as per the Corporate Policy of that organization.

It cannot happen through Simple 1 to 1 mapping of identity attributes with account attributes and then, enable attribute sync. I agree with you on that. If you go through flow diagram, you will find that out. I am going to publish another article in which I will provide the details of Technical Implementation which i performed.

Thank You,

Regards,

Rohit Wekhande.