After AD Provision is Completed, update the attributes


We have a scenario

When the user is onboarded and starts 02/28/2024, as soon as records come into IDN, it will provision the AD account. That means the AD account will get provisioned today, but there are two attributes, extensionAttribute16 and 17, that need to be populated at least four days before the start date. That means on 02/26 the extensionAttribute16 and 17 values need to be populated in AD.

What is the best way to achieve this?


I haven’t used AD extensionAttributes, so first off you have to validate if you can add them to your Account Schema on your AD connector, and can actually pull in the fields during Account Aggregation. If that works, then you can do one of the following:

If the values are static for all users, you could add them as part of the Create Account.

If they are unique per user, you could use an Identity Profile Attribute along with Attribute Sync on the source to update the values. You would also probably need a Transform to get the correct attribute values for the Identity Profile.

Or you could use an After Create Rule. This is the most cumbersome since you have to get Expert Services to evaluate and upload the rule to your tenant anytime you make a change to the rule, but it gives you a lot of flexibility.

Lastly, if you are wanting these extensionAttributes to be manually populated, you could create a Workflow that would send an email or generate a service ticket (if you have an integration) when the account is created.

You can give this a try:
1 - Create two provisioning policies, Create and Update. Create will create the account with only the necessary attributes, including the ExtensionAttributes, and Update will have the other attributes.
2 - Create two LCMs. Ex: PreOnboarding (admissionalDate < today) and Onboarding (admissionalDate >= today)
3 - Two identity attributes for ExtensionAttribute16 and 17 (do the transform to subtract 4 days)
4 - Roles for both LCMs: the first one will trigger the account creation before the actual admissional date, and the other will trigger an account update when the admissional date comes.

To avoid updates on every account update, you can put a static transform that validates the "onboarding" state and only runs when the user is in the "onboarding" LCM. And let the attribute sync do its job.

We are planning to use the approach below.

  1. Add the extensionAttribute16 and 17 attributes in the create profile and exclude them from provisioning.

  2. Use a PowerShell script to get extensionAttribute16 and 17 from the provisioning plan and create a CSV file with the attributes samaccountname, extensionAttribute16 and 17, and start date.

  3. Every day, PowerShell executes and checks if there is any identity starting four days from now; it looks at the CSV file and updates extensionAttribute16 and 17 in AD.
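As an added example (not code from this thread, from SailPoint, or from the poster's own script), here is what the daily job in step 3 could look like. It assumes the CSV written in step 2 has the columns `sAMAccountName`, `extensionAttribute16`, `extensionAttribute17` and `startDate`, that `startDate` is in `MM/dd/yyyy` form (as in the question), and that the `ActiveDirectory` module is available. The script only touches accounts whose start date falls within the lead window, writes only when a value is actually missing or different, validates the account name before it reaches an LDAP lookup, and supports `-WhatIf` for a dry run.

```powershell
# Added example: daily sync of extensionAttribute16/17 from a CSV into AD.
# Assumed CSV columns: sAMAccountName,extensionAttribute16,extensionAttribute17,startDate
# Assumed startDate format: MM/dd/yyyy. Log path is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [int]$LeadDays = 4,
    [string]$LogPath = "$PSScriptRoot\extattr-sync.log"
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $LogPath -Append
}

# Candidates are rows whose start date is between today and today + $LeadDays.
$today     = (Get-Date).Date
$threshold = $today.AddDays($LeadDays)

foreach ($row in (Import-Csv -Path $CsvPath)) {
    $sam = $row.sAMAccountName

    # The CSV is an input boundary: reject anything that is not a plain account name.
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Log "SKIP malformed sAMAccountName '$sam'"
        continue
    }

    $start = [datetime]::MinValue
    if (-not [datetime]::TryParseExact($row.startDate, 'MM/dd/yyyy',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$start)) {
        Write-Log "SKIP $sam : unparseable startDate '$($row.startDate)'"
        continue
    }

    # Outside the lead window (too early) or already started: nothing to do today.
    if ($start.Date -gt $threshold -or $start.Date -lt $today) { continue }

    $user = Get-ADUser -Identity $sam `
        -Properties extensionAttribute16, extensionAttribute17 -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Log "SKIP $sam : account not found in AD yet"
        continue
    }

    # Idempotent: build the change set from values that are present and differ.
    $desired = @{
        extensionAttribute16 = $row.extensionAttribute16
        extensionAttribute17 = $row.extensionAttribute17
    }
    $changes = @{}
    foreach ($k in $desired.Keys) {
        if ([string]::IsNullOrWhiteSpace($desired[$k])) { continue }
        if ($user.$k -ne $desired[$k]) { $changes[$k] = $desired[$k] }
    }
    if ($changes.Count -eq 0) {
        Write-Log "OK   $sam : attributes already current"
        continue
    }

    if ($PSCmdlet.ShouldProcess($sam, "Set $($changes.Keys -join ', ')")) {
        Set-ADUser -Identity $sam -Replace $changes
        Write-Log "SET  $sam : $($changes.Keys -join ', ')"
    }
}
```

Run it first as `.\Sync-ExtAttrs.ps1 -CsvPath .\pending.csv -WhatIf` to see which accounts would be written. The scheduled task that runs it should use a dedicated service account that has been delegated write access to only those two attributes on the target OU rather than broad account-management rights, and the CSV location should be writable only by the process that produces it, since anything in that file ends up in AD.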