Batch Request for AD Create Account

Hi All,

I’m trying to create an AD account via batch request. The request keeps failing with an Invalid status, as below. I have tried both approaches (using identityName instead of nativeIdentity, or with nativeIdentity). Please let me know if you have any inputs or possible suggestions. (FYI - This will work for other applications but not for AD)

Approach 1: using nativeIdentity

operation, application, nativeIdentity,distinguishedName,ObjectType,givenName,sn,displayName,sAMAccountName,userPrincipalName,*password*
CreateAccount, Active Directory,"CN=Test.User2,OU=Singapore,OU=Asia-Pacific,OU=Demo,DC=seri,DC=sailpointdemo,DC=com","CN=Test.User2,OU=Singapore,OU=Asia-Pacific,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",User,Test,User2,Test.User2,Test.User2,Test.User2@sailpointdemo.com,ADpass1$

Approach 2: Using identityName

operation, application, identityName
CreateAccount, PRISM,Test.User2

Please check your create account provisioning policy. It may be because some field that is mandatory for creating the account is missing.
For example, if sam-account-Name is mandatory for account creation, then it needs to be present, if not auto-generated.

As you see in approach 1, I have kept all required attributes as per create account provisioning policy.

Can you please try to click on Invalid and see the error what’s it invalid for?

Hello @Arpitha1 I can see spaces between fields and attributes such as operation, application, and also in attributes like CreateAccount, Active Directory. Could you please remove the spaces and try again? Also, why did you keep asterisks for the password field?

Hi,

Have you already tried adding single quotes around the CN, for example: ‘CN=Test.User2,OU=Singapore,OU=Asia-Pacific,OU=Demo,DC=seri,DC=sailpointdemo,DC=com’ ?

Hello @LydiaLu, first I kept it the same as @Arpitha1 and I got the same error. After removing the spaces, the batch request is running with double quotes. I also tried your approach using single quotes, and the batch request is running. Let’s see how it works from her side.


It should work with double quotes and no spaces.

For CreateAccount batch requests, “Invalid” is usually a format/lookup issue, not AD itself. Two must-fix items:

  1. Use the documented 3rd column exactly as nativeIdentity | identityName and populate it with the IIQ Identity name (e.g., Test.User2) — this column identifies the person, not the AD DN.

  2. Make the CSV strict: no spaces after commas, and use double quotes only when needed. Also don’t use *password* in the header — if you want to pass a password, the column name should be the actual attribute (e.g., password) and it must match the provisioning policy fields.

Example structure (conceptually):

  • operation,application,nativeIdentity | identityName,

  • CreateAccount,Active Directory,Test.User2,“CN=Test.User2,OU=…”,“…”,User,…,password

Click the Invalid count to see the exact per-row validation error — that will confirm whether it’s “Identity not found”, “unknown column”, or “missing required field”.

It says “Target Identity not found”

Hi, again tried with no spaces (strict csv) as below. Still, same issue.

Approach 1:

operation,application,nativeIdentity,distinguishedName,ObjectType,givenName,sn,displayName,sAMAccountName,userPrincipalName,*password*
CreateAccount,Active Directory,"CN=Test.User2,OU=Singapore,OU=Asia-Pacific,OU=Demo,DC=seri,DC=sailpointdemo,DC=com","CN=Test.User2,OU=Singapore,OU=Asia-Pacific,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",User,Test,User2,Test.User2,Test.User2,Test.User2@sailpointdemo.com,ADpass1$

Approach 2:

operation,application,nativeIdentity
CreateAccount,Active Directory,Test.User2

Yes tried but still no luck

The CSV below is working for me. Also, PFA the options I checked during import.

operation,application,identityName
"CreateAccount","Active Directory","zsmith"

Hey @Arpitha1

“Target Identity not found” means IIQ cannot find a matching Identity object for what you put in the 3rd column. The batch row fails before it even tries to provision to AD.

The fix

1) Use the correct identifier in the 3rd column

For CreateAccount batch, the 3rd column is the IIQ Identity identifier (Identity.name), not an AD DN or display name.

Use identityName and make sure the value matches Identities → (Identity) Name in IIQ exactly.

Don’t use:

  • AD Distinguished Name (DN)

  • displayName

  • sAMAccountName (unless that is literally the Identity.name in IIQ)

2) Confirm the identity exists in IIQ

Go to Identities and search for the user by Name.

  • If it exists → proceed.

  • If it does NOT exist → run your authoritative source aggregation / Identity Refresh (or create the identity), then rerun the batch.

3) Start with a minimal CSV that must work

Use the smallest file first, confirm it succeeds, then add more columns one by one.

operation,application,identityName

CreateAccount,Active Directory,Test.User2

If this fails, then Test.User2 is not the Identity.name in IIQ (or the Identity doesn’t exist).

4) Password column note

If you’re passing a password, use the real field name your provisioning policy expects (commonly password).

Avoid using a header like *password* — it won’t map unless your policy explicitly uses that name.

Why the approaches used failed

  • Approach 1: putting an AD DN in nativeIdentity doesn’t help. IIQ still needs a valid target Identity first, and it can’t find one → “Target Identity not found.”

  • Approach 2: if Test.User2 is not the exact Identity.name in IIQ (maybe it’s displayName), IIQ won’t match it → same error.

Quick checklist

  • The identity exists in IIQ (Identities → search by Name)

  • The CSV 3rd column uses the exact Identity.name

  • Minimal 3-column CSV succeeds

  • Add extra attributes gradually after the minimal test works
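
The formatting and lookup points raised in the thread so far (spaces after commas, the asterisk-wrapped header, a DN in the identity key column, an identityName that does not exist) can be checked before upload. The linter below is an added example, not part of any post and not SailPoint code; `lint_batch_csv` and `known_identities` are hypothetical names, and the identity list is assumed to be a set of Identity names exported from IIQ beforehand.

```python
import csv
import io

def lint_batch_csv(text, known_identities):
    """Return (line, message) findings for a CreateAccount batch request CSV."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    findings = []
    header = rows[0]
    for col in header:
        if col != col.strip():
            findings.append((1, f"header {col!r}: remove spaces around the name"))
        if col.strip().startswith("*"):
            findings.append((1, f"header {col!r}: use the policy field name, no asterisks"))
    names = [c.strip() for c in header]
    if len(names) < 3 or names[:2] != ["operation", "application"]:
        return findings + [(1, "header must start with operation,application,<identity key>")]
    key_col = names[2]
    if key_col == "nativeIdentity":
        # Behaviour as reported in this thread, not taken from product documentation.
        findings.append((1, "nativeIdentity key: thread reports 'Target Identity not found' "
                            "when the identity has no existing link; identityName worked"))
    elif key_col != "identityName":
        findings.append((1, f"third column {key_col!r} is not identityName or nativeIdentity"))
    for line, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line in the file
        if len(row) != len(header):
            findings.append((line, f"{len(row)} fields, header has {len(header)}"))
            continue
        for value in row:
            if value != value.strip():
                findings.append((line, f"value {value!r}: remove spaces around the field"))
        key = row[2].strip()
        if key_col == "identityName":
            if "=" in key and "," in key:
                findings.append((line, "identityName holds a DN, expected Identity.name"))
            elif key not in known_identities:
                findings.append((line, f"{key!r} is not in the identity list"))
    return findings

# Constructed sample inputs (not exports from a real system).
KNOWN = {"Test.User2", "zsmith"}
GOOD = "operation,application,identityName\nCreateAccount,Active Directory,Test.User2\n"
BAD = ('operation, application, identityName,*password*\n'
       'CreateAccount, Active Directory,"CN=Test.User2,OU=Demo,DC=example,DC=com",ConstructedPw1$\n')

if __name__ == "__main__":
    for line, msg in lint_batch_csv(BAD, KNOWN):
        print(f"line {line}: {msg}")
```
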

Hi @amrdodani

There was an issue in Approach 2 where my header had nativeIdentity instead of identityName.

After correcting it, approach 2 started to work.

operation,application,identityName
CreateAccount,Active Directory,Test.User2

Approach 1 is still not working. If we try with nativeIdentity instead of identityName, the behaviour is somewhat unexpected. I deleted the account and then tried this approach; it works for other applications and fails for AD, but that is expected (as the OU is in a different container when we delete AD accounts). But the question here is, how come it works for existing users and the same is not working for new users? (We see “Target Identity not found” only for new accounts, not for existing users.)

Approach 1 fails for “new users” because you’re passing an AD DN/nativeIdentity (e.g., CN=Test.User2,OU=…). IIQ tries to resolve an Identity from that value; it only “works” when the identity already has an existing AD link/correlation. For a brand-new user (no link yet) you get Target Identity not found.

Ensure the person already exists in IIQ, then run CreateAccount using:

CreateAccount,Active Directory,

Put DN/OU/sAMAccountName/etc. as additional columns if needed—just don’t use the AD DN as the identity key.

@amrdodani I’ve tried the same approach. Can you test this in your local environment and pass the CSV if it works for new users using ‘nativeIdentity’?

Hello @Arpitha1, that is what the error is supposed to tell us. The Create Account operation works only for existing identities in IIQ, not for new users who do not yet have an identity. In IIQ, every account operation must be linked to an identity. Without an identity present in IIQ, the system has nothing to associate the account with, so account creation is not possible.

For example, if user John already exists as an identity in IIQ but does not have an account on the target application, a batch request can successfully create the account. However, if John does not exist in IIQ at all, the batch request will fail because there is no identity to attach the account to.

We can check here, Creating Accounts by Batch Request

Perhaps you didn’t understand what I’m saying. I tried to create an AD link for a new user, meaning the identity exists in IIQ but does not have an AD link. To explain more, consider the scenarios below:

Scenario 1: Create a test user, say Test.User2, using the create identity link or whatever way you choose; now you have an identity but no AD link. Then try to create the AD link using a batch request where the CSV uses the nativeIdentity column, with or without the required columns as per your AD create provisioning policy. The batch request fails, throwing “Target Identity not found”, and it does not even attempt to execute the plan.

Scenario 2: I have some users who already have AD links in my IIQ; assume user ‘Test.Identity3’. I deleted the AD link for this user, then tried to create the AD link using a batch request with a CSV having nativeIdentity. Now the plan executed and threw a different error, as the OU is in the deleted container. But this is expected behaviour, and the good news here is that it attempted to execute the plan. However, if you try this for a different application using a batch request with the nativeIdentity column, e.g. PRISM, the PRISM link gets created successfully.
