As part of our implementation, we are generating an emailId for all new users and want to check for uniqueness within AD. We have tried the Username Generator transform, but somehow we are facing an issue during creation in AD.
We have a connector after-create rule that calls a PowerShell script that resides on our IQService server. It builds the email prefix by concatenating preferredname.surname and then querying Exchange Online to see if a mailbox already exists with that prefix. If it does, we increment a number after it until one without a match is found, then set that as their UPN and mailbox address.
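An added example (not the post author's script, nor anything from SailPoint or IQService) of the after-create logic described above: build the preferredname.surname prefix, ask a lookup whether that address already exists, and append an incrementing counter until a free one is found. It runs offline against a constructed list of addresses that stands in for Exchange Online; the function names, the example.com domain, and the commented-out production lookup with Get-Recipient from the ExchangeOnlineManagement module are assumptions, not details the post gives. It also normalises the prefix (lower-case, diacritics stripped, only local-part-safe characters kept), which the post does not mention.

```powershell
# Added example: uniqueness check with an incrementing counter, as described in the post above.
# Offline by design: $existing is a constructed sample standing in for Exchange Online.

function Get-MailPrefix {
    param(
        [Parameter(Mandatory)][string]$PreferredName,
        [Parameter(Mandatory)][string]$Surname
    )
    # preferredname.surname, lower-cased; then strip diacritics (NFD + drop combining marks)
    $raw = ("{0}.{1}" -f $PreferredName.Trim(), $Surname.Trim()).ToLowerInvariant()
    $decomposed = $raw.Normalize([Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $decomposed.ToCharArray()) {
        if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -ne
            [Globalization.UnicodeCategory]::NonSpacingMark) { [void]$sb.Append($ch) }
    }
    # keep only [a-z0-9.-], collapse repeated dots, trim leading/trailing dots
    $clean = ($sb.ToString() -replace '[^a-z0-9.\-]', '') -replace '\.{2,}', '.'
    return $clean.Trim('.')
}

function New-UniqueMailAddress {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$Domain,
        # Returns $true when the candidate address is already taken (Exchange Online in production)
        [Parameter(Mandatory)][scriptblock]$Exists,
        [int]$MaxAttempts = 100
    )
    $candidate = "$Prefix@$Domain"
    $counter = 1
    while (& $Exists $candidate) {
        if ($counter -ge $MaxAttempts) {
            throw "No free address for '$Prefix@$Domain' after $MaxAttempts attempts"
        }
        # first collision -> prefix1, second -> prefix2, and so on
        $candidate = "$Prefix$counter@$Domain"
        $counter++
    }
    return $candidate
}

# Constructed sample of addresses that already exist in the tenant (assumption, not real data)
$existing = @('john.smith@example.com', 'john.smith1@example.com', 'ana.garcia@example.com')
$offlineLookup = { param($addr) $existing -contains $addr.ToLowerInvariant() }.GetNewClosure()

# Assumed production lookup (requires Connect-ExchangeOnline first); matches any proxy address:
# $lookup = { param($addr)
#     [bool](Get-Recipient -Filter "EmailAddresses -eq 'smtp:$addr'" -ErrorAction SilentlyContinue) }

$prefix = Get-MailPrefix -PreferredName 'John' -Surname 'Smith'
New-UniqueMailAddress -Prefix $prefix -Domain 'example.com' -Exists $offlineLookup
# john.smith and john.smith1 are taken, so this yields john.smith2@example.com

$prefix2 = Get-MailPrefix -PreferredName 'José' -Surname "O'Brien"
New-UniqueMailAddress -Prefix $prefix2 -Domain 'example.com' -Exists $offlineLookup
# jose.obrien@example.com (no collision, so no counter is appended)
```

Two practical notes on this approach. Querying the tenant directly, as the post does, catches mailboxes and proxy addresses that exist outside whatever IdentityNow has aggregated, which an in-product uniqueness check cannot see. The check-then-write pattern is still a race: two creates running at the same moment can both find the same address free, so the directory side should continue to enforce address uniqueness and the rule should treat a write failure as a signal to retry with the next counter rather than as fatal.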
I observe that the Username Generator transform is used in the create account profile. However, for checking the uniqueness of the AD mail value being generated by us, is it mandatory for the mail attribute to be the accountID in the AD schema?
I mean to say that distinguishedName is the accountID in our AD schema, for which I used the Username Generator transform. Can I also use the Username Generator transform for the mail attribute?
Also, I am not getting an error and am able to create the AD account if I change the Source Check to false. However, my business requirement is to check whether the email value that we want to provision already exists in AD or not. If so, we want the email name to be appended with a unique counter ([email protected]).
When the Source Check is kept as true (while using Username Generator), the Identity is not getting created due to non-provisioning of the AD account. Rather than going for Username Generator, I have used Create Unique LDAP Attribute so that the uniqueness check in AD happens. However, I am still not able to append the unique counter and am ending up with users having the same email ID at both the Identity level and the AD level. Need to see how to get this done.
I have tried using Source Check as True, but it didn't work as expected; the results were crazy. So I used the Generator "Create Unique LDAP Attribute" with the pattern $(upnPfx)$(uniqueCounter)$(upnSfx). It does generate unique values, but it checks inside IDN AD accounts only. Alternatively, you can use an Account Attribute Generator Rule as well. Both of them worked for me.
I am now able to create an email ID in the pattern "$(fn).$(ln).$(uniqueCounter)$(domainname.com)" in SailPoint and provision the same to AD. The uniqueness check is achieved through Create Unique LDAP Attribute.