In Entra create provisioning policy, for userPrincipalName and mail nickname I used username generator

Hi Team, in the Entra source create account provisioning policy, the user principal name and mail nickname attributes use the username generator. But when I tried identity processing, it failed. I will attach the username generator transform. Please suggest any issue with the code. The UPN output would be ADM+first letter of firstname+lastname@domainname, and the same for mailNickname: ADM+first letter of firstname+lastname.

{
  "name": "userPrincipalName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "template": "ADM$(firstInitial)$(lastname)$(uniqueCounter)@chubbfsadmin.co.uk",
      "patterns": [
        "ADM$(firstInitial)$(lastname)@chubbfsadmin.co.uk",
        "ADM$(firstInitial)$(lastname)$(uniqueCounter)@chubbfsadmin.co.uk"
      ]
    },
    "firstInitial": {
      "type": "substring",
      "attributes": {
        "input": {
          "type": "identityAttribute",
          "attributes": {
            "name": "firstname"
          }
        },
        "begin": 0,
        "end": 1
      }
    },
    "lastname": {
      "type": "identityAttribute",
      "attributes": {
        "name": "lastname"
      }
    }
  },
  "attributes": {},
  "isRequired": true,
  "type": "string",
  "isMultiValued": false
},

@ravikumar7284 Can I know what type of error you are getting when doing the identity processing?

Now manual identity processing passed, after changing the code. But create account failed. Please find the updated code. Please suggest any modification required.
{
  "name": "userPrincipalName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "sourceCheck": true,
      "patterns": [
        "ADM$(firstInitial)$(lastname)@chubbfsadmin.co.uk",
        "ADM$(firstInitial)$(lastname)$(uniqueCounter)@chubbfsadmin.co.uk"
      ],
      "firstInitial": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "firstname"
            }
          },
          "begin": 0,
          "end": 1
        }
      },
      "lastname": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      }
    }
  },
  "attributes": {
    "cloudMaxSize": "100",
    "cloudMaxUniqueChecks": "5",
    "cloudRequired": "true"
  },
  "isRequired": true,
  "type": "string",
  "isMultiValued": false
},

Hello Ravi, I saw the same question with this transform in one of the groups, so I think I know what’s going on here. There are three things in the JSON that need fixing, and any one of them alone will break the transform.

  1. firstInitial and lastname are sitting in the wrong place. Move them inside the attributes block, next to patterns. Right now they’re outside, so the generator can’t find them.

  2. The placeholder syntax is wrong. Use $firstInitial and $lastname, not $(firstInitial) and $(lastname). For uniqueCounter, use curly braces: ${uniqueCounter}.

  3. Drop the template line. usernameGenerator only uses patterns. Also, keep ${uniqueCounter} only in the last pattern, since the generator stops there.

Here’s the corrected JSON:

{
  "name": "userPrincipalName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "sourceCheck": true,
      "patterns": [
        "ADM$firstInitial$lastname@chubbfsadmin.co.uk",
        "ADM$firstInitial$lastname${uniqueCounter}@chubbfsadmin.co.uk"
      ],
      "firstInitial": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": { "name": "firstname" }
          },
          "begin": 0,
          "end": 1
        }
      },
      "lastname": {
        "type": "identityAttribute",
        "attributes": { "name": "lastname" }
      }
    }
  },
  "attributes": {
    "cloudMaxSize": "100",
    "cloudMaxUniqueChecks": "5",
    "cloudRequired": "true"
  },
  "isRequired": true,
  "type": "string",
  "isMultiValued": false
}

Use the same structure for mailNickname, just remove @chubbfsadmin.co.uk from the patterns.

Ravi, identity processing passed but look at the screenshot, the username being sent to Entra is literally ADM$(firstInitial)$(lastname)@chubbfsadmin.co.uk. The placeholders aren’t being replaced.

The syntax needs to be $firstInitial and $lastname, not $(firstInitial) and $(lastname). Same fix for mailNickname. Update both patterns like this:

"patterns": [
  "ADM$firstInitial$lastname@chubbfsadmin.co.uk",
  "ADM$firstInitial$lastname${uniqueCounter}@chubbfsadmin.co.uk"
]

Save, then run identity refresh again. The username in the account request should now show as the actual generated value (something like ADMAFellows@chubbfsadmin.co.uk) instead of the raw placeholder text.

Thanks @punna0001 Issue resolved.

Hi Harish, even though user principal name and mail nickname processed correctly, after identity refresh the events show create account failed. I ran account aggregation and the account got created in Entra. I tried another identity and got the same create account failure; I ran account aggregation but the account was not pulled into the Entra source. It should be 16 accounts but only 15 accounts were scanned.

Your nativeidentity is not populating correctly it seems.

The generated value still has a problem. From your screenshot, SailPoint is sending

userPrincipalName: ADMGTest 1 Onboarding@chubbfsadmin.co.uk
mailNickname: ADMGTest 1 Onboarding

See the spaces? That’s because your identity’s lastname is literally “Test 1 Onboarding”. Entra doesn’t allow spaces in userPrincipalName or mailNickname, so it rejects the request.

I assume this is just test data, so the easiest fix is to use a clean test identity. Try someone with firstname John and lastname Smith. Real users usually won’t have spaces or numbers in their lastname, so the policy doesn’t need to handle that. Once it works for a clean identity, you know the policy is good.

Later, if you want to handle edge cases like hyphenated names or apostrophes or extra spaces, you can add a replaceAll transform to clean up the lastname.

Account aggregation doesn’t create accounts in Entra. It only reads accounts from Entra back into ISC. If you see 15 instead of 16, it means the account was never created in Entra in the first place, because the create failed. So, clean up the test identity and run identity refresh again.
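The two failures diagnosed in this thread (placeholders reaching Entra as literal text, and a generated value containing spaces) can be caught before a provisioning run. The Python check below is an added example, not part of the thread and not SailPoint code: it approximates pattern expansion with `string.Template`, and the clean-up rule, the counter range starting at 1, and the first names "Alex" and "Gina" are assumptions.

```python
import re
from string import Template

# Patterns from the thread: the original $(...) form and the corrected $name form.
BROKEN = "ADM$(firstInitial)$(lastname)@chubbfsadmin.co.uk"
FIXED = [
    "ADM$firstInitial$lastname@chubbfsadmin.co.uk",
    "ADM$firstInitial$lastname${uniqueCounter}@chubbfsadmin.co.uk",
]

def clean(name):
    """Assumed clean-up rule (what a replaceAll transform could do): keep letters and digits."""
    return re.sub(r"[^A-Za-z0-9]", "", name)

def expand(pattern, firstname, lastname, counter=None):
    """Local approximation of placeholder substitution; not SailPoint's engine."""
    values = {"firstInitial": firstname[:1], "lastname": lastname}
    if counter is not None:
        values["uniqueCounter"] = str(counter)
    # safe_substitute leaves anything it cannot resolve, e.g. $(lastname), as literal text
    return Template(pattern).safe_substitute(values)

def problems(value):
    """Reasons a generated value would fail, limited to the two failures seen in the thread."""
    found = []
    if "$" in value:
        found.append("unexpanded placeholder")
    if re.search(r"\s", value):
        found.append("contains whitespace")
    return found

def generate(firstname, lastname, taken, max_checks=5):
    """Try patterns in order; only a uniqueCounter pattern iterates (assumed 1..max_checks)."""
    for pattern in FIXED:
        counters = range(1, max_checks + 1) if "uniqueCounter" in pattern else [None]
        for n in counters:
            candidate = expand(pattern, firstname, lastname, n)
            if candidate.lower() not in taken:  # stands in for the source uniqueness check
                return candidate, problems(candidate)
    return None, ["no unique value within max_checks"]

if __name__ == "__main__":
    # Constructed sample identities; "taken" holds lower-cased names already in the source.
    literal = expand(BROKEN, "Alex", "Fellows")
    print(literal, problems(literal))
    print(generate("Gina", "Test 1 Onboarding", taken=set()))
    print(generate("Gina", clean("Test 1 Onboarding"), taken=set()))
    print(generate("John", "Smith", taken={"admjsmith@chubbfsadmin.co.uk"}))
```

Running it against every identity in scope before enabling the policy lists the values that would be rejected, so the create never has to fail in Entra to surface them.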

Hi @punna0001
Need help: why are the values not evaluating here? The requirement is firstname as the user's firstname, lastname as the user's last name.

Please find the provisioning policy
{
  "name": "Account",
  "description": null,
  "usageType": "CREATE",
  "fields": [
    {
      "name": "accountType",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "User"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "userPrincipalName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique Account ID"
        }
      },
      "attributes": {
        "template": "ADM$firstname$lastname${uniqueCounter}@chubbfsadmin.co.uk"
      },
      "isRequired": true,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "password",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Password"
        }
      },
      "attributes": {},
      "isRequired": true,
      "type": "secret",
      "isMultiValued": false
    },
    {
      "name": "displayName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique Account ID"
        }
      },
      "attributes": {
        "template": "ADM $(firstname) $(lastname)"
      },
      "isRequired": true,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mailNickname",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique Account ID"
        }
      },
      "attributes": {
        "template": "ADM$firstname$lastname${uniqueCounter}"
      },
      "isRequired": true,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "accountEnabled",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "true"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "department",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "jobTitle",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "passwordPolicies",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "otherMails",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "givenName",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "surname",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "usageLocation",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "GB"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "forceChangePasswordNextSignIn",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "true"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "country",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "state",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "city",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "streetAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "postalCode",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "physicalDeliveryOfficeName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "telephoneNumber",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mobile",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "facsimileTelephoneNumber",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "invitedUserEmailAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "inviteRedirectUrl",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "sendInvitationMessage",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "customizedMessageBody",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "invitedUserDisplayName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "invitedUserUsageLocation",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "signInNameType",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "signInNameValue",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "localAccountDisplayName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "enableLocalAccount",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "b2cPassword",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "secret",
      "isMultiValued": false
    },
    {
      "name": "b2cForceChangePasswordNextLogin",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "employeeId",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "identificationNumber"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}