As part of our onboarding process, we’re generating email addresses for new users and need to ensure they are unique within Active Directory. We initially attempted this using a Username provider Transform, but encountered issues during the AD account creation phase.
Is there a recommended approach within SailPoint ISC to handle uniqueness validation for email IDs at the time of provisioning, especially when writing to AD?
gogubapu (bapu gogu), July 15, 2025, 10:09am (#2)
What is the pattern you are using to create email?
An Attribute Generator rule is the ideal solution because it:
Runs on the connector side (via the Virtual Appliance or connector gateway), giving it direct access to AD.
Allows you to both generate an email address and validate its uniqueness in real-time during the provisioning process.
Ensures the email is unique before the account is created in AD, preventing conflicts.
Here’s how to implement this approach:
Step 1: Configure the AD Source Schema
In SailPoint ISC, navigate to the AD source configuration.
Ensure the email attribute (typically mail in AD) is defined in the account schema. This attribute will store the email address for each AD account.
Verify that the schema mapping aligns with your AD environment (e.g., confirm that mail is the correct attribute for email addresses).
Step 2: Update the Provisioning Policy
Go to the provisioning policy for AD account creation (found under the AD source’s “Create” policy).
Set the email attribute to be populated by an Attribute Generator rule instead of a static value or Transform.
This tells SailPoint to invoke your custom rule during provisioning to determine the email value.
Step 3: Implement the Attribute Generator Rule
Create a custom Attribute Generator rule in SailPoint to generate and validate the email address. The rule will:
Use user attributes (e.g., first name, last name) to generate a candidate email.
Query AD to check if the email exists.
Adjust the email if necessary until a unique one is found.
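As an added illustration of the three rule steps above (not code from this thread or from SailPoint), here is the core generate-check-adjust loop in plain Java so it can be compiled and run on its own; the AD lookup is a hypothetical `existsInAd` predicate backed here by a constructed in-memory set, and `domain`, `firstName` and `lastName` stand in for values the real rule would read from the identity. The candidate is reduced to lowercase ASCII letters and digits before any lookup, so a name can never carry LDAP filter metacharacters into a "(mail=...)" search, and the retry loop is bounded.

```java
import java.text.Normalizer;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

public class UniqueMailGenerator {
    private static final int MAX_ATTEMPTS = 50;   // bound the retry loop so a rule never spins forever
    private final Predicate<String> existsInAd;   // hypothetical: true if AD already holds this mail value
    private final String domain;

    public UniqueMailGenerator(Predicate<String> existsInAd, String domain) {
        this.existsInAd = existsInAd;
        this.domain = domain;
    }
    // Reduce a name to lowercase ASCII letters and digits: strips accents, apostrophes and spaces,
    // and guarantees the value fed to an LDAP filter such as "(mail=...)" carries no filter metacharacters.
    static String sanitize(String name) {
        String noMarks = Normalizer.normalize(name, Normalizer.Form.NFD).replaceAll("\\p{M}", "");
        return noMarks.toLowerCase(Locale.ROOT).replaceAll("[^a-z0-9]", "");
    }

    // Build first.last@domain, then first.last1@domain, first.last2@domain, ... until AD has no match.
    public String generate(String firstName, String lastName) {
        String first = sanitize(firstName), last = sanitize(lastName);
        if (first.isEmpty() || last.isEmpty()) {
            throw new IllegalArgumentException("name yields no usable characters for an address");
        }
        String base = first + "." + last;
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            String candidate = (i == 0 ? base : base + i) + "@" + domain;
            if (!existsInAd.test(candidate)) {
                return candidate;
            }
        }
        throw new IllegalStateException("no unique mail found for " + base + " after " + MAX_ATTEMPTS + " attempts");
    }

    public static void main(String[] args) {
        // Constructed sample of mail values already present in AD; compare case-insensitively as AD does.
        Set<String> taken = new HashSet<>();
        taken.add("jane.doe@example.com");
        taken.add("jane.doe1@example.com");
        UniqueMailGenerator gen = new UniqueMailGenerator(
                mail -> taken.contains(mail.toLowerCase(Locale.ROOT)), "example.com");
        System.out.println(gen.generate("Jane", "Doe"));
        System.out.println(gen.generate("Zoë", "O'Brien"));
    }
}
```

The existence check and the account create are separate operations, so two provisioning requests running at the same time can still settle on the same address; treat a failed create as a signal to regenerate rather than as the final state.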