Update AD Account Attributes Through SailPoint Workflows

We are exploring the capability to update the ‘account expiration’ attribute on Active Directory (AD) for a user based on input collected through SailPoint Forms. However, we’ve encountered a challenge: there doesn’t appear to be a direct method to modify AD account attributes via workflows.

As a potential workaround, we considered updating an identity attribute and leveraging attribute synchronization to push the change to AD. Unfortunately, SailPoint currently does not support direct identity attribute updates via workflows either.

Given these limitations, we would like to understand:

  • Is there a supported method to update account-level attributes in AD through workflows?
  • Alternatively, is it feasible to update an identity attribute in a way that allows it to be synchronized to the corresponding AD account attribute?

If anyone has encountered a similar use case or has suggestions or alternative approaches to achieve this in SailPoint Identity Security Cloud, we would greatly appreciate your input.

Hi,

For direct connectors, you cannot do update account from workflows. And as you mentioned, we cannot update identity attributes either.

One workaround I can think of is to create an intermediate delimited file with minimal account attributes. And for this delimited connector, you can trigger update account from a workflow.

-Abhinov

Hi Abhinav,

Thank you for the suggestion. We actually considered a similar approach using an intermediate delimited file connector to work around the limitation.

That said, we were hoping to explore if there are any alternative methods to achieve this before going down that path. If it turns out that this is the only viable option, then yes, the delimited file connector might end up being our fallback solution.

Appreciate your input!

Hi,

Yes, it's the only option I can think of. It's because we cannot store intermediate data in any attribute of ISC.

-Abhinov
