
How to Provision Users to Active Directory

Import employee records from an HR SQL database, transform attributes in the mesh, and provision user accounts into Active Directory.

60–90 minutes · Intermediate · Audience: IT professionals with basic Identity Mesh knowledge

Before You Begin

This guide assumes you have the following in place:

  • Identity Mesh Windows Service installed and running (Getting Started guide)
  • Admin UI accessible via your browser
  • SQL Server with an HR database (or willingness to create a sample one)
  • Active Directory domain that you can create user accounts in
  • Service account with write permissions to the target AD OU

Scenario

Your organization wants to automate employee provisioning. The HR system stores employee records in a SQL Server database. When a new employee is added to the HR database, Identity Mesh should automatically create a corresponding user account in Active Directory with the correct attributes, username, and OU placement.

The HR database contains an Employees table with columns: EmployeeId, FirstName, LastName, Email, Department, Title, and EmployeeType.

Architecture

HR SQL Database (Employees table) → SQL Connector (Import from HR DB) → Identity Mesh (Join, Flow, Compose, Project) → AD Connector (Export to AD) → Active Directory (OU=IMObjects)

Components You Will Create

| Component | Description |
| --- | --- |
| SQL Database Connector | Reads employees from the HR database |
| AD Connector | Writes user accounts to Active Directory |
| Join Rule | Matches HR employees to mesh objects by EmployeeId |
| Flow Rules (Inbound) | Maps FirstName, LastName, Email, Department, Title from SQL to mesh |
| MeshComposer Rule | Generates sAMAccountName and displayName from mesh attributes |
| Projection Rule | Provisions mesh objects as AD users in the IMObjects OU |
| Projection Attribute Rules | Maps mesh attributes to AD attributes (dn, sAMAccountName, displayName, givenName, sn, mail, department, title) |
Step 1: Create the AD Organizational Unit

Create a dedicated OU in Active Directory where Identity Mesh will provision new user accounts.

# PowerShell — run on a domain controller or machine with RSAT
New-ADOrganizationalUnit -Name "IMObjects" `
  -Path "DC=identitymesh,DC=com" `
  -Description "Provisioned by Identity Mesh"

Note: Replace DC=identitymesh,DC=com with your own domain distinguished name throughout this guide.

Step 2: Create the HR Database Table

If you don't already have an HR database, create a sample Employees table and insert test data.

CREATE TABLE Employees (
    EmployeeId    INT PRIMARY KEY,
    FirstName     NVARCHAR(100),
    LastName      NVARCHAR(100),
    Email         NVARCHAR(200),
    Department    NVARCHAR(100),
    Title         NVARCHAR(100),
    EmployeeType  NVARCHAR(50),
    ModifiedDate  DATETIME2 DEFAULT GETUTCDATE()
);

Insert a sample employee:

INSERT INTO Employees
    (EmployeeId, FirstName, LastName, Email, Department, Title, EmployeeType)
VALUES
    (1001, 'Jane', 'Doe', 'jane.doe@identitymesh.com',
     'Engineering', 'Software Engineer', 'Employee');

Step 3: Configure the SQL Database Connector

In the Admin UI, navigate to Connectors → Add Connector and select SQL Database.

  1. Name: Corporate HR
  2. Connector Type: SqlDatabase
  3. Import Query: SELECT * FROM Employees
  4. ExternalIdColumn: EmployeeId
  5. DeltaColumn: ModifiedDate (enables delta imports)

The resulting ConfigJson will look like:

{
  "ConnectionString": "Server=sqlserver;Database=HumanResources;Integrated Security=true;",
  "ImportQuery": "SELECT * FROM Employees",
  "ExternalIdColumn": "EmployeeId",
  "DeltaColumn": "ModifiedDate"
}

Step 4: Configure the Active Directory Connector

Add a second connector for Active Directory. Navigate to Connectors → Add Connector and select Active Directory.

  1. Name: Corporate AD
  2. Connector Type: ActiveDirectory
  3. CreateEnabled: true (allows Identity Mesh to create new AD accounts)
  4. ExternalIdAttribute: objectGUID

The resulting ConfigJson will look like:

{
  "LdapServer": "dc01.identitymesh.com",
  "BaseDn": "DC=identitymesh,DC=com",
  "SearchBases": ["OU=IMObjects,DC=identitymesh,DC=com"],
  "UseSsl": false,
  "Filter": "(&(objectClass=user)(objectCategory=person))",
  "ExternalIdAttribute": "objectGUID",
  "CreateEnabled": true,
  "AttributesToLoad": [
    "sAMAccountName", "displayName", "givenName", "sn",
    "mail", "department", "title", "employeeID"
  ]
}

Step 5: Create the Join Rule

A join rule tells Identity Mesh how to correlate imported objects with mesh objects. Navigate to Rules → Join Rules → Add Join Rule.

| Setting | Value |
| --- | --- |
| Connector | Corporate HR (SQL connector) |
| MSAttribute | EmployeeId |
| MeshAttribute | employeeId |
| IsAnchor | true |

When an employee is imported from SQL, Identity Mesh looks for an existing mesh object whose employeeId matches. If none is found, a new mesh object is created.

Step 6: Create Inbound Flow Rules

Flow rules define how attributes move from the SQL management space into the mesh. Navigate to Rules → Flow Rules → Add Flow Rule and create one rule per attribute.

| MSAttribute (SQL column) | MeshAttribute | Confidence | TransformScript |
| --- | --- | --- | --- |
| FirstName | firstName | 90 | |
| LastName | lastName | 90 | |
| Email | mail | 90 | ToLower(value) |
| Department | department | 90 | |
| Title | title | 90 | |
| EmployeeType | employeeType | 90 | |
| EmployeeId | employeeId | 100 | |

The confidence score of 90 means the HR system is a high-authority source. If another connector provides the same attribute with a lower confidence, the HR value wins.

Step 7: Create the MeshComposer Rule

MeshComposer rules generate new attributes from existing mesh attributes. Navigate to Rules → Composer → Add Composer Rule.

Create two composer rules:

Rule 1: Generate sAMAccountName

| Setting | Value |
| --- | --- |
| Target Attribute | sAMAccountName |
| Script | Concat(Left(firstName, 1), lastName) |

Example: firstName="Jane", lastName="Doe" → sAMAccountName="JDoe"

Rule 2: Generate displayName

| Setting | Value |
| --- | --- |
| Target Attribute | displayName |
| Script | Concat(firstName, " ", lastName) |

Example: firstName="Jane", lastName="Doe" → displayName="Jane Doe"

Step 8: Create the Projection Rule

A projection rule tells Identity Mesh which mesh objects should be provisioned to a target connector. Navigate to Rules → Projection Rules → Add Projection Rule.

| Setting | Value |
| --- | --- |
| Target Connector | Corporate AD |
| MeshObjectType | User |
| TargetObjectType | user |
| CreateIfMissing | true |
| TargetContainer | OU=IMObjects,DC=identitymesh,DC=com |
| PreconditionScript | source.employeeType !== "Contractor" |

The precondition script filters out contractors — only full employees will be provisioned to AD. Remove this condition if you want all employee types to be provisioned.

Step 9: Create Projection Attribute Rules

Projection attribute rules define how mesh attributes map to the target AD attributes. Add one rule per attribute on the projection rule you just created.

| MeshAttribute | TargetAttribute (AD) | TransformScript |
| --- | --- | --- |
| sAMAccountName | sAMAccountName | |
| displayName | displayName | |
| firstName | givenName | |
| lastName | sn | |
| mail | mail | |
| department | department | |
| title | title | |
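
To see how steps 5 through 9 fit together before running a real import, here is an added Python simulation of the rule chain; it is not Identity Mesh code, the rule and attribute names come from this guide, and the confidence precedence, the composed-attribute confidence, the dn format and the helper names (flow, compose, project, rows_from, run_sample) are assumptions. It goes one step beyond the guide by rejecting the sAMAccountName collision that Concat(Left(firstName, 1), lastName) produces for two employees with the same initial and surname, which Active Directory would refuse on export.

```python
# Added simulation of the rule chain in steps 5-9; not Identity Mesh code. Rule and attribute
# names come from this guide; confidence precedence, composed confidence and dn format are assumed.
TARGET_CONTAINER = "OU=IMObjects,DC=identitymesh,DC=com"
# Inbound flow rules (step 6): SQL column -> (mesh attribute, confidence, transform)
FLOW_RULES = {"EmployeeId": ("employeeId", 100, None), "FirstName": ("firstName", 90, None),
              "LastName": ("lastName", 90, None), "Email": ("mail", 90, str.lower),  # ToLower(value)
              "Department": ("department", 90, None), "Title": ("title", 90, None),
              "EmployeeType": ("employeeType", 90, None)}
# Projection attribute rules (step 9): mesh attribute -> AD attribute
PROJECTION_ATTRS = {"sAMAccountName": "sAMAccountName", "displayName": "displayName", "firstName": "givenName",
                    "lastName": "sn", "mail": "mail", "department": "department", "title": "title"}

def flow(mesh, rows):
    # Join on EmployeeId (step 5); an incoming value replaces a stored one only at >= confidence
    for row in rows:
        obj = mesh.setdefault(str(row["EmployeeId"]), {})
        for col, (attr, conf, transform) in FLOW_RULES.items():
            value = transform(row[col]) if transform else row[col]
            if attr not in obj or conf >= obj[attr][1]:
                obj[attr] = (value, conf)
    return mesh

def compose(obj):
    # MeshComposer rules (step 7); composed values get an assumed confidence of 100
    first, last = obj["firstName"][0], obj["lastName"][0]
    obj["sAMAccountName"] = (first[:1] + last, 100)   # Concat(Left(firstName, 1), lastName)
    obj["displayName"] = (f"{first} {last}", 100)     # Concat(firstName, " ", lastName)
def project(mesh):
    # Projection rule (step 8); also rejects a duplicate or over-20-character sAMAccountName, which AD refuses
    users, seen = [], set()
    for obj in mesh.values():
        if obj["employeeType"][0] == "Contractor":    # source.employeeType !== "Contractor"
            continue
        compose(obj)
        sam = obj["sAMAccountName"][0]
        if len(sam) > 20 or sam in seen:
            raise ValueError(f"sAMAccountName {sam!r} is too long or already in use")
        seen.add(sam)
        user = {target: obj[src][0] for src, target in PROJECTION_ATTRS.items()}
        user["dn"] = f"CN={user['displayName']},{TARGET_CONTAINER}"  # assumed dn rule
        users.append(user)
    return users

COLUMNS = ["EmployeeId", "FirstName", "LastName", "Email", "Department", "Title", "EmployeeType"]
def rows_from(tuples):   # constructed HR rows in the column order of the Employees table
    return [dict(zip(COLUMNS, t)) for t in tuples]
def run_sample():   # the guide's Jane Doe plus a constructed contractor who must not be provisioned
    return project(flow({}, rows_from([
        (1001, "Jane", "Doe", "Jane.Doe@IdentityMesh.com", "Engineering", "Software Engineer", "Employee"),
        (1002, "Sam", "Lee", "sam.lee@identitymesh.com", "Finance", "Analyst", "Contractor")])))
```

Running run_sample() yields a single AD user for Jane Doe; the contractor row is dropped by the precondition, and the mixed-case email is lowercased by the flow transform.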

Step 10: Run the Initial Import

Trigger a full import from the SQL connector to pull employee records into the management space and apply join/flow rules.

  1. Navigate to Connectors and select Corporate HR
  2. Click Full Import
  3. Monitor the run history until the import completes successfully

Verify:

  • Run history shows status: Success with 1 object imported
  • Management space objects page shows Jane Doe's record

Step 11: Verify Mesh Objects

Navigate to Mesh Objects in the Admin UI and confirm the imported data was joined and flowed correctly.

  • A mesh object for Jane Doe exists
  • firstName = "Jane", lastName = "Doe"
  • mail = "jane.doe@identitymesh.com" (lowercased by flow rule transform)
  • sAMAccountName = "JDoe" (generated by MeshComposer)
  • displayName = "Jane Doe" (generated by MeshComposer)
  • Confidence scores are 90 for all HR-sourced attributes

Step 12: Run the Export

The projection engine has evaluated the projection rule and queued Jane Doe for creation in AD. Trigger an export on the AD connector.

  1. Navigate to Connectors and select Corporate AD
  2. Click Export
  3. Monitor the run history until the export completes successfully

Verify:

  • Export run history shows status: Success with 1 object created
  • The export queue for the AD connector is now empty

Step 13: Verify the User in Active Directory

Confirm the new user account was created in the target OU with the correct attributes.

# PowerShell
Get-ADUser -Filter "sAMAccountName -eq 'JDoe'" `
  -SearchBase "OU=IMObjects,DC=identitymesh,DC=com" `
  -Properties displayName, givenName, sn, mail, department, title

Expected output:

sAMAccountName JDoe
displayName Jane Doe
givenName Jane
sn Doe
mail jane.doe@identitymesh.com
department Engineering
title Software Engineer

Step 14: Test Delta Sync

Verify that changes in the HR database flow through to Active Directory automatically.

1. Update the HR record:

UPDATE Employees
SET Title = 'Senior Software Engineer',
    ModifiedDate = GETUTCDATE()
WHERE EmployeeId = 1001;

2. Run a delta import on the Corporate HR connector via the Admin UI.

3. Verify the mesh object's title attribute updated to "Senior Software Engineer".

4. Run an export on the Corporate AD connector.

5. Verify in AD:

# PowerShell
(Get-ADUser -Filter "sAMAccountName -eq 'JDoe'" -Properties title).title
# Expected output: Senior Software Engineer
