User Provisioning with Active Directory enables organisations to automatically create, update, and deactivate user accounts in OutThink based on the information stored in their directory system (ex. EntraId or on‑prem AD) or HR data exports.
This removes the need for manual uploads, keeps user data accurate, and ensures that employees always receive the right training, phishing and communications based on their role, location, or department. Provisioning runs continuously, so any change in Active Directory is reflected in OutThink.
1. When to Use CSV/SFTP User Provisioning method?
If SCIM is not the preferred provisioning method for your organization, you can synchronize users with OutThink using a CSV‑based process instead. This approach is typically used by customers with on‑premises directories, complex multi-organization hierarchies or environments where SCIM cannot be enabled.
This method requires:
- A regular extraction of user data from Active Directory (e.g., via PowerShell/scripting, third‑party tools, etc.)
- Secure transfer of the generated CSV file to OutThink using Secure FTP (SFTP)
- Optional additional tooling to automate the extraction and scheduling process
This guide walks you through how to set up and automate CSV‑based user provisioning to ensure your end‑users remain synchronised with the OutThink platform.
OutThink reads a defined set of user attributes and uses them to:
- Create new users when they appear in your directory
- Update existing users when any mapped attribute changes
- Deactivate users when they are removed from the directory or flagged as inactive
Each user is uniquely identified by the sourceIdentifier, ensuring accurate 1‑to‑1 matching between the directory and OutThink accounts.
OutThink supports a wide range of user attributes. Only four fields are mandatory; all others are optional but recommended for richer personalisation and accurate reporting.
Although only a subset of fields are required for user creation, mapping as many attributes as possible unlocks advanced OutThink product capabilities, including richer personalization, automated workflows, manager visibility, dynamic targeting, and deeper risk insights.
2. Attributes to include:
You must first determine which users you wish to synchronize from your Active Directory with the OutThink platform. This may be your entire organization, or just a subset of users.
Using either an export-engine, script (Powershell, etc), the capabilities of your Directory, or a third-party tool (such as AD Manager Plus from ManageEngine), extract your user population to a CSV file.
This extraction should happen regularly to ensure that any changes to your user population is reflected in the OutThink platform. This may typically be every 24 or 48 hours, but can be more or less frequent if required.
| User Attribute | Mandatory? |
|---|---|
| sourceIdentifier | Yes |
| firstName | Yes |
| lastName | Yes |
| Yes | |
| jobRole | No |
| department | No |
| managerSourceIdentifier | No |
| country | No |
| language | No |
| customId | No |
| objectId | No* |
| lmsIdentifier | No* |
Please note the following:
sourceIdentifier – Because this field defines the user’s unique identity, it must stay consistent. Changing it creates a new user, while updating any other attributes simply modifies the existing user record.
managerSourceIdentifier – The sourceIdentifier of the user’s manager; this value must correspond to the sourceIdentifier of a manager who is also provisioned in the tenant; only provisioned users can appear as managers in OutThink.
objectID* – The user’s Microsoft Object ID, required for Graph API and MS Teams integrations to enable expanded functionality. It can be omitted for non-MS directories.
preferredLanguage – The user’s preferred language, which defines the language used for all platform communications, training and phishing simulations. Optional.
If provided, this must be a combination of an ISO-639-1 Language Code (“639-1” column) and an ISO-3166-1 Alpha 2 Country Code (green or blue field in Decoding Table). Available language options:
| ar-AE | Arabic – UAE |
| cs-CZ | Czech |
| da-DK | Danish |
| de-DE | German |
| en-GB | English – UK |
| en-US | English – USA |
| es-MX | Spanish |
| fi-FI | Finnish |
| fr-FR | French |
| he-IL | Hebrew |
| hu-HU | Hungarian |
| it-IT | Italian |
| lt-LT | Lithuanian |
| nb-NO | Norwegian Bokmål |
| nl-NL | Dutch |
| pl-PL | Polish |
| pt-BR | Portuguese – Brazil |
| pt-PT | Portuguese – Portugal |
| ro-RO | Romanian |
| sk-SK | Slovak |
| sv-SE | Swedish |
| sw-KE | Swahili |
| tr-TR | Turkish |
| zh-Hans | Chinese (Simplified) |
country – The User’s country, typically where they reside or perform their work. Optional.
If provided, this must be an ISO 3166-1 “Alpha 2” Code, such as “GB”, “US” or “FR”.
lmsIdentifier* – This identifier is optional, unless training is delivered through an LMS.
If your LMS uses a different user ID than your Directory, you must provide the LMS user identifier here so OutThink can correctly match learner records.
The CSV file must have a header row with the attribute names given above.
3. Schedule sending the CSV file to the OutThink Platform, via SFTP
Every time the CSV file is generated (or regenerated), it should be passed securely to the OutThink platform. Upon receipt, the OutThink engines will process the file and automatically process any changes (additions, deletions and updates) required to ensure the users are correctly synchronized. This process may take up to an hour, therefore allow time between sending an updated file and seeing those user changes reflected in the OutThink Command Centre.
Where possible, for single organization tenants, please use the filename users.csv as the submitted file. For multi-organization tenants, please refer to your Customer Success Manager for naming requirements.
Submitting the file to the OutThink SFTP Servers should be automated using appropriate scheduling or workflow software.
Your OutThink Customer Success Manager will securely provide the address of the SFTP Servers, together with a username and SSH key that you require to securely authenticate.
OutThink employs strict handling policies for all personal identifiable information either transmitted or stored. This includes requirements to ensure the data sent to OutThink is encrypted at all times, and is removed immediately upon processing. The user data is encrypted within the realms of your private customer tenancy, in your chosen geographic hosting region.
Was this helpful?
10 / 1