Provision Identities Through Manual Import

Umbrella supports provisioning users and groups by manually importing identities from a CSV file. You must export your Active Directory (AD) users and groups to a CSV file. We recommend using CSVDE.EXE from a domain controller.

  • For each upload, the CSV file can have up to 4000 rows. An import may require ten minutes. Each subsequent CSV file upload replaces the contents of the previous upload. For large numbers of users and groups, we recommend using AD provisioning.
  • To switch from AD provisioning to CSV import, you must uninstall your AD Connectors and delete the AD Connectors from the Sites and AD page.

Table of Contents


  • Export your AD users and groups to a CSV file.

CSV File Structure

The CSV file must include the users and groups information in a comma delimited format:

Header row:


Object row:

"CN=SAMLUser,CN=Users,DC=mycompany,DC=local",User,SAML,[email protected],[email protected],"CN=Group2,CN=Users,DC=mycompany,DC=com"

The following characters are not supported:


CSV File Fields

FieldRequiredNotesSupported Number of Characters
userPrincipalName✔️ The UPN corresponds to the principal we receive in the SAML assertion, and is often identical to the object’s mail attribute. However, this is not always the case. The UPN is constant, but the mail attribute may change.
Example: [email protected]
mail✔️ Only valid email addresses
Example: [email protected]

A user may belong to multiple groups, which are defined in the memberOf attribute.

For example:



  1. Navigate to Deployments > Core Identities > Users and Groups.
  1. Expand Manual Import and click Import Users and Groups.
  1. Drag and drop or select your CSV file, then click Save. You can download the CSV template for entering users and groups. The Users and Groups section appears with the objects you uploaded.

After your organization's identities are imported into Umbrella, you can apply AD Users and AD Groups identities to the Web policy. For more information, see Manage the Web Policy. You must install the Cisco certificate on all clients configured for the policy. For more information, see Manage Policies.

Communication Flow and Troubleshooting < Provision Identities Through Manual Import > Provision Identities from Azure AD