blindzero · blindzero · Feb 11, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/docs/reference/capabilities.md b/docs/reference/capabilities.md
@@ -114,7 +114,7 @@ Steps require capabilities, but **capabilities are not step names**.
 
 Examples of step type identifiers (not capabilities):
 
-- `IdLE.Step.EnsureAttribute`
+- `IdLE.Step.EnsureAttributes`
 - `IdLE.Step.DisableIdentity`
 
 If you need a mapping between step types and required capabilities, document that mapping next to the

diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md
@@ -1,3 +1,3 @@
 ---
 title: Provider Reference - IdLE.Provider.AD (Active Directory)
 sidebar_label: Active Directory
@@ -119,12 +119,14 @@
 
 ## Installation and Import
 
-The AD provider is automatically imported when you import the main IdLE module:
+The AD provider is a **standalone provider module** that must be imported separately:
 
 ```powershell
-Import-Module IdLE
+Import-Module IdLE.Provider.AD
 ```
 
+**Note:** The AD provider requires `IdLE.Core` to be available. When using IdLE in development mode (from the repository), import the main `IdLE` module first, which automatically loads the required dependencies and extends `PSModulePath` to make provider modules discoverable by name. When using published packages from PowerShell Gallery, module dependencies are resolved automatically.
+
 This makes `New-IdleADIdentityProvider` available in your session.
 
 ---
@@ -322,24 +324,13 @@
 
 ```powershell
 @{
-    Type = 'IdLE.Step.EnsureAttribute'
-    Name = 'SetPrivilegedAttribute'
-    With = @{
-        IdentityKey = 'user@domain.com'
-        Name = 'AdminCount'
-        Value = 1
-        AuthSessionName = 'ActiveDirectory'
-        AuthSessionOptions = @{ Role = 'Tier0' }  # Broker returns Tier0 credential
-    }
-}
-
-@{
-    Type = 'IdLE.Step.EnsureAttribute'
+    Type = 'IdLE.Step.EnsureAttributes'
     Name = 'SetDepartment'
     With = @{
         IdentityKey = 'user@domain.com'
-        Name = 'Department'
-        Value = 'IT'
+        Attributes = @{
+            Department = 'IT'
+        }
         AuthSessionName = 'ActiveDirectory'
         AuthSessionOptions = @{ Role = 'Admin' }  # Broker returns Admin credential
     }
@@ -529,7 +520,7 @@
 - **IdLE.Step.EnableIdentity** - Enable user accounts
 - **IdLE.Step.MoveIdentity** - Move users between OUs
 - **IdLE.Step.DeleteIdentity** - Delete user accounts (requires provider initialization with `-AllowDelete` switch)
-- **IdLE.Step.EnsureAttribute** - Set/update user attributes
+- **IdLE.Step.EnsureAttributes** - Set/update user attributes
 - **IdLE.Step.EnsureEntitlement** - Manage group memberships
 
 Step metadata (including required capabilities) is provided by step pack modules (`IdLE.Steps.Common`) and used for plan-time validation.
@@ -662,17 +653,18 @@
 }
 ```
 
-**Setting Manager via EnsureAttribute (UPN):**
+**Setting Manager via EnsureAttributes (UPN):**
 
 ```powershell
 @{
   Name = 'SetManager'
-  Type = 'IdLE.Step.EnsureAttribute'
+  Type = 'IdLE.Step.EnsureAttributes'
   With = @{
     Provider = 'Identity'
     IdentityKey = 'jdoe'
-    Name = 'Manager'
-    Value = 'jsmith@contoso.local'  # UPN - will be resolved to DN
+    Attributes = @{
+      Manager = 'jsmith@contoso.local'  # UPN - will be resolved to DN
+    }
     AuthSessionName = 'ActiveDirectory'
   }
 }
@@ -685,12 +677,13 @@
 ```powershell
 @{
   Name = 'ClearManager'
-  Type = 'IdLE.Step.EnsureAttribute'
+  Type = 'IdLE.Step.EnsureAttributes'
   With = @{
     Provider = 'Identity'
     IdentityKey = 'jdoe'
-    Name = 'Manager'
-    Value = $null
+    Attributes = @{
+      Manager = $null
+    }
     AuthSessionName = 'ActiveDirectory'
   }
 }

diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md
@@ -1,3 +1,3 @@
 ---
 title: Provider Reference - IdLE.Provider.EntraID
 sidebar_label: Entra ID
@@ -316,7 +316,7 @@
 | `IdLE.Step.CreateIdentity` | `User.ReadWrite.All` | Requires write permissions to create users |
 | `IdLE.Step.DisableIdentity` | `User.ReadWrite.All` | Modifies `accountEnabled` property |
 | `IdLE.Step.EnableIdentity` | `User.ReadWrite.All` | Modifies `accountEnabled` property |
-| `IdLE.Step.EnsureAttribute` | `User.ReadWrite.All` | Modifies user properties (displayName, department, etc.) |
+| `IdLE.Step.EnsureAttributes` | `User.ReadWrite.All` | Modifies user properties (displayName, department, etc.) |
 | `IdLE.Step.DeleteIdentity` | `User.ReadWrite.All` | Requires `AllowDelete = $true` on provider |
 | `IdLE.Step.RevokeIdentitySessions` | `User.RevokeSessions.All` | Security-sensitive; invalidates all active sessions |
 | `IdLE.Step.EnsureEntitlement` | `Group.Read.All`<br/>`GroupMember.ReadWrite.All` | Lists and modifies group memberships |
@@ -511,7 +511,7 @@
 
 ### Identity Attributes
 
-These attributes can be set via `CreateIdentity` and `EnsureAttribute`:
+These attributes can be set via `CreateIdentity` and `EnsureAttributes`:
 
 | Attribute | Graph Property | Notes |
 |-----------|---------------|-------|
@@ -609,7 +609,7 @@
 The provider works with these built-in IdLE steps:
 
 - `IdLE.Step.CreateIdentity`
-- `IdLE.Step.EnsureAttribute`
+- `IdLE.Step.EnsureAttributes`
 - `IdLE.Step.DisableIdentity`
 - `IdLE.Step.EnableIdentity`
 - `IdLE.Step.RevokeIdentitySessions` (revokes active sign-in sessions)

diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md
@@ -115,7 +115,9 @@ This provider has no additional data-only option keys beyond its constructor par
 ### Idempotency and consistency
 
 - **Idempotent operations:** Partial
-  - `EnsureAttribute` is idempotent (returns `Changed = $false` when already converged).
+  - `EnsureAttributes` step is idempotent (returns `Changed = $false` when already converged).
+    - The step calls the provider's `EnsureAttributes` method if available (batch operation).
+    - Otherwise, it falls back to calling `EnsureAttribute` for each attribute individually.
   - `DisableIdentity` is idempotent.
   - Entitlement grant/revoke are idempotent by Kind+Id.
   - `GetIdentity` creates missing identities on demand (test convenience).
@@ -159,12 +161,13 @@ $result = Invoke-IdlePlan -Plan $plan -Providers $providers
   Steps = @(
     @{
       Name = 'Ensure department'
-      Type = 'IdLE.Step.EnsureAttribute'
+      Type = 'IdLE.Step.EnsureAttributes'
       With = @{
         Provider    = 'Identity'
         IdentityKey = 'user1'
-        Name        = 'Department'
-        Value       = 'IT'
+        Attributes  = @{
+          Department = 'IT'
+        }
       }
     }
   )

diff --git a/docs/reference/steps.md b/docs/reference/steps.md
@@ -10,7 +10,7 @@
 | [IdLE.Step.DisableIdentity](steps/step-disable-identity.md) | ``IdLE.Steps.Common`` | Disables an identity in the target system. |
 | [IdLE.Step.EmitEvent](steps/step-emit-event.md) | ``IdLE.Steps.Common`` | Emits a custom event (demo step). |
 | [IdLE.Step.EnableIdentity](steps/step-enable-identity.md) | ``IdLE.Steps.Common`` | Enables an identity in the target system. |
-| [IdLE.Step.EnsureAttribute](steps/step-ensure-attribute.md) | ``IdLE.Steps.Common`` | Ensures that an identity attribute matches the desired value. |
+| [IdLE.Step.EnsureAttributes](steps/step-ensure-attributes.md) | ``IdLE.Steps.Common`` | Ensures that multiple identity attributes match their desired values. |
 | [IdLE.Step.EnsureEntitlement](steps/step-ensure-entitlement.md) | ``IdLE.Steps.Common`` | Ensures that an entitlement assignment is present or absent for an identity. |
 | [IdLE.Step.Mailbox.EnsureOutOfOffice](steps/step-mailbox-ensure-out-of-office.md) | ``IdLE.Steps.Mailbox`` | Ensures that a mailbox Out of Office (OOF) configuration matches the desired state. |
 | [IdLE.Step.Mailbox.EnsureType](steps/step-mailbox-ensure-type.md) | ``IdLE.Steps.Mailbox`` | Ensures that a mailbox is of the desired type (User, Shared, Room, Equipment). |

diff --git a/.../reference/steps/step-ensure-attribute.md → ...reference/steps/step-ensure-attributes.md b/.../reference/steps/step-ensure-attribute.md → ...reference/steps/step-ensure-attributes.md
@@ -1,27 +1,31 @@
-# IdLE.Step.EnsureAttribute
+# IdLE.Step.EnsureAttributes
 
 > Generated file. Do not edit by hand.
 > Source: tools/Generate-IdleStepReference.ps1
 
 ## Summary
 
-- **Step Type**: `IdLE.Step.EnsureAttribute`
+- **Step Type**: `IdLE.Step.EnsureAttributes`
 - **Module**: `IdLE.Steps.Common`
-- **Implementation**: `Invoke-IdleStepEnsureAttribute`
+- **Implementation**: `Invoke-IdleStepEnsureAttributes`
 - **Idempotent**: `Yes`
 
 ## Synopsis
 
-Ensures that an identity attribute matches the desired value.
+Ensures that multiple identity attributes match their desired values.
 
 ## Description
 
-The host must supply a provider instance via
-Context.Providers[&lt;ProviderAlias&gt;]. The provider must implement an EnsureAttribute
-method with the signature (IdentityKey, Name, Value) and return an object that
-contains a boolean property 'Changed'.
+This is a provider-agnostic step that can ensure multiple attributes in a single step.
+The host must supply a provider instance via Context.Providers[&lt;ProviderAlias&gt;].
 
-The step is idempotent by design: it converges state to the desired value.
+Provider interaction strategy:
+
+1. If the provider implements EnsureAttributes(IdentityKey, AttributesHashtable), it is called once (fast path).
+
+2. Otherwise, the step falls back to calling EnsureAttribute(IdentityKey, Name, Value) for each attribute.
+
+The step is idempotent by design: it converges state to the desired values.
 
 Authentication:
 
@@ -40,20 +44,18 @@ The following keys are required in the step's ``With`` configuration:
 
 | Key | Required | Description |
 | --- | --- | --- |
+| `Attributes` | Yes | Hashtable of attributes to set |
 | `IdentityKey` | Yes | Unique identifier for the identity |
-| `Name` | Yes | Name of the attribute or property |
-| `Value` | Yes | Desired value to set |
 
 ## Example
 
 ```powershell
 @{
-  Name = 'IdLE.Step.EnsureAttribute Example'
-  Type = 'IdLE.Step.EnsureAttribute'
+  Name = 'IdLE.Step.EnsureAttributes Example'
+  Type = 'IdLE.Step.EnsureAttributes'
   With = @{
+    Attributes           = @{ GivenName = 'First'; Surname = 'Last' }
     IdentityKey          = 'user.name'
-    Name                 = 'AttributeName'
-    Value                = 'AttributeValue'
   }
 }
 ```

diff --git a/docs/use/installation.md b/docs/use/installation.md
@@ -102,7 +102,7 @@ Get-Command -Module IdLE
 `IdLE` is the **baseline** entrypoint. It declares `IdLE.Core` and `IdLE.Steps.Common` as dependencies:
 
 - **IdLE.Core** — the workflow engine (step-agnostic)
-- **IdLE.Steps.Common** — first-party built-in steps (e.g. `IdLE.Step.EmitEvent`, `IdLE.Step.EnsureAttribute`)
+- **IdLE.Steps.Common** — first-party built-in steps (e.g. `IdLE.Step.EmitEvent`, `IdLE.Step.EnsureAttributes`)
 
 **PowerShell Gallery installation:**
 PowerShell automatically installs and imports these dependencies when you `Install-Module IdLE` and `Import-Module IdLE`.

diff --git a/docs/use/quickstart.md b/docs/use/quickstart.md
@@ -105,7 +105,7 @@ The mock provider below can be used with workflows that use following Step Types
 
 - IdLE.Step.EmitEvent
 - IdLE.Step.ReadIdentity
-- IdLE.Step.EnsureAttribute
+- IdLE.Step.EnsureAttributes
 - IdLE.Step.DisableIdentity
 - IdLE.Step.EnableIdentity
 - IdLE.Step.EnsureEntitlement

diff --git a/examples/README.md b/examples/README.md
@@ -13,7 +13,7 @@ Workflows that run out-of-the-box with `IdLE.Provider.Mock`. These are fully fun
 
 **Workflows:**
 - `joiner-minimal.psd1` — minimal workflow with a single EmitEvent step
-- `joiner-minimal-ensureattribute.psd1` — demonstrates EnsureAttribute step
+- `joiner-minimal-ensureattributes.psd1` — demonstrates EnsureAttributes step with multiple attributes
 - `joiner-ensureentitlement.psd1` — demonstrates EnsureEntitlement step for group assignment
 - `joiner-with-condition.psd1` — demonstrates conditional step execution
 - `joiner-with-onfailure.psd1` — demonstrates OnFailureSteps for cleanup and notifications
@@ -126,7 +126,7 @@ Hosts can optionally stream events live by providing `-EventSink` as an object i
 | Workflow File | Category | Runnable with Mock | Required Providers | External Prerequisites |
 |---------------|----------|--------------------|--------------------|------------------------|
 | joiner-minimal.psd1 | Mock | ✅ Yes | Identity (Mock) | None |
-| joiner-minimal-ensureattribute.psd1 | Mock | ✅ Yes | Identity (Mock) | None |
+| joiner-minimal-ensureattributes.psd1 | Mock | ✅ Yes | Identity (Mock) | None |
 | joiner-ensureentitlement.psd1 | Mock | ✅ Yes | Identity (Mock) | None |
 | joiner-with-condition.psd1 | Mock | ✅ Yes | Identity (Mock) | None |
 | joiner-with-onfailure.psd1 | Mock | ✅ Yes | Identity (Mock) | None |

diff --git a/examples/workflows/joiner-with-retry-profiles.psd1 b/examples/workflows/joiner-with-retry-profiles.psd1
@@ -55,12 +55,13 @@
 
         @{
             Name         = 'Set manager attribute'
-            Type         = 'IdLE.Step.EnsureAttribute'
+            Type         = 'IdLE.Step.EnsureAttributes'
             Description  = 'Set manager reference in Entra ID'
             RetryProfile = 'GraphAPI'
             With         = @{
-                AttributeName = 'manager'
-                Value         = '{{Request.Data.ManagerId}}'
+                Attributes = @{
+                    manager = '{{Request.Data.ManagerId}}'
+                }
             }
         }
     )

diff --git a/examples/workflows/mock/joiner-ensureentitlement.psd1 b/examples/workflows/mock/joiner-ensureentitlement.psd1
@@ -4,8 +4,8 @@
     Steps          = @(
         @{
             Name = 'Ensure Department'
-            Type = 'IdLE.Step.EnsureAttribute'
-            With = @{ IdentityKey = 'user1'; Name = 'Department'; Value = 'IT'; Provider = 'Identity' }
+            Type = 'IdLE.Step.EnsureAttributes'
+            With = @{ IdentityKey = 'user1'; Attributes = @{ Department = 'IT' }; Provider = 'Identity' }
         },
         @{
             Name = 'Assign demo group'

diff --git a/.../mock/joiner-minimal-ensureattribute.psd1 → ...mock/joiner-minimal-ensureattributes.psd1 b/.../mock/joiner-minimal-ensureattribute.psd1 → ...mock/joiner-minimal-ensureattributes.psd1
@@ -1,5 +1,5 @@
 @{
-  Name           = 'Joiner - Minimal (EnsureAttribute)'
+  Name           = 'Joiner - Minimal (EnsureAttributes)'
   LifecycleEvent = 'Joiner'
 
   Steps          = @(
@@ -12,13 +12,16 @@
     }
 
     @{
-      Name = 'Ensure Department'
-      Type = 'IdLE.Step.EnsureAttribute'
+      Name = 'Ensure user attributes'
+      Type = 'IdLE.Step.EnsureAttributes'
       With = @{
         Provider    = 'Identity'
         IdentityKey = 'user1'
-        Name        = 'Department'
-        Value       = 'IT'
+        Attributes  = @{
+          Department = 'IT'
+          Title      = 'Engineer'
+          Office     = 'Building A'
+        }
       }
     }
 

diff --git a/examples/workflows/mock/joiner-with-onfailure.psd1 b/examples/workflows/mock/joiner-with-onfailure.psd1
@@ -11,11 +11,12 @@
         }
         @{
             Name = 'Ensure Department'
-            Type = 'IdLE.Step.EnsureAttribute'
+            Type = 'IdLE.Step.EnsureAttributes'
             With = @{ 
                 IdentityKey = 'user1'
-                Name        = 'Department'
-                Value       = 'IT'
+                Attributes  = @{
+                    Department = 'IT'
+                }
                 Provider    = 'Identity'
             }
         }

diff --git a/examples/workflows/templates/ad-joiner-complete.psd1 b/examples/workflows/templates/ad-joiner-complete.psd1
@@ -23,22 +23,14 @@
             }
         },
         @{
-            Name = 'Set Department'
-            Type = 'IdLE.Step.EnsureAttribute'
+            Name = 'Set Department and Title'
+            Type = 'IdLE.Step.EnsureAttributes'
             With = @{
                 IdentityKey = 'newuser@contoso.local'
-                Name        = 'Department'
-                Value       = 'IT'
-                Provider    = 'Identity'
-            }
-        },
-        @{
-            Name = 'Set Title'
-            Type = 'IdLE.Step.EnsureAttribute'
-            With = @{
-                IdentityKey = 'newuser@contoso.local'
-                Name        = 'Title'
-                Value       = 'Software Engineer'
+                Attributes  = @{
+                    Department = 'IT'
+                    Title      = 'Software Engineer'
+                }
                 Provider    = 'Identity'
             }
         },

diff --git a/examples/workflows/templates/ad-leaver-offboarding.psd1 b/examples/workflows/templates/ad-leaver-offboarding.psd1
@@ -14,11 +14,12 @@
         },
         @{
             Name = 'Update Description with termination date'
-            Type = 'IdLE.Step.EnsureAttribute'
+            Type = 'IdLE.Step.EnsureAttributes'
             With = @{
                 IdentityKey = 'leavinguser@contoso.local'
-                Name        = 'Description'
-                Value       = 'Terminated 2026-01-18'
+                Attributes  = @{
+                    Description = 'Terminated 2026-01-18'
+                }
                 Provider    = 'Identity'
             }
         },