Using the Google Provisioning API, under Managing Organization Units, it states that the creation of a user within an organization unit is a two step process. First I must create the user and then I must move them into an OU.
This creates a problem if I am migrating somebody from a legacy system. Creating their account causes our routing to immediately start sending emails to that account, overriding their legacy account. However, we will often create these accounts in advance and so have a specific OU for which routing is ignored.
Currently, we have to create the account with a different email address (e.g. append "-renamed" to the username), move the account in the non-routing OU, rename the account back again and finally remove the extraneous "-renamed" alias that is created during the rename. This seems pretty messy for what should be a simple operation.
Is there a simpler/better way of doing this?
Sadly you cannot create a user in a specific suborg right away. I take that you have some kind of callback after a new user is created wired up to the routing, you can either tell that service to ignore the next callback for that specific username before creating the user or have your default organization as the non-routed one.
I can also just recommend using SAML SSO, especially if the user is going to need any other account, syncing accounts correctly and handling exceptions in this context can be a pain.