I saw that CMSEnsureSafeUserNames applied to Active Directory, but was hoping that CMSUserValidationRegEx did not. It seems like it doesn't based on the documentation. However, it doesn't list the Import Toolkit.
Applies when new users register on the website, are created in the administration interface or through the API, and when the name of an existing user is modified.
I was also hoping not to have to write a custom import using the API in a Console App, but as you suggest that looks to be my only solution. I'll double check the app setting CMSUserValidationRegEx in the Console App to verify whether it will work with the API or it truly is only for use with Active Directory. I'll report back on what I find.
Thanks for the help!