Identity and Account Management
Apporetum correlates accounts from every Data Source to your Identities so that your Security Operations teams gain a new level of visibility of accounts across all your Directories. Algorithms detect the primary and secondary accounts belonging to an identity using a range of scores that find the identity most likely to own each account. However, the technology isn't magic: it requires some prior setup so that accounts are correlated efficiently and accurately. The following article outlines how to choose the mastered account that seeds and maintains the Identity.
Selecting the optimal source for your Identities
Apporetum initially masters each Identity from the primary account of each end user. However, it may take some careful analysis to determine which primary account to use, because the mastered AD primary account sometimes holds more information than its synced counterpart in Entra ID (formerly Azure Active Directory). The choice of account is not always obvious. As a general rule of thumb, take the following into consideration to determine which directory object is best to use.
1. Maximise Uniquely Identifiable Attributes
Apporetum relies on the Identity having attributes which are uniquely identifiable so that accounts are not confused with the wrong Identity. For example, attributes like Email, User Principal Name, Username, Employee Id, and Employee Number should be either empty or have a unique value.
2. Maximise Matching Attributes
Apporetum needs attributes which contain identity-unique properties to find a strong correlation to an account. Ensuring that information like Employee Id or email contains identifiable information means accounts can be matched efficiently. Weaker-matching attributes such as Display Name, Phone number and proxy addresses also contribute to the score, so ensure they are populated as fully as possible.
3. Minimise Stale Information
Stale information is the enemy of Apporetum. Consider how up to date the information on each account is when choosing which account to set as the master. Accounts which are maintained via Microsoft Identity Manager or by a third-party system often have the most current information and may be the perfect candidate for Apporetum.
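The three rules above can be checked mechanically before you pick a master account. The following is an added example, not Apporetum's own code: it treats each directory account and identity as a dictionary, validates that strong attributes are empty or unique within their Data Source (rule 1), scores candidate matches with heavier weights for strong identifiers and lighter weights for display name, phone and proxy addresses (rule 2), and picks a master by populated strong attributes with last-updated date as the tie-breaker (rule 3). The attribute names, weights, threshold, `source` and `last_updated` fields and all sample records are constructed assumptions for illustration; Apporetum's real scoring is not published on this page.

```python
from datetime import date

# Weights and threshold are constructed for this example; they are not Apporetum's.
STRONG_ATTRS = {"employee_id": 60, "email": 50, "upn": 50, "username": 40}
WEAK_ATTRS = {"display_name": 10, "phone": 8, "proxy_addresses": 12}
MATCH_THRESHOLD = 40


def norm(value):
    """Normalise an attribute to a set of lowercase strings (empty set if blank)."""
    if value is None:
        return set()
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return {str(v).strip().lower() for v in values if str(v).strip()}


def find_non_unique(accounts, attrs=tuple(STRONG_ATTRS)):
    """Rule 1: a strong attribute may be empty, but a non-empty value must belong
    to exactly one account within its Data Source.
    Returns {source: {attr: {value: [account ids]}}} for every violation."""
    by_source = {}
    for acc in accounts:
        by_source.setdefault(acc["source"], []).append(acc)
    problems = {}
    for source, accs in by_source.items():
        for attr in attrs:
            owners = {}
            for acc in accs:
                for v in norm(acc.get(attr)):
                    owners.setdefault(v, []).append(acc["id"])
            dups = {v: ids for v, ids in owners.items() if len(ids) > 1}
            if dups:
                problems.setdefault(source, {})[attr] = dups
    return problems


def match_score(identity, account):
    """Rule 2: sum the weights of attributes the identity and account share."""
    total = 0
    for attr, weight in {**STRONG_ATTRS, **WEAK_ATTRS}.items():
        if norm(identity.get(attr)) & norm(account.get(attr)):
            total += weight
    return total


def correlate(identities, accounts, threshold=MATCH_THRESHOLD):
    """Assign each account to its best-scoring identity as (identity id, score),
    or None when the best score is below the threshold or two identities tie."""
    result = {}
    for acc in accounts:
        ranked = sorted(((match_score(idn, acc), idn["id"]) for idn in identities), reverse=True)
        best_score, best_id = ranked[0]
        ambiguous = len(ranked) > 1 and ranked[1][0] == best_score
        result[acc["id"]] = None if best_score < threshold or ambiguous else (best_id, best_score)
    return result


def pick_master(candidates):
    """Rules 1 and 3: prefer the account with the most populated strong attributes,
    breaking ties by the most recently updated record."""
    def key(acc):
        populated = sum(1 for a in STRONG_ATTRS if norm(acc.get(a)))
        return (populated, acc.get("last_updated", date.min))
    return max(candidates, key=key)


# Constructed sample data; no real directory or person is represented.
IDENTITIES = [
    {"id": "I-1", "employee_id": "10042", "email": "a.nguyen@example.com",
     "upn": "a.nguyen@example.com", "display_name": "Anh Nguyen", "phone": "+61 2 5550 0101"},
    {"id": "I-2", "employee_id": "10043", "email": "b.okafor@example.com",
     "upn": "b.okafor@example.com", "display_name": "Bola Okafor"},
]

ACCOUNTS = [
    # AD primary account: fully populated and recently maintained
    {"id": "AD-1", "source": "ad", "employee_id": "10042", "email": "a.nguyen@example.com",
     "upn": "a.nguyen@example.com", "username": "anguyen", "display_name": "Anh Nguyen",
     "last_updated": date(2024, 5, 1)},
    # Entra ID counterpart synced from AD: fewer attributes than the AD object
    {"id": "ENTRA-1", "source": "entra", "email": "A.Nguyen@example.com",
     "upn": "a.nguyen@example.com", "display_name": "Anh Nguyen", "last_updated": date(2024, 3, 1)},
    # Separate admin account: only weak evidence, so it stays below the threshold
    {"id": "AD-ADM-1", "source": "ad", "username": "adm-anguyen", "display_name": "Anh Nguyen",
     "phone": "+61 2 5550 0101", "last_updated": date(2021, 6, 1)},
    # Stale leftover account that still carries the same employee id (rule 1 violation)
    {"id": "AD-OLD-1", "source": "ad", "employee_id": "10042", "username": "anguyen.old",
     "last_updated": date(2019, 2, 1)},
    # Service account with nothing identifying: no identity scores above zero
    {"id": "SVC-1", "source": "ad", "username": "svc-reports", "display_name": "Reports",
     "last_updated": date(2023, 1, 1)},
]

if __name__ == "__main__":
    print("uniqueness problems:", find_non_unique(ACCOUNTS))
    print("correlation:", correlate(IDENTITIES, ACCOUNTS))
    print("master for I-1:", pick_master([ACCOUNTS[0], ACCOUNTS[1]])["id"])
```

Running it reports the duplicated employee id on `AD-1` and `AD-OLD-1`, assigns `AD-1`, `ENTRA-1` and `AD-OLD-1` to `I-1` while leaving the admin and service accounts unassigned, and selects the AD object over its Entra ID counterpart as the master because it carries more strong attributes and a newer update date.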
4. Don't limit yourself to a single directory
Identities can be mastered from different directories altogether. Your organization may have a small subset of accounts which are managed via alternative flows, or may currently be migrating accounts due to a merger or acquisition. Apporetum supports having multiple Account Types seed identities, even from separate Data Sources, although extreme care should be taken to avoid duplicating Identities for the same employee.
Set the account to master Identities
Once you have a good idea of which account should be the master account, you can set it up on the Account Type page(s).