Azure AD Connector: Exclude Guest Accounts but Aggregate Shared Mailboxes

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

We have an Azure AD connector configured in IIQ. The Azure AD tenant contains both internal user accounts and external guest accounts.

Our requirement is to prevent guest accounts from being aggregated and creating identities in IdentityIQ, while still allowing shared mailboxes to be aggregated and represented as identities.

Currently, to avoid creating identities for guest accounts, we are using the “Only create links if they can be correlated to an existing identity” option in the Account Aggregation task. While this successfully prevents guest accounts from being onboarded, it also prevents shared mailboxes from being aggregated, since shared mailboxes typically cannot be correlated to existing identities.

If we disable this option, IdentityIQ creates identities for all uncorrelated accounts, including unwanted guest accounts.

The challenge is to exclude guest accounts from aggregation and identity creation, while still allowing shared mailboxes to be aggregated and have identities created, without impacting normal user accounts.

Hi @r_pragati I believe an advanced user filter can do what you want.

I haven’t used them myself, but something like:

userType ne 'Guest'

@r_pragati You should be able to achieve this using a Customization rule. Only aggregate the accounts you want; for the other types, you can return null. This will nullify the ResourceObject, and it will not be aggregated in IIQ.

Note: Found a fix? Help the community by marking the comment as the solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation, or message me directly if your problem requires a deeper dive.
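As an added illustration of the Customization-rule approach described in the reply above (this is example code, not a rule from the thread or from SailPoint), the rule below is an importable IdentityIQ Rule object whose BeanShell body drops guest accounts and passes everything else through. It assumes the Azure AD application schema exposes the account attribute userType (Azure AD reports "Member" or "Guest"), that the rule is attached to the application as its Customization rule, and that the rule name and description are placeholders you would rename.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Example only (not from the original thread): IdentityIQ Customization rule
     that skips Azure AD guest accounts during aggregation. Assumed name. -->
<Rule language="beanshell" name="Example-AzureAD-SkipGuestAccounts" type="Customization">
  <Description>
    Returns null for accounts whose userType attribute is "Guest" so the
    aggregator ignores them; all other accounts (members, including shared
    mailboxes) are returned unchanged and aggregated normally.
  </Description>
  <Signature returnType="ResourceObject">
    <Inputs>
      <Argument name="object" type="ResourceObject">
        <Description>The account read from the connector, before aggregation.</Description>
      </Argument>
      <Argument name="application" type="Application"/>
      <Argument name="context" type="SailPointContext"/>
      <Argument name="log" type="Log"/>
    </Inputs>
  </Signature>
  <Source><![CDATA[
    import sailpoint.object.ResourceObject;

    // Nothing to customize if the connector handed us no object.
    if (object == null) {
        return null;
    }

    // "userType" is the assumed schema attribute name; adjust if your
    // application schema maps it differently.
    String userType = (String) object.getAttribute("userType");

    // Guest accounts: returning null nullifies the ResourceObject, so no
    // link is created and no identity is generated for them.
    if ("Guest".equalsIgnoreCase(userType)) {
        if (log.isDebugEnabled()) {
            log.debug("Customization rule skipping guest account: " + object.getIdentity());
        }
        return null;
    }

    // Members (normal users and shared mailboxes) are aggregated unchanged.
    return object;
  ]]></Source>
</Rule>
```

The rule is evaluated once per account on every aggregation, so keep the body cheap (attribute lookups only, no extra context queries); the debug log line makes the skipped accounts visible in the aggregation log if you need to confirm that only guests are being dropped.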

Hi @r_pragati, we faced a similar issue, and we worked around it with the Azure connector filter, which filters the accounts without a rule. I hope this helps; the filter is below:

(userType eq 'Member' and (NOT (endswith (userprincipalname, '.1@xxxx.com'))) and (NOT (endswith (userprincipalname, '.v@xxxx.com'))) and (NOT (endswith (userprincipalname, '. v@xxxx.com'))) and (NOT (startsWith (userprincipalname, 'xyz'))) and (NOT (endsWith (userprincipalname, '@xxxxx.com'))))

Thanks,

PVR

That way it would evaluate each account per aggregation.

@Peddapolu I will try this. Can you please let me know where I need to add this filter?