How we can store object ids after 30 days of AD account deletion from termination date

Hey Team,

In SailPoint Identity Security Cloud, I have a requirement related to Entra Admin accounts.

When an Entra Admin account is deleted after 30 days, the ObjectId of that deleted account needs to be preserved in an identity attribute for tracking purposes.

Additionally, if the same user is rehired later and receives a new Entra Admin account, a new ObjectId will be generated. When that account eventually gets deleted again, the new ObjectId should also be appended to the existing stored ObjectIds instead of replacing them.

Example expected behavior:

Initial admin account deleted → store ObjectId: 12345

User rehired → new admin account created → later deleted → append new ObjectId: 12345,67890

So over time, the identity attribute should preserve all historical Entra Admin ObjectIds associated with that identity.

What would be the recommended way in ISC to persist and append multiple historical ObjectIds for an identity, especially when the accounts are deleted and recreated over time?

Any best practices for implementing this in ISC would be appreciated.

Thanks.

Hey Rakesh!

Instead of trying to store the deleted ObjectId on an identity attribute, you could look at utilizing a UniqueID database. We implemented this for tracking deleted accounts and it works well for us as it also helps prevent account names (like samAccountName, mail, upn, etc.) from being reused when accounts are being created. It is basically a delimited file source ISC writes to anytime it creates an account in the specified source(s). You can write attributes like identityId and objectId to these “accounts” so you can relate identities to Entra accounts and it would work well if users end up having multiple accounts. It also would retain the mapping after an identity is deleted so you can reference it in the future if needed. Here is a great video and workflow json on how you could implement this solution: Leveraging workflows for a fully native unique ID database - Content / Video Library - SailPoint Developer Community

Let me know if this helps!

Zach
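For both approaches raised in this thread, the append-only identity attribute Rakesh asks for and the delimited-file "UniqueID database" Zach describes, the following is an added example (written for this thread, not code from SailPoint or from either poster) that models the logic outside ISC so the edge cases can be checked: appending never replaces, a re-processed deletion event does not duplicate an ObjectId, and the unique-ID records survive account deletion and block reuse of samAccountName/mail/upn. The column names, identity ids, ObjectIds and account names are all constructed assumptions; in ISC the same logic would live in a transform, rule or workflow writing to the delimited file source.

```python
"""Append-only Entra ObjectId history per identity, plus a minimal
in-memory model of a "UniqueID database" delimited-file source.

Added example, not from the original thread. Assumptions (not on the
page): the identity attribute is a comma-delimited string, and the
delimited file has the columns identityId, objectId, samAccountName,
mail, upn. All sample values below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import asdict, dataclass

DELIM = ","
FIELDS = ["identityId", "objectId", "samAccountName", "mail", "upn"]
NAME_FIELDS = ("samAccountName", "mail", "upn")


def append_object_id(existing: str | None, new_id: str) -> str:
    """Return the attribute value with new_id appended, never replaced.

    Idempotent: if the same deletion is processed twice (for example a
    repeated aggregation), the id is not duplicated. Order of first
    sight is kept so the history reads oldest to newest.
    """
    ids = [v.strip() for v in (existing or "").split(DELIM) if v.strip()]
    new_id = new_id.strip()
    if new_id and new_id not in ids:
        ids.append(new_id)
    return DELIM.join(ids)


@dataclass(frozen=True)
class AccountRecord:
    identityId: str
    objectId: str
    samAccountName: str
    mail: str
    upn: str


class UniqueIdDatabase:
    """Stand-in for the delimited-file source ISC writes to on every
    account creation. Records are never removed, so the identity-to-
    ObjectId mapping outlives the account (and the identity)."""

    def __init__(self) -> None:
        self._records: list[AccountRecord] = []

    def is_reserved(self, field: str, value: str) -> bool:
        """True if a naming attribute has ever been issued (case-insensitive)."""
        return any(getattr(r, field).lower() == value.lower() for r in self._records)

    def record_creation(self, rec: AccountRecord) -> None:
        """Reserve the new account's names; refuse any name already used."""
        for field in NAME_FIELDS:
            if self.is_reserved(field, getattr(rec, field)):
                raise ValueError(f"{field}={getattr(rec, field)!r} already reserved")
        if any(r.objectId == rec.objectId for r in self._records):
            raise ValueError(f"objectId={rec.objectId!r} already recorded")
        self._records.append(rec)

    def object_ids_for(self, identity_id: str) -> list[str]:
        """Full ObjectId history for one identity, across rehires."""
        return [r.objectId for r in self._records if r.identityId == identity_id]

    def to_delimited(self) -> str:
        """Render the file ISC would aggregate as the delimited source."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        for r in self._records:
            writer.writerow(asdict(r))
        return buf.getvalue()

    @classmethod
    def from_delimited(cls, text: str) -> "UniqueIdDatabase":
        db = cls()
        for row in csv.DictReader(io.StringIO(text)):
            db._records.append(AccountRecord(**row))
        return db


def rehire_scenario() -> tuple[str, UniqueIdDatabase]:
    """Walk the hire / delete / rehire / delete sequence from the question."""
    db = UniqueIdDatabase()
    attr = None  # identity attribute starts empty
    # First hire: admin account created, then deleted after the retention window.
    db.record_creation(AccountRecord("id-001", "12345", "adm-rakesh",
                                     "adm-rakesh@example.com", "adm-rakesh@example.com"))
    attr = append_object_id(attr, "12345")
    # Rehire: a new admin account gets a new ObjectId; the old names stay reserved.
    db.record_creation(AccountRecord("id-001", "67890", "adm-rakesh2",
                                     "adm-rakesh2@example.com", "adm-rakesh2@example.com"))
    attr = append_object_id(attr, "67890")
    attr = append_object_id(attr, "67890")  # duplicate deletion event: no change
    return attr, db


if __name__ == "__main__":
    value, database = rehire_scenario()
    print("identity attribute:", value)
    print(database.to_delimited())
```

The point of keeping `append_object_id` idempotent is that ISC may evaluate an identity attribute more than once for the same deleted account; without the membership check, a second run would turn `12345,67890` into `12345,67890,67890`. The `UniqueIdDatabase` side shows why Zach's approach is attractive for the rehire case: the history is a query over records rather than a string that must be maintained on the identity.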