New Capability: Machine Account Subtypes

Description

As machine account usage continues to grow, teams need a way to organize and manage accounts that serve very different purposes, such as service accounts, bots, agents, and test accounts. Without clear categorization, these accounts become more difficult to govern and even more challenging to secure.

This update introduces machine account subtypes, a flexible way to group machine accounts by function. It helps identity teams bring more clarity and control to their machine landscape.

New Capabilities

Admins can now create and manage subtypes for machine accounts within a source. These subtypes can be used to classify accounts like Service, Bot, Agent, or Test. Accounts can be assigned a subtype automatically through mapping or manually using the UI. Subtypes are now visible in machine account lists and can be used to filter, sort, and audit machine accounts more effectively. Subtypes can also be created, updated, or deleted programmatically via API for customers who prefer automated configuration.

Problem

Today, all machine accounts are treated the same, even though their roles vary widely. This makes it difficult for teams to understand how each account is used, why it exists, or whether it introduces risk. Without a way to categorize machine accounts, it becomes harder to maintain control.

Solution

Machine account subtypes allow identity teams to categorize accounts based on their function within a given source. This feature provides foundational structure to machine account inventories and supports better governance practices.

With subtypes, teams can:

  • Create, update, and delete subtypes per source using the UI or API
  • Assign subtypes to accounts automatically through Mappings configuration or manually via the Update Account UI
  • View subtype information in machine account details
  • Filter and sort machine account lists by subtype
  • Audit changes to subtypes, including who made the change and what was updated

Subtypes are configured per source and require a unique technical name, display name, and description. This structure sets the stage for future capabilities, including request and provisioning workflows tied to specific subtypes.

Sources → [Source Name] → Machine Accounts → Account Subtypes

Sources → [Source Name] → Machine Accounts → Mappings

To assign a machine account subtype using the Mappings page, select the Account Attribute that contains the value representing the subtype. This value must match the technical name specified when the subtype was created.

Once the mapping is configured, navigate to Classification and click Process Classification to apply the changes. Note that this only applies to accounts that have not been manually edited.

Example:
If the account attribute "sn" contains the value "Service Account", and a subtype named "Service Accounts" was created with the technical name "Service Account", then any machine account where sn = "Service Account" will automatically be assigned the "Service Accounts" subtype.


Identities → Accounts → Machine Accounts → Update Account

Identities → Accounts → Machine Accounts → Filtered View by Subtypes

Who is affected?

Customers who have licensed Machine Identity Security.

Action Required

Admins can start using subtypes by configuring them per source in the UI or via API. Once subtypes are created, accounts can be assigned automatically through Mappings or manually via the Update Account screen. We recommend reviewing your machine accounts and assigning subtypes to improve organization and reporting.

Important Dates

  • Sandbox Rollout: August 18, 2025
  • Production Rollout: The week of August 25, 2025

3 Likes
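The Mappings rule from the announcement above (the mapped attribute value must match a subtype's technical name, and manually edited accounts are skipped), as an added offline model for checking an account export before running Process Classification. This is not the product's code or API: the class and function names, the exact case-sensitive comparison, and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Subtype:
    technical_name: str   # value the mapped attribute must contain
    display_name: str     # name shown in machine account lists
    description: str

@dataclass
class MachineAccount:
    name: str
    attributes: dict
    subtype: Optional[str] = None   # display name of the assigned subtype
    manually_edited: bool = False   # set when an admin used Update Account

def process_classification(accounts, subtypes, mapped_attribute):
    """Assign subtypes by technical name; return attribute values that matched nothing."""
    by_technical = {s.technical_name: s for s in subtypes}
    if len(by_technical) != len(subtypes):
        raise ValueError("technical names must be unique within a source")
    unmatched = {}
    for acct in accounts:
        if acct.manually_edited:
            continue  # manual assignments are never overwritten by the mapping
        value = acct.attributes.get(mapped_attribute)
        match = by_technical.get(value)  # assumption: exact, case-sensitive match
        if match is not None:
            acct.subtype = match.display_name
        elif value:
            unmatched.setdefault(value, []).append(acct.name)
    return unmatched

# Constructed sample data, not taken from a real tenant.
SUBTYPES = [
    Subtype("Service Account", "Service Accounts", "Non-interactive service logins"),
    Subtype("Bot", "Bots", "Automation and chat bots"),
]
ACCOUNTS = [
    MachineAccount("svc-backup", {"sn": "Service Account"}),
    MachineAccount("svc-report", {"sn": "Service Accounts"}),  # display name, not technical name
    MachineAccount("ci-runner", {"sn": "Bot"}, subtype="Test", manually_edited=True),
    MachineAccount("legacy-job", {}),                          # mapped attribute missing
]

if __name__ == "__main__":
    leftovers = process_classification(ACCOUNTS, SUBTYPES, "sn")
    for acct in ACCOUNTS:
        print(f"{acct.name:12} -> {acct.subtype}")
    print("values with no matching technical name:", leftovers)
```

Accounts left unclassified and values reported as unmatched are the ones to review by hand, since an uncategorized machine account is the governance gap the subtypes are meant to close.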

Is there support for access requests/provisioning for machine identities yet?

2 Likes

Hi @mcheek,

Machine Account Creation is on our near-term roadmap, along with access requests. We'll be launching discovery soon, so stay tuned for updates 🙂

How does this differ from Machine Identity Security?

Hi @nbhansali, this is a new capability for customers who have licensed Machine Identity Security.

1 Like