Permanently Remove Azure Guest Accounts

chrisk · October 24, 2024, 7:09pm

Using IIQ v8.3

When the Azure Connector was initially implemented, all accounts (Guest and Member) were aggregated into IIQ.

How would you go about removing all of the ‘Guest’ accounts? Most are orphaned but some are correlated to an Identity.

Once they were cleared from the system, what would be the best mechanism to ensure aggregation does not pull in ‘Guest’ accounts again?

Thanks for any ideas!

rgarciaa · October 24, 2024, 9:34pm

Hi!
You can write a little Customization Rule for Azure application that checks if the account type is “Guest” and then return null.
This way you won’t be getting these accounts back to IdentityIQ.
Hope this helps you!

chrisk · October 24, 2024, 10:12pm

Hello, thanks for replying!
Would that effectively both remove existing links and stop future links?

Thanks again.

rgarciaa · October 24, 2024, 11:15pm

Hi!
Yes, but remember that after that rule, you will need to run an “Account Aggregation” with the “Detect deleted accounts” checked to delete the “Guest” or whatever accounts you are excluding in the rule.
Best regards.

chrisk · October 25, 2024, 12:19am

I managed to delete ALL of the links, not just the ‘Guest’ links.

My first go around I forgot to declare my String. No error, but did delete all links.

Now this is what I’m attempting -

import sailpoint.object.ResourceObject;

String azuserType = object.getStringAttribute("userType");

//Check for userType
     if(azuserType != "Member"){
          return null;
     }

I was trying ‘account.getStringAttribute’, but that gave me errors. I looked at a different customization rule and saw it was using ‘object.getStringAttribute’, but still not having luck getting the accounts re-aggregated, but it did stop erroring…

Appreciate any assistance, thank you!

rgarciaa · October 25, 2024, 12:26am

Hi!
Well, you could try something more like this:

if (object.getAttribute("userType") != null){
  if (object.getStringAttribute("userType").equals("Guest")){
     return null;
}
}

return object;

Personally I had some troubles in IdentityIQ when comparing Strings with “==” and “!=”, I highly recommend to use “equals” method instead for this kind of conditionals.

Hope that helps!!

chrisk · October 25, 2024, 12:55am

I can’t thank you enough for your help and extra guidance! That did the trick.
You don’t know how valuable the help I get from members of this forum is to me! I’ll continue to learn bit by bit thanks to folks like you.

Take care, and thanks again.

rgarciaa · October 25, 2024, 7:16am

Really appreciate your words mate!! =D
Glad to help anytime I can.
You’re welcome and take care!

system · December 24, 2024, 7:16am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuring Azure AD connector for filter usertypes = Guest in aggregation IIQ Discussion and Questions aggregation , identityiq , connectors	3	26	December 2, 2024
Sailpoint stops creating user accounts IIQ Discussion and Questions aggregation , identityiq , connectors	5	199	July 29, 2024
Azure has been removed from some user accounts IIQ Discussion and Questions aggregation , identityiq	4	194	March 4, 2024
Delete Garbage Identity from SailPoint IIQ Discussion and Questions identityiq , identities	18	273	October 6, 2024
Single Account Aggregation For Azure IIQ Discussion and Questions rules , identityiq	4	40	November 25, 2024

Permanently Remove Azure Guest Accounts

Related topics