Identity Reports
Menu path: Observe → Deep Dive → Identities
URL: /en/insights/dashboard/identity/identities
Purpose
The Identity Reports page examines Apporetum's identity layer - the records that bridge your HR workforce data and your directory accounts. An identity in Apporetum is the unified representation of a person: it joins together their HR record (workforce person) with all the directory accounts (in Entra ID, Active Directory, etc.) that belong to them.
This page surfaces the good, the bad, and the ugly of your identity population: how many identities exist, where they come from, how many are orphaned (not linked to any HR record), how many are missing an end date (which means leaver controls cannot function), and whether any accounts have been accessed after their identity's expiry date.
Charts and Reports
Account Count Frequency By Feed
Chart type: Grouped bar chart
What it shows: For each workforce feed, how many identities own a given number of accounts. This is a frequency distribution - it shows whether most identities have one account, two accounts, three accounts, etc., broken out by source feed.
Why it matters: In most organisations, a standard employee should have between one and three accounts (e.g., a standard Entra ID account and a privileged admin account). Identities with an unusually high number of accounts may indicate excessive account proliferation, which adds management complexity and security risk. The chart helps you spot outliers and understand the "normal" account-per-person ratio for your environment.
What to investigate: Look for any feed that shows a significant cluster of identities with many accounts. These could be over-provisioned users, test accounts, or service accounts incorrectly linked to person records.
Identities Without End Dates
Chart type: Bar chart
What it shows: The number of identities, broken down by feed, that do not have an end date set.
Why it matters - this is THE critical leaver-control metric. An end date on an identity is what triggers the automated leaver workflow - the disabling and eventual deletion of accounts when someone leaves the organisation. If an identity has no end date set and the person eventually leaves, Apporetum cannot automatically initiate the offboarding process. This means accounts belonging to former employees could remain active indefinitely.
In the example environment, a significant bar for ModernIAM HR Feed shows a substantial number of identities without end dates. This is the "ugly" - it represents a population of people whose departure from the organisation cannot be automatically handled by the system.
What to do: Work with your HR team to ensure that end dates (or at least expected end dates for contract staff) are populated in the HR system and flowing through to Apporetum identities. For permanent employees, the end date should be set when they resign or are terminated.
Activity Post Departure
Chart type: Bar or KPI
What it shows: The number of identities where logon activity has been recorded after their expiry/end date.
Why it matters - this is the most critical security indicator on this page. Post-departure activity means a former employee or contractor's account was used after they should have been offboarded. This could indicate: the accounts were not disabled promptly, someone has access to those credentials, or the end date in the system was incorrect.
What to investigate: Click through to see the specific identities and accounts involved. Investigate whether the logon was legitimate (e.g., a scheduled task running under their account) or whether it represents unauthorised access. Any confirmed cases of post-departure access should be treated as a security incident.
Orphan Identities
Chart type: Bar chart
What it shows: Identities that are not linked to any workforce person record, broken down by feed.
Why it matters: An orphaned identity exists in Apporetum but has no corresponding person in an HR feed. This means there is no authoritative source governing this person's lifecycle - if they leave the organisation, there is no HR record to trigger the offboarding process. Orphaned identities are often created when: someone leaves the HR system (e.g., due to a data error), they were created manually outside the normal HR process, or there is a data matching failure between the HR feed and the identity layer.
What to investigate: For each orphaned identity, determine whether the person is still active in the organisation. If they are, work to link their identity to their HR record. If they have left, their accounts should be reviewed and disabled/deleted.
Identities By Feed
Chart type: Donut chart
What it shows: The total number of identities (9,237 in the example) broken down by their source workforce feed.
Why it matters: This gives you a high-level view of which HR systems are the authoritative source for your identities. It should closely mirror the Workforce Persons by Feed chart - significant discrepancies between the two may indicate provisioning failures.
Identities By Data Source
Chart type: Donut chart
What it shows: The total identities broken down by the data source (directory) where their linked accounts reside.
Why it matters: This chart shows the spread of identities across your directories. It helps you understand whether identities are concentrated in one system or distributed across multiple. It also helps identify if identities exist without accounts in certain expected directories (e.g., all employees should have an account in the main Entra ID tenant).
The Identities Table
The table below the charts lists all identity records. Key columns include:
- Display Name - The identity's name
- Workforce Person - The linked HR person record (blank for orphaned identities)
- Accounts - The number of directory accounts linked to this identity
Use the "Linked Person" filter toggle to show only identities without a linked workforce person (orphaned identities). Use the search box to find a specific person and verify their identity linkage is correct.
Reading the table for health indicators
A zero in the Accounts column for an active employee means they have an identity but no accounts - they may not be able to log in at all. Investigate whether provisioning has failed for this person. A high account count (e.g., 5 or more) for a non-admin user should be investigated.
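The checks described on this page (missing end dates, orphans, post-departure logons, and account-count outliers), run over a list of identity records. This is an added example, not Apporetum code: the record layout, field names, the "Contractor Feed" entries and the `audit` function are constructed assumptions, not the product's schema or API.

```python
from collections import Counter
from datetime import date

# Constructed sample records. Field names are assumptions, not Apporetum's schema.
IDENTITIES = [
    {"name": "Alex Ng", "feed": "ModernIAM HR Feed", "person": "P-1001", "end_date": None,
     "accounts": [{"upn": "alex.ng", "last_logon": "2024-05-02"}]},
    {"name": "Bea Ortiz", "feed": "ModernIAM HR Feed", "person": "P-1002", "end_date": "2024-03-31",
     "accounts": [{"upn": "bea.ortiz", "last_logon": "2024-04-15"},
                  {"upn": "adm.bea.ortiz", "last_logon": "2024-03-20"}]},
    {"name": "Chen Wu", "feed": "Contractor Feed", "person": None, "end_date": None,
     "accounts": [{"upn": "chen.wu", "last_logon": None}]},
    {"name": "Dana Roy", "feed": "Contractor Feed", "person": "P-2001", "end_date": "2025-12-31",
     "accounts": []},
    {"name": "Eli Park", "feed": "ModernIAM HR Feed", "person": "P-1003", "end_date": None,
     "accounts": [{"upn": f"eli.park{i}", "last_logon": None} for i in range(5)]},
]

def audit(identities, many_accounts=5):
    """Return the page's health indicators for a list of identity records."""
    out = {"no_end_date": Counter(), "orphans": Counter(),
           "post_departure": [], "no_accounts": [], "many_accounts": []}
    for ident in identities:
        feed, accounts = ident["feed"], ident["accounts"]
        if ident["person"] is None:           # no linked workforce person
            out["orphans"][feed] += 1
        if len(accounts) == 0:                # identity exists, nothing to log in with
            out["no_accounts"].append(ident["name"])
        elif len(accounts) >= many_accounts:  # outlier worth a manual look
            out["many_accounts"].append(ident["name"])
        if ident["end_date"] is None:         # leaver workflow has no trigger
            out["no_end_date"][feed] += 1
            continue
        end = date.fromisoformat(ident["end_date"])
        for acct in accounts:                 # any logon strictly after the end date
            logon = acct["last_logon"]
            if logon and date.fromisoformat(logon) > end:
                out["post_departure"].append((ident["name"], acct["upn"], logon))
    return out

if __name__ == "__main__":
    for key, value in audit(IDENTITIES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The account-count checks here do not know who is an admin or currently active, so treat their output as a list to review rather than a verdict.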