Provisioning Reports
Menu path: Observe → Deep Dive → Provisioning
URL: /en/insights/dashboard/identity/flow
Purpose
The Provisioning Reports page gives you a holistic view of the identity lifecycle flow across your organisation - from HR workforce persons, through identities, to actual directory accounts. It answers the question: "Is our provisioning pipeline working correctly, and what does the health of our account population look like as a result?"
Think of this page as your provisioning pipeline health dashboard. It shows the entire chain: 9,156 Workforce Persons → 9,237 Identities → 18,540 Accounts. The discrepancies between these numbers tell a story about the health and hygiene of your provisioning processes.
The Provisioning Flow Summary
At the top of the page, a three-stage flow indicator shows:
- Workforce: 9,156 persons in the HR system
- Identities: 9,237 identities in Apporetum
- Accounts: 18,540 accounts across all directories
The fact that identities (9,237) exceed workforce persons (9,156) means some identities exist without a corresponding HR record - these are orphaned identities. The fact that accounts (18,540) significantly exceed identities (9,237) means most people have multiple accounts across different systems, which is expected (e.g., a standard account plus a privileged admin account).
Charts and Reports
Accounts By Workforce Feed
Chart type: Donut chart
What it shows: The distribution of all accounts across the workforce feeds that their owners belong to.
Why it matters: This chart tells you how accounts are mastered - which HR feeds are driving account creation. In a well-governed environment, the vast majority of accounts should trace back to known HR feeds. A large "unmastered" or uncategorised segment indicates accounts that exist outside the governed provisioning pipeline.
Account Activity
Chart type: Time-series line chart
What it shows: The number of accounts logging in per day/week over the past 6 months.
Why it matters: This is your baseline activity pulse. It shows whether account usage patterns are normal or anomalous. Sudden spikes or drops in activity can indicate security events, system outages, or major organisational changes. The chart covers the past 6 months so you can identify trends.
What to look for: Consistent daily activity with normal variation (weekends lower than weekdays) is the healthy pattern. A sudden spike could indicate an automated attack or bulk account compromise. A sudden drop could indicate a system outage or a sync problem.
Stale Passwords
Chart type: Time-series area chart
What it shows: The count of accounts with passwords that are more than 90 days old, tracked over time (typically the past year).
Why it matters: Password age is a key security hygiene metric for environments that still use passwords (as opposed to passwordless or certificate-based authentication). Old passwords are more likely to have been compromised, shared, or guessed. The chart's trend is particularly important - a rising line means the problem is getting worse over time and the password policy is either not being enforced or not being enforced consistently.
In the example environment, the chart shows a significant peak (around 240 accounts with stale passwords at the peak) followed by a decline. This pattern may indicate a password reset campaign was run that improved the situation.
What to do: Accounts with stale passwords should be required to change their password at next logon, or the password policy should be reviewed to ensure maximum password age is enforced. Privileged accounts (Admins) with stale passwords are particularly urgent.
Expiring Accounts
Chart type: Bar chart
What it shows: Accounts that are due to expire in the next 30 days, broken down by data source or account type.
Why it matters: This is a proactive joiner/mover/leaver management tool. Expiring accounts may represent contractors or fixed-term employees whose contracts are ending. Knowing in advance allows you to: confirm with HR whether the contract is being renewed (and extend the account), or prepare for the offboarding process. Accounts that expire without action may cause disruption if the person is still actively working.
Accounts By Workforce Feed (per Data Source)
Chart type: Stacked bar chart
What it shows: How accounts in each data source (directory) trace back to each workforce feed. For example: how many accounts in the Hospital directory come from the ModernIAM HR Feed vs other sources?
Why it matters: This chart reveals which directories are fed by which HR systems. Mismatches (e.g., accounts in a directory that have no HR feed attribution) highlight provisioning gaps.
Members vs Guests
Chart type: Bar chart
What it shows: The ratio of Member (internal) accounts to Guest (external/B2B) accounts in each data source.
Why it matters: Guest accounts in Entra ID represent external users who have been invited into your tenant. A high and growing number of guest accounts is a governance challenge - guest accounts often have less stringent lifecycle management, may persist long after the collaboration project ends, and can be difficult to track back to a specific business justification.
What to look for: Is the guest population growing? Are there guests who have not signed in recently? Do all guests have a known business sponsor? Guest account lifecycle management is often an underserved area in IAM.
Orphaned Accounts by Data Source
Chart type: Stacked bar chart
What it shows: The number of orphaned accounts in each data source, split between enabled (active) and managed (correctly linked) accounts.
Why it matters: This chart shows where the orphaned account problem is concentrated. If a particular data source has a large number of enabled orphaned accounts, that directory has a significant governance gap. The "enabled orphaned" metric is the most serious - these are accounts that can be used but have no owner accountability.
Account Status by Data Source
Chart type: Stacked bar chart
What it shows: Enabled vs disabled accounts in each data source.
Post Departure
Chart type: Bar chart
What it shows: Accounts that have been used after their expiry date, broken down by data source.
Why it matters: Same as in the Accounts report - this is a security-critical finding. Any post-departure activity must be investigated as a potential security incident.
Accounts By Type Per Data Source
Chart type: Stacked bar chart
What it shows: For each data source, the breakdown of accounts by account type (e.g., Productivity, Finance, Admins, Contractor).
Enabled vs Disabled by Account Type
Chart type: Bar chart
What it shows: For each account type, how many accounts are enabled versus disabled.
Why it matters: This is particularly useful for understanding privilege distribution. The ratio of enabled admin accounts to disabled admin accounts, compared against your active admin population, can reveal whether admin accounts are being properly lifecycle-managed.
Inactive Accounts (by Data Source and Account Type)
Chart type: Bar chart
What it shows: Inactive accounts (45+ days) broken down by both data source and account type.
Dormant Accounts (by Data Source and Account Type)
Chart type: Bar chart
What it shows: Dormant accounts (90+ days) broken down by both data source and account type.
Matched Accounts
Chart type: Bar chart
What it shows: Accounts that have been successfully matched to an identity, broken down by data source.
Why it matters: The flip side of the orphaned accounts metric. A high match rate is the healthy state - it means Apporetum can trace each account back to a known person and apply lifecycle governance accordingly.
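The reconciliation behind the flow summary, the orphaned-account chart and the match rate, as an added example that is not Apporetum's own code: it joins workforce persons, identities and accounts and reports orphaned identities, enabled orphaned accounts and the match rate per data source. The sample records and the tuple layout are constructed for illustration and are assumptions, not the product's schema.

```python
from collections import Counter, defaultdict

# Constructed sample data; the layout is an assumption, not Apporetum's schema.
WORKFORCE = {"W1", "W2", "W3"}                                  # HR person ids
IDENTITIES = {"I1": "W1", "I2": "W2", "I3": "W3", "I4": None}   # identity -> HR person
ACCOUNTS = [
    # (account name, data source, linked identity or None, enabled)
    ("alice", "AD", "I1", True),
    ("alice-adm", "AD", "I1", True),      # second (privileged) account, same person
    ("bob", "AD", "I2", True),
    ("bob@corp", "Entra", "I2", True),
    ("carol", "Entra", "I3", False),
    ("svc-old", "AD", None, True),        # usable, but no owner
    ("temp01", "Entra", None, False),
    ("dave", "AD", "I4", True),           # matched, but to an orphaned identity
]

def reconcile(workforce, identities, accounts):
    """Summarise the workforce -> identity -> account chain."""
    # Orphaned identity: no corresponding HR record.
    orphaned_identities = sorted(
        i for i, person in identities.items() if person not in workforce)
    per_source = defaultdict(Counter)
    for _name, source, identity_id, enabled in accounts:
        if identity_id in identities:
            per_source[source]["matched"] += 1
        else:
            key = "orphaned_enabled" if enabled else "orphaned_disabled"
            per_source[source][key] += 1
    match_rate = {s: c["matched"] / sum(c.values()) for s, c in per_source.items()}
    return {
        "flow": (len(workforce), len(identities), len(accounts)),
        "orphaned_identities": orphaned_identities,
        "per_source": {s: dict(c) for s, c in per_source.items()},
        "match_rate": match_rate,
    }

REPORT = reconcile(WORKFORCE, IDENTITIES, ACCOUNTS)
```

Note that `dave` counts as a matched account even though its identity has no HR record, so the orphaned-identity and orphaned-account figures have to be read together.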
Accounts By OU
Chart type: Bar chart
What it shows: The distribution of accounts across Organisational Units (OUs) in Active Directory.
Why it matters: OU structure in Active Directory often reflects organisational structure, department, or security zone. Accounts in unexpected OUs, or a large number of accounts in a generic "Users" container (rather than a properly managed OU), may indicate provisioning issues or legacy account migration problems.
Accounts By Domain
Chart type: Bar chart
What it shows: Account types broken down by the email domain used.
Why it matters: Unusual email domains (e.g., personal Gmail accounts, external domains) appearing in your directory accounts can indicate security risks or compliance issues. All internal staff should have accounts using authorised organisational domains.
Excessive Password Age
Chart type: Histogram/distribution chart
What it shows: The distribution of password age (in days) across all account types. The X-axis shows password age in days; the Y-axis shows the count of accounts.
Why it matters: This chart shows not just how many accounts have old passwords, but how old they are. Passwords hundreds or thousands of days old represent a very serious security hygiene problem. The chart breaks this down by account type so you can see whether Admins (who should have the strictest password policies) have a better or worse distribution than standard users.
What to look for: Any accounts with passwords over 365 days old should be flagged for immediate remediation. Accounts with passwords over 700 days old (nearly 2 years) are a severe hygiene failure.
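The time-based thresholds used across this page (passwords more than 90, 365 and 700 days old, inactive at 45+ days, dormant at 90+ days, expiring within 30 days, and use after expiry), applied to an account export in an added example that is not Apporetum's own code. The sample rows, the column layout, the flag names and the urgency ordering in `triage` are assumptions made for illustration.

```python
from datetime import date

AS_OF = date(2025, 6, 30)  # constructed reporting date

# Constructed export; the column layout is an assumption, not Apporetum's schema:
# (name, account type, password last set, last logon, expiry date or None)
SAMPLE = [
    ("alice", "Productivity", date(2025, 5, 1), date(2025, 6, 27), None),
    ("alice-adm", "Admins", date(2023, 6, 1), date(2025, 6, 20), None),
    ("bob", "Finance", date(2025, 1, 10), date(2025, 5, 1), None),
    ("carol", "Contractor", date(2024, 5, 1), date(2025, 3, 1), date(2025, 7, 15)),
    ("dan", "Contractor", date(2025, 4, 1), date(2025, 6, 25), date(2025, 6, 1)),
]

def classify(account, as_of=AS_OF):
    """Return the hygiene flags for one account, using the page's thresholds."""
    _name, _type, pwd_set, last_logon, expires = account
    flags = []
    pwd_age = (as_of - pwd_set).days
    if pwd_age > 700:
        flags.append("password>700d")   # severe hygiene failure
    elif pwd_age > 365:
        flags.append("password>365d")   # flag for immediate remediation
    elif pwd_age > 90:                  # "more than 90 days": exactly 90 passes
        flags.append("password>90d")
    idle = (as_of - last_logon).days
    if idle >= 90:
        flags.append("dormant")         # 90+ days; only the highest tier is reported
    elif idle >= 45:
        flags.append("inactive")        # 45+ days
    if expires is not None:
        if last_logon > expires:
            flags.append("post-departure")   # used after its expiry date
        elif 0 <= (expires - as_of).days <= 30:
            flags.append("expiring")         # due to expire in the next 30 days
    return flags

def triage(accounts, as_of=AS_OF):
    """Return (name, flags) for flagged accounts, most urgent first."""
    def urgency(row):
        _name, acct_type, flags = row
        if "post-departure" in flags:
            return 0    # investigate as a potential security incident
        if acct_type == "Admins" and any(f.startswith("password") for f in flags):
            return 1    # privileged account with a stale password
        return 2
    rows = [(a[0], a[1], classify(a, as_of)) for a in accounts]
    flagged = sorted((r for r in rows if r[2]), key=urgency)
    return [(name, flags) for name, _type, flags in flagged]
```

On the sample, `dan` sorts first because the account was used after its expiry date, even though its password is exactly 90 days old and therefore not yet stale.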