# Apporetum Observe Overview
## What is the Observe Module?
The Observe module in Apporetum is your organisation's identity and access management (IAM) intelligence centre. It provides a comprehensive set of reports, charts, and dashboards that continuously surface the health of your identity ecosystem - your people, their accounts, the directories that hold those accounts, and the non-human applications and service principals that operate within them.
Think of Observe as your IAM health monitor: it shows you the good (what is working correctly), the bad (what needs attention), and the ugly (what poses real risk and demands immediate action). The goal is to give directory and IAM administrators a clear, data-driven picture of their environment so they can prioritise remediation work, demonstrate compliance, and prevent security incidents before they occur.
## Organisation of This Documentation
This documentation is organised to mirror the Observe menu structure:
| Section | Description |
|---|---|
| Reporting Overview | The top-level dashboard - daily insights and ecosystem snapshot |
| **Deep Dive** | Section group containing the reports listed below |
| Workforce | HR person records and their link to identities |
| Identities | Identity records bridging HR and directory accounts |
| Accounts | Directory account health and lifecycle analysis |
| Provisioning | End-to-end provisioning flow and account hygiene |
| Data Sources | Directory and HR feed connectivity and health |
| Access Reviews | Access review campaign outcomes and reviewer activity |
| **Application Governance** | Section group containing the reports listed below |
| App Gov Overview | Non-human entity estate summary and key risk indicators |
| Tagging Compliance | Application registration metadata and compliance posture |
| Certificates | Certificate inventory, expiry, and lifecycle compliance |
| Client Secrets | Client secret inventory, expiry, and rotation health |
| Owners | Application and service principal ownership analysis |
| Legacy OAuth | Insecure or deprecated OAuth configurations |
| Object Assignments | Application access assignments - direct vs group-based |
| Sign-In Activity | Application usage and dormancy analysis |
| App Role Permissions | Application (daemon) API permission risk analysis |
| Delegated Permissions | User-consented delegated permission risk analysis |
| Multi-Tenant Apps | Applications accepting sign-ins from external tenants |
| Application SSO | SSO adoption and access control enforcement |
| SSO Redirect Security | Redirect URI security findings |
## Audience
This documentation is written for people who understand directory administration, authentication, and authorisation - such as IT operations staff, security analysts, and IAM practitioners - but who may not be Entra ID or Active Directory specialists. Technical jargon is explained where used, and the focus is always on what you need to do with the information, not just what it means.
## Key Concepts
- **Workforce Person** - A record sourced from an HR or workforce management system representing a real employee, contractor, or other person affiliated with your organisation.
- **Identity** - Apporetum's unified representation of a person, linking their HR record to their directory accounts across all connected data sources.
- **Account** - An individual user object in a specific directory or data source (e.g., an Entra ID user, an Active Directory account).
- **Data Source** - A connected directory or HR feed (e.g., Entra ID tenant, Active Directory domain, CSV upload).
- **Service Principal / Enterprise Application** - A non-human identity in Entra ID representing an application's access to resources within a tenant.
- **Application Registration** - The definition of an application in Entra ID (the "blueprint"), which creates service principals in tenants where it is consented.
- **Managed Identity** - A system-managed service principal in Azure where the credential lifecycle is handled automatically by Azure.