Reconciliation report on Active Directory accounts (access)
complete
Rick van den Dijssel
We would like to see which Active Directory accounts are not managed by HelloID Provisioning and if these accounts are enabled/disabled. This helps to clean up the current Active Directory state.
- Import accounts + accounts access (enable/disable) state from Active Directory
- Match the state from Active Directory (network state) against HelloID Provisioning entitlement state (based on account entitlement reference)
- Report is renewed each month
Based on a mismatch (unmanaged by HelloID provisioning) the following data is shown per mismatch:
- Show Active Directory user
- Show System (We only support Active Directory but you could have multiple Active Directories)
- Show the person, if available; we do a check based on correlation value (when a person is shown, this could mean that the scope of the Business Rules assigning the account entitlement is not correct)
- Show business rules assigning the account (access) entitlement from the Active Directory system
- Show description of the scenario as described below
Scenarios:
- Unmanaged account: The account exists in Active Directory but no corresponding state can be found in HelloID
- Missing account: An account entitlement exists but no corresponding accounts exist in Active Directory
- Mistakenly enabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID, but the account is enabled while no corresponding account access entitlement exists
- Mistakenly disabled account: An account in Active Directory exists with a corresponding account entitlement in HelloID but the account is disabled although it has a corresponding account access entitlement
This feature needs the Governance module license.
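The four scenarios above amount to a join of the imported Active Directory state with the entitlement state on the account entitlement reference. The following Python classification is an added example, not HelloID's code and not part of the original post; the record shapes, field names and sample data are constructed assumptions, and references are compared as exact strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdAccount:            # imported network state (assumed shape)
    system: str             # which Active Directory the account lives in
    account_ref: str        # value matched against the entitlement reference
    enabled: bool

@dataclass(frozen=True)
class Entitlement:          # provisioning state (assumed shape)
    system: str
    account_ref: str        # account entitlement reference
    has_access: bool        # account access (enable) entitlement granted

def reconcile(ad_accounts, entitlements):
    """Return (system, account_ref, scenario) for every mismatch, sorted."""
    ad = {(a.system, a.account_ref): a for a in ad_accounts}
    ent = {(e.system, e.account_ref): e for e in entitlements}
    findings = []
    for key in sorted(ad.keys() | ent.keys()):
        a, e = ad.get(key), ent.get(key)
        if e is None:
            scenario = "Unmanaged account"            # in AD, unknown to provisioning
        elif a is None:
            scenario = "Missing account"              # entitlement without AD account
        elif a.enabled and not e.has_access:
            scenario = "Mistakenly enabled account"
        elif not a.enabled and e.has_access:
            scenario = "Mistakenly disabled account"
        else:
            continue                                  # states agree, nothing to report
        findings.append((*key, scenario))
    return findings

# Constructed sample data, one record per scenario plus one matching account.
SAMPLE_AD = [
    AdAccount("AD-Corp", "jdoe", enabled=True),
    AdAccount("AD-Corp", "asmith", enabled=False),
    AdAccount("AD-Corp", "bjones", enabled=True),
    AdAccount("AD-Corp", "svc-backup", enabled=True),
]
SAMPLE_ENT = [
    Entitlement("AD-Corp", "jdoe", has_access=False),
    Entitlement("AD-Corp", "asmith", has_access=True),
    Entitlement("AD-Corp", "bjones", has_access=True),
    Entitlement("AD-Corp", "mlee", has_access=True),
]

if __name__ == "__main__":
    for system, ref, scenario in reconcile(SAMPLE_AD, SAMPLE_ENT):
        print(f"{system}\t{ref}\t{scenario}")
```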
Rick van den Dijssel
Merged in a post:
Include correlation in evaluation
Arnout van der Vorst
I would like to include the correlation results in the evaluation. Currently the evaluation is listing account create entries for persons which might already have an account. Since the correlation only works when enforcing, the evaluation doesn't present a clear simulation on what will actually happen. The evaluation is the single most important tool to determine if HelloID can go "live", so it needs to be as accurate as possible.
Rick van den Dijssel
complete
Rick van den Dijssel
in progress
Mike van Eck
Interesting development! Would be nice to also show the last AD login timestamp on active accounts - to be able to see if the accounts are actively used or not. And, but this would be another development path, this complete feature is also needed for EntraID.
Rick van den Dijssel
Mike van Eck: I discussed the option to add the last login timestamp from AD with the development team. But this is not so easy, because we have to check this timestamp on every domain controller, which is a feature we currently don't have. Therefore I created a new feedback item for this topic on your behalf: https://feedback.helloid.com/provisioning/p/show-the-last-login-timestamp-in-ad-reconciliation-report
Rick van den Dijssel
planned
Rick van den Dijssel
We expect this feature sooner than originally expected, so we will release this feature in the April release.
Arnout van der Vorst
Same goes for adding the entitlements, these are added even though the account might already be a member of the group. I understand that HelloID needs to "add" these entitlements to make them managed, but I would like to see an indication of this behaviour in the evaluation.