Currently there is no easy way in our default search UI to find all identities who have more than one accounts from a single source. There are other ways like doing account link search or via accounts CSV etc.
But there is a way to do find them (not pretty but still helpful) via search aggregation API. I found this somewhat easier if the result is small. If its a large set, you can always parse it to you liking. I am no coder 🙂
Here is the call
POST https://{TENANTURL}/v3/search/aggregate
BODY
{
"query": {
"query": "*"
},
"indices": ['identities'],
"aggregationsDsl": {
"accounts": {
"nested": {
"path": "accounts"
},
"aggs": {
"source id": {
"terms": {
"field": "accounts.source.id",
"min_doc_count": 2,
"size": 65536,
},
"aggs": {
"identities": {
"terms": {
"field": "_id",
"min_doc_count": 2,
"size": 65536,
},
"aggs": {
"accounts": {
"top_hits": {}
}
}
}
}
}
}
}
}
}
The result will be something like this
{
"aggregations": {
"accounts": {
"doc_count": 143280,
"source id": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [{
"key": "2c918088719e0a5e0171a51ec1f45c33",
"doc_count": 13266,
"identities": {
"doc_count_error_upper_bound": 3,
"sum_other_doc_count": 13188,
"buckets": [{
"key": "identity#2c918084719e5fda0171a635ed8465d9",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 6
},
"_score": 1,
"_source": {
"id": "2c918089784243b001785a6893314204",
"name": "dupeaccount1@email.com",
"accountId": "c5ea1cb6-6135-4773-b620-db710df1f448",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Azure Active Directory",
"type": "Azure Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {
"groups": [
"0478ac5b-e1ae-4a61-bc63-5bd386b34b1c"
]
},
"created": "2021-03-22T14:48:26.168Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c91808676443055017644ecfaed1cfc",
"name": "dupeaccount2@email.com",
"accountId": "9d70e2a1-aafc-45c3-aa55-2b542a9b3bce",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Azure Active Directory",
"type": "Azure Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-12-09T00:35:50.125Z"
}
}
]
}
}
},
{
"key": "identity#2c918086719e629d0171a639675771a8",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c918086745501130174552067e32ca8",
"name": "dupeaccount1@email2.com",
"accountId": "0f7b23cb-2d16-4a53-a808-b3d305663851",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Google Suite",
"type": "Google Suite"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {},
"created": "2020-09-03T18:00:21.220Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 4
},
"_score": 1,
"_source": {
"id": "2c9180847430c3350174345c589244e0",
"name": "dupeaccount2@email2.com",
"accountId": "ce8cf36b-5a33-4bea-becd-8b795484720b",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Google Suite",
"type": "Google Suite"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": true,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-08-28T09:18:21.331Z"
}
}
]
}
}
},
{
"key": "identity#2c918089719e5fc30171a639cd6a2cff",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c91808674550113017455233ff632f4",
"name": "dupeaccount1@email3.com",
"accountId": "c4714b3c-3a48-460c-ba80-bdb2791f3f92",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Active Directory",
"type": "Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {},
"created": "2020-09-03T18:03:27.606Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 4
},
"_score": 1,
"_source": {
"id": "2c918087742242470174244d59c977ca",
"name": "dupeaccount2@email3.com",
"accountId": "74e864cb-7633-4c1e-884d-bdc8a1e10f3f",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Active Directory",
"type": "Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": true,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-08-25T06:28:03.146Z"
}
}
]
}
}
},
.............
.............
.............
]
}
}
]
}
}
}
}
Here you can see multiple accounts for a user from Azure AD
- dupeaccount1@email.com and dupeaccount2@email.com
Similarly another user having duplicate accounts in Google Suite and Active Directory.
You can’t filter to get particular sources only but at least this will give you all users with more than one account from all sources.
Hope this helps!!!