Currently there is no easy way in our default search UI to find all identities who have more than one accounts from a single source. There are other ways like doing account link search or via accounts CSV etc.
But there is a way to do find them (not pretty but still helpful) via search aggregation API. I found this somewhat easier if the result is small. If its a large set, you can always parse it to you liking. I am no coder 🙂
Here is the call
POST https://{TENANTURL}/v3/search/aggregate
BODY
{
"query": {
"query": "*"
},
"indices": ['identities'],
"aggregationsDsl": {
"accounts": {
"nested": {
"path": "accounts"
},
"aggs": {
"source id": {
"terms": {
"field": "accounts.source.id",
"min_doc_count": 2,
"size": 65536,
},
"aggs": {
"identities": {
"terms": {
"field": "_id",
"min_doc_count": 2,
"size": 65536,
},
"aggs": {
"accounts": {
"top_hits": {}
}
}
}
}
}
}
}
}
}
The result will be something like this
{
"aggregations": {
"accounts": {
"doc_count": 143280,
"source id": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [{
"key": "2c918088719e0a5e0171a51ec1f45c33",
"doc_count": 13266,
"identities": {
"doc_count_error_upper_bound": 3,
"sum_other_doc_count": 13188,
"buckets": [{
"key": "identity#2c918084719e5fda0171a635ed8465d9",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 6
},
"_score": 1,
"_source": {
"id": "2c918089784243b001785a6893314204",
"name": "[email protected]",
"accountId": "c5ea1cb6-6135-4773-b620-db710df1f448",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Azure Active Directory",
"type": "Azure Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {
"groups": [
"0478ac5b-e1ae-4a61-bc63-5bd386b34b1c"
]
},
"created": "2021-03-22T14:48:26.168Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c91808676443055017644ecfaed1cfc",
"name": "[email protected]",
"accountId": "9d70e2a1-aafc-45c3-aa55-2b542a9b3bce",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Azure Active Directory",
"type": "Azure Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-12-09T00:35:50.125Z"
}
}
]
}
}
},
{
"key": "identity#2c918086719e629d0171a639675771a8",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c918086745501130174552067e32ca8",
"name": "[email protected]",
"accountId": "0f7b23cb-2d16-4a53-a808-b3d305663851",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Google Suite",
"type": "Google Suite"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {},
"created": "2020-09-03T18:00:21.220Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 4
},
"_score": 1,
"_source": {
"id": "2c9180847430c3350174345c589244e0",
"name": "[email protected]",
"accountId": "ce8cf36b-5a33-4bea-becd-8b795484720b",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Google Suite",
"type": "Google Suite"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": true,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-08-28T09:18:21.331Z"
}
}
]
}
}
},
{
"key": "identity#2c918089719e5fc30171a639cd6a2cff",
"doc_count": 2,
"accounts": {
"hits": {
"total": 2,
"max_score": 1,
"hits": [{
"_nested": {
"field": "accounts",
"offset": 5
},
"_score": 1,
"_source": {
"id": "2c91808674550113017455233ff632f4",
"name": "[email protected]",
"accountId": "c4714b3c-3a48-460c-ba80-bdb2791f3f92",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Active Directory",
"type": "Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": false,
"entitlementAttributes": {},
"created": "2020-09-03T18:03:27.606Z"
}
},
{
"_nested": {
"field": "accounts",
"offset": 4
},
"_score": 1,
"_source": {
"id": "2c918087742242470174244d59c977ca",
"name": "[email protected]",
"accountId": "74e864cb-7633-4c1e-884d-bdc8a1e10f3f",
"source": {
"id": "2c918088719e0a5e0171a51ec1f45c33",
"name": "Active Directory",
"type": "Active Directory"
},
"disabled": false,
"locked": false,
"privileged": false,
"manuallyCorrelated": true,
"entitlementAttributes": {
"groups": [
"296568fa-5a98-4fd3-b39e-394c4432e74b"
]
},
"created": "2020-08-25T06:28:03.146Z"
}
}
]
}
}
},
.............
.............
.............
]
}
}
]
}
}
}
}
Here you can see multiple accounts for a user from Azure AD
Similarly another user having duplicate accounts in Google Suite and Active Directory.
You can’t filter to get particular sources only but at least this will give you all users with more than one account from all sources.
Hope this helps!!!
0 Comments