User Statuses

Last updated 8 months ago

Overview

User Statuses are broken down into two categories: the Identity Provider (IdP) Status and an Identity Intelligence Status. Read on to learn the differences between the two statuses, how each status is compiled, and what each status means.

Identity Provider (IdP) Status

The Identity Provider (IdP) Status is taken directly from what is configured on the data source for a particular user. You can see the respective IdP Status for each data source associated with a user in the top-right corner of each source card on the User 360 tab.

Statuses and definitions

Identity Intelligence Status

Additionally, the high-level Identity Intelligence status tag can be seen next to the user's name and email on every tab across the User 360.

Statuses and definitions

If there is no HRIS data integration available for your tenant or a user, the detailed status is the user type taken from the IdP plus the high-level Identity Intelligence status (e.g., "Internal, Active" or "External, Inactive").

Below are the statuses and definitions if you do not have an HRIS data integration configured:

| Identity Intelligence Status | Definition |
| --- | --- |
| Active | User is authorized in the IdP and has had activity in an IdP in the last 30 days |
| Inactive | User is authorized in the IdP, but has not had activity in an IdP in the last 30 days |
| Deprovisioned | User is unauthorized in the IdP and has not had activity in an IdP in the last 30 days |
| Inconsistent | See below |

If an HRIS data integration is available, the detailed status is the user type taken from the IdP plus the compiled status listed below (e.g., "Internal, Active Employee" or "Service Account, Non-employee").

Below are the statuses and definitions if you have an HRIS data integration configured:

| Identity Intelligence Status | Compiled status | Definition |
| --- | --- | --- |
| Active | Active Employee | User's HRIS employment account exists and is authorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days |
| Active | Non-employee | User's HRIS employment account does not exist and is unauthorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days |
| Inactive | Inactive Employee | User's HRIS employment account exists and is authorized. User is authorized in the IdP, but has not had activity in an IdP in the last 30 days |
| Inactive | Non-employee | User's HRIS employment account does not exist and is unauthorized. User is authorized in an IdP, but has not had activity in an IdP in the last 30 days |
| Deprovisioned | Deprovisioned | User's HRIS employment account exists, and the HRIS account and an IdP account are both unauthorized with no noted activity on an IdP; or user's HRIS employment account does not exist, and the HRIS account and the IdP account are both unauthorized with no noted activity on an IdP |
| Inconsistent | Non-employee | User's HRIS employment account does not exist, the user is unauthorized in both the HRIS and in an IdP, but there was activity noted on a data source after the user's IdP status changed |
| Inconsistent | Unauthorized Employee | See below |

Inconsistent Users

Users will be marked as inconsistent if we notice account status discrepancies that could pose significant security threats to your environment. Inconsistent Users can also highlight discrepancies that arose during user onboarding or offboarding. It is important to review Inconsistent Users regularly, because these users may still have access to internal systems that they are no longer supposed to have access to.

Users can be flagged as inconsistent for a variety of reasons. Below is a table visualization that maps what factors lead to each possible status, the compiled status, and inconsistency severity, if applicable.

If there is no HRIS data, a user will be marked as Inconsistent if:

  • User is authorized in a non-IdP data source, but does not have an IdP account associated

    • Example: User only has a GitHub account but no associated account in Okta, Azure, or G-Suite

  • User is unauthorized in the IdP, but has had activity in the IdP in the last 30 days

  • User is authorized in the IdP, but has had no activity in the IdP in the last 30 days and their user type from the IdP is listed as an External account or a Service Account
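
The no-HRIS rules above written out as a decision function, as an added example that is not Cisco Identity Intelligence's own code. The `UserRecord` shape, the "Undefined" fallback, the inclusive 30-day boundary, checking the Inconsistent conditions first, and the sample users are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# "in the last 30 days"; treating the boundary as inclusive is an assumption.
ACTIVITY_WINDOW = timedelta(days=30)
IDLE_FLAGGED_TYPES = {"External", "Service Account"}


@dataclass
class UserRecord:
    """Hypothetical record shape for this example, not a product schema."""
    name: str
    idp_authorized: Optional[bool]          # None: no IdP account is linked
    last_idp_activity: Optional[datetime]   # None: no activity seen
    user_type: Optional[str] = None         # user type reported by the IdP
    non_idp_authorized: bool = False        # e.g. a GitHub-only account


def high_level_status(u: UserRecord, now: datetime) -> str:
    """No-HRIS rules from the page; Inconsistent conditions are tested first."""
    if u.idp_authorized is None:
        # The page only defines the non-IdP-authorized case; returning
        # "Undefined" for anything else is an assumption of this example.
        return "Inconsistent" if u.non_idp_authorized else "Undefined"
    recent = (u.last_idp_activity is not None
              and now - u.last_idp_activity <= ACTIVITY_WINDOW)
    if not u.idp_authorized:
        # Unauthorized but still active is the offboarding gap to review.
        return "Inconsistent" if recent else "Deprovisioned"
    if recent:
        return "Active"
    # Authorized and idle: external and service accounts are flagged.
    return "Inconsistent" if u.user_type in IDLE_FLAGGED_TYPES else "Inactive"


def detailed_status(u: UserRecord, now: datetime) -> str:
    """User type plus high-level status; 'Missing' when the IdP has no type."""
    return f"{u.user_type or 'Missing'}, {high_level_status(u, now)}"


def review_queue(users: List[UserRecord], now: datetime) -> List[str]:
    """Names of the users an analyst should review as Inconsistent."""
    return [u.name for u in users if high_level_status(u, now) == "Inconsistent"]


# Constructed sample data: names, dates and types are invented.
NOW = datetime(2024, 6, 1)
SAMPLE_USERS = [
    UserRecord("alice", True, NOW - timedelta(days=7), "Internal"),
    UserRecord("bob", True, NOW - timedelta(days=90), "Internal"),
    UserRecord("carol", False, NOW - timedelta(days=4), "Internal"),
    UserRecord("dave", False, NOW - timedelta(days=140), "Internal"),
    UserRecord("svc-backup", True, NOW - timedelta(days=120), "Service Account"),
    UserRecord("gh-only", None, None, None, non_idp_authorized=True),
    UserRecord("erin", True, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user.name:12} {detailed_status(user, NOW)}")
    print("review:", review_queue(SAMPLE_USERS, NOW))
```
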

If there is HRIS data, in addition to the reasons above, a user will be marked as Inconsistent if:

  • User's HRIS account exists and is authorized, but the user is unauthorized in an IdP and there was activity noted on a data source after the user's IdP status changed

  • User's HRIS account exists and is authorized, but the user is unauthorized in an IdP

    • Note: If it is a newly created user account, the account will not flag as inconsistent, unless the user remains unauthorized in an IdP after 7 days

  • User's HRIS account exists but is not authorized, and the user is authorized in an IdP and has had activity in an IdP in the last 30 days

  • User's HRIS account exists but is not authorized, and the user is authorized in an IdP but has not had activity in an IdP in the last 30 days

  • User's HRIS account exists, the user is unauthorized in both the HRIS and an IdP, but there was activity noted on a data source after the user's IdP status changed

  • User's HRIS account does not exist, the user is unauthorized in both the HRIS and an IdP, but there was activity noted on a data source after the user's IdP status changed

  • User's HRIS account exists, the user is authorized in both the HRIS and an IdP, but the user type from the IdP is listed as an external account or a service account

    • Note: This applies regardless of the user's activity. The user may or may not have had activity in an IdP in the last 30 days.

  • User's HRIS account does not exist and is not authorized, but the user is authorized in an IdP and the user type from the IdP is listed as Employee or Contingent/Contractor

    • Note: This applies regardless of the user's activity. The user may or may not have had activity in an IdP in the last 30 days.

To learn what statuses are possible and what each IdP status means, please refer to the data source's documentation on user statuses. Examples: Okta, Duo

The Identity Intelligence status combines all of the user's IdP statuses with observability information based on the user's activity. If you have an HRIS system configured, it also includes the user's employment status from the HRIS system.

A high-level Identity Intelligence status can be seen in the Status column on the Users page.

A more detailed, compiled Identity Intelligence status can be seen on the User 360 tab, in the Summary widget, which is directly beneath the user's name and email. This compiled status combines the user type, taken directly from the IdP (e.g., internal, external, service account), and the Identity Intelligence status. If there is no user type in the IdP for that user, it will be marked as 'Missing'.

You can filter on Compiled Status as a basic filter on the Users page and/or add the field to the table as an additional column.
