EmpowerID Logs

EmpowerID maintains permanent logs of all activity and transactions that occur in the system. User logins and all other activity within the EmpowerID system are logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction.

Log Types Overview

EmpowerID provides several categories of logs accessible through the web interface:

  • Audit Logs - Track all operations, attribute changes, new objects, and membership changes
  • System Reports - Over 75 built-in reports covering accounts, groups, people, security, and compliance
  • Inbox Logs - Monitor account provisioning and resource entitlement processing
  • Login History - Track authentication attempts and session information
  • Workflow Errors - Capture exceptions during workflow execution for troubleshooting

Audit Log

You can view audit logs in the web interface by expanding System Logs and clicking Audit Log.

Operation Audit Log

All activity within the EmpowerID system that impacts any protected resource object, such as user accounts, person objects and groups, is logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction.

Attribute Changes

EmpowerID monitors any changes currently taking place within your directories and between EmpowerID and those external directories.

Changes detected in external systems can be viewed under Inbound Attribute Changes while any changes occurring within EmpowerID that are being passed to another system can be viewed under Outbound Attribute Changes. Outbound changes are processed by the Directory Change Processor job.

New Objects

The EmpowerID inventory engine monitors all connected systems for changes. One primary type of change detected is the creation of new objects within managed systems, such as Azure Active Directory or SharePoint Online.

Membership Changes

EmpowerID's inventory process detects all changes to group membership and logs these changes for reporting and enforcement purposes. Both changes made via EmpowerID workflows and changes to group memberships made outside of EmpowerID with native tools are captured and classified by the change source.

System Reports

EmpowerID provides over 75 reports out of the box to allow you to view information about the current status of your environment. Each report provides information pertinent to the resource type associated with the report, is searchable and provides links to initiate related workflows or view a specific resource contained in the report. Additionally, each grid in the user interfaces provides an Export button that allows you to download grid information as an Excel sheet.

Reports can be accessed by clicking Reports under System Logs.

Report Categories

Reports are organized into the following categories:

Account Reports - Monitor account status, security settings, password policies, login activity, ownership, and expiration. Examples include accounts with expired passwords, accounts that haven't logged in for 90 days, privileged accounts, and accounts without responsible parties.

Group Reports - Track group membership, security classifications, ownership, and lifecycle status. Examples include empty groups, high security groups, groups without responsible parties, possible stale groups, and groups expiring within specified timeframes.

People Reports - View person status, enrollment, login activity, access assignments, and verification status. Examples include people created recently, people not enrolled for password reset, duplicate contact information, and people with verified communication channels.

Security and Risk Reports - Identify high-risk accounts, groups, and people based on security classifications and calculated risk scores. Examples include high security groups, riskiest groups and people based on access capabilities, and accounts with privileged access.

Recertification Reports - Monitor access certification campaigns and fulfillment status. Examples include recertification revokes by status (completed, failed, in progress, ignored), fulfillment actions, and certification status by location.

Access Assignment Reports - View direct and inherited access assignments for people, including current assignments, expiring assignments, and assignments for direct reports.

Compliance Reports - Track password manager enrollment, audit log data, and accounts without proper ownership or management relationships.

Inbox Logs

Account Inbox

EmpowerID flows all new accounts through the Account Inbox, which determines – based on configurable join and provision rules – whether the new account is an account that should be joined to an existing person, an account that needs to have a new person provisioned for it, or an account that should be ignored. The Account Inbox can be accessed by expanding Identity Lifecycle and clicking Account Inbox.

The Account Inbox provides four log views:

All

Displays all external accounts that have been processed by the Account Inbox and their status within the system.

| Field | Description |
| --- | --- |
| Processed (Ago) | The time and date the external account was processed by the inbox |
| Result | The processing result for the account: No result – The account has not been processed; Ignored – The account does not meet the conditions specified by the Join and Provision Rules; Provisioned – A new EmpowerID Person has been provisioned and joined to the account; Joined – The account meets the conditions of the Join rule and has been joined to an existing EmpowerID Person |
| Logon Name | The logon name of the account |
| Domain or Directory | The domain from where the account was inventoried |
| EmpowerID Logon | The login of the EmpowerID Person that was provisioned or joined to the account, if any |
| Last Login | The last login of the person account |
| Process Status | Displays whether the account was processed by the Account Inbox: 0 – Unprocessed; 1 – Ignored; 2 – Processed |
| Display Name | The name for the user account in the EmpowerID user interfaces |
| Deleted | Displays whether the account has been deleted in EmpowerID |
| Distinguished Name | Distinguished name of the account |
| Disabled | Displays whether the user is disabled |
| Employee ID | Employee ID set for the account |
| Employee ID Other | Value set for the Employee ID other attribute |
| eMail | Email address for the user account |
| Person Deleted | Displays whether the Person linked to the account has been deleted in EmpowerID |
| Discovered | Date and time the account was discovered in the external system by EmpowerID (inventory) |
| Processed By Server | The server that processed the account entry |
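
The fields of the All view support a recurring identity-hygiene review. The following is an added example, not EmpowerID code: it assumes the grid export has been saved as CSV with the field names above as column headers and True/False in the flag columns, and the sample rows are constructed.

```python
import csv
import io

# Process Status codes as documented for the Account Inbox "All" view.
PROCESS_STATUS = {"0": "Unprocessed", "1": "Ignored", "2": "Processed"}

# Constructed sample rows; column names follow the "All" view fields.
# Assumption: the grid export was saved as CSV and flags hold True/False.
SAMPLE_EXPORT = """\
Logon Name,Domain or Directory,Result,Process Status,Disabled,Deleted,Person Deleted,EmpowerID Logon
jdoe,corp.example,Joined,2,False,False,False,jdoe
asmith,corp.example,Joined,2,False,False,True,asmith
svc-backup,corp.example,Ignored,1,False,False,False,
tmp-contractor,corp.example,No result,0,False,False,False,
old-user,corp.example,Provisioned,2,True,False,True,olduser
"""


def is_true(value):
    """Interpret an exported flag; blank or missing cells count as False."""
    return (value or "").strip().lower() == "true"


def review_account_inbox(csv_text):
    """Group enabled, non-deleted accounts that need attention, keyed by reason."""
    findings = {"linked_to_deleted_person": [], "ignored": [], "unprocessed": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_true(row.get("Disabled")) or is_true(row.get("Deleted")):
            continue  # disabled or deleted accounts are out of scope here
        name = row["Logon Name"]
        status = PROCESS_STATUS.get((row.get("Process Status") or "").strip())
        if is_true(row.get("Person Deleted")):
            # Enabled account whose linked Person was deleted: access with no owner.
            findings["linked_to_deleted_person"].append(name)
        elif status == "Ignored":
            # Met neither the Join nor the Provision rules, so no Person is linked.
            findings["ignored"].append(name)
        elif status == "Unprocessed":
            findings["unprocessed"].append(name)
    return findings


if __name__ == "__main__":
    for reason, accounts in review_account_inbox(SAMPLE_EXPORT).items():
        print(reason, accounts)
```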

Proposed

Displays external accounts discovered by EmpowerID that were not processed for Person provisioning by the Account Inbox because a Person already exists. In these cases, the accounts are joined to their respective Person objects based on the Join rule.

| Field | Description |
| --- | --- |
| Discovered | Date and time the account was discovered in the external system by EmpowerID (inventory) |
| Result | The processing result for the account |
| Max Allowed Accounts | Maximum number of user accounts allowed for the EmpowerID Person as set on the account store |
| Person Display Name | Display name of the Person account |
| EmpowerID Logon | EmpowerID Logon of the Person account |
| Display Name | Display name of the user account |
| Logon Name | Logon name of the user account |
| Domain or Directory | The domain from where the account was inventoried |
| Distinguished Name | Distinguished name of the account |
| Last Login | Date and time of the last login by the EmpowerID Person linked to the account |
| Deleted | Specifies whether the account is deleted |
| Disabled | Specifies whether the account is disabled |
| Employee ID | Employee ID set for the account |
| Employee ID Other | Value set for the Employee ID other attribute |
| eMail | Email address for the user account |
| Person Deleted | Specifies whether the Person account is deleted |

Orphans

Displays all user accounts not linked to an EmpowerID Person.

| Field | Description |
| --- | --- |
| Logon Name | The logon name of the account |
| Domain or Directory | The domain from where the account was inventoried |
| Usage Type | The type of account |
| Display Name | The name for the account in the EmpowerID user interfaces |
| Description | Description of the account |
| Disabled | Whether the account is disabled |
| Distinguished Name | Distinguished name of the account in EmpowerID |
| First Name | First name, if any |
| Last Name | Last name, if any |

Dashboard

Provides a visual summary of Account Inbox information.

Provisioning (RET) Inbox

The Provisioning (RET) Inbox continuously evaluates Provisioning (RET) policies, comparing those policies to information obtained from connected directories and resource systems. The inbox process determines mismatches between the resources (user accounts, mailboxes, etc.) a person should have (according to the RET policies they receive) and the resources they actually have.

If mismatches are present, entries are created in the RET Inbox to record what provisions, de-provisions, or moves are required to rectify these differences. EmpowerID then processes those changes to perform the recommended actions. The RET Inbox can be accessed by expanding Identity Lifecycle and clicking Provisioning (RET) Inbox.

The Provisioning (RET) Inbox displays all resource entitlement entries with the following information:

| Field | Description |
| --- | --- |
| ID | Unique identifier for the entry |
| Processed (Ago) | Hours and minutes from the current time that the entry was processed |
| RET Action | Displays the action to be taken by the system for the entry (Grant or Revoke) |
| Entitlement Type | The resource to be granted or revoked (e.g., Azure AD User Account) |
| Processed By Server | The server that processed the entry |
| Resource | Provides a link to the View page for the specific resource processed for the entry |
| Resource System | The resource system (e.g., Azure tenant) where the entitlement was granted or revoked |
| EmpowerID Login | The login of the EmpowerID Person receiving the resource entitlement action |
| Resource Entitlement (Provisioning Policy) | The Provisioning policy linked to the resource entitlement |
| Process Status | Displays the process status of the resource entitlement entry: Not processed; In Progress; Processed; Error |

Login History

EmpowerID automatically logs all login attempts to EmpowerID or to any system using EmpowerID for login authentication. The Login History log provides a convenient searchable view of these login events. The log can be viewed by expanding Apps and Authentication and selecting Login History.

The Login History provides three logging views:

Login History

Displays all logins for all users with the following fields:

| Field | Description |
| --- | --- |
| When (Ago) | The number of days, hours and minutes from the current time that the login attempt occurred |
| Who | The person who attempted to log in; could be anonymous |
| Successful | Displays whether the login attempt succeeded |
| Message | Displays details about the login attempt and the reason for failure, if any |
| Level of Assurance (LoA) | Number of points required for the login, if any. This is derived from the Password Manager Policy of the person |
| Speed (Miles per Hour) | Speed traveled for login, if any |
| EmpowerID Login | The EmpowerID login of the person |
| Identity Provider | The IdP used to authenticate the person |
| Service Provider | The service provider (SP) |
| Device | Device used to log in |
| Method | Login method (e.g., WEB) |
| IP | IP recorded for the login attempt |
| City | City from where the login attempt originated |
| State | State from where the login attempt originated |
| Country | Country from where the login attempt originated |
| Organization | Organization of the person attempting to log in |
| User Name | User name of the person |
| Failure Reason | Reason for login failure, if any |
| Date | Date and time of the login attempt |
| Browser Technical Details | Browser used |
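
The Successful, Speed (Miles per Hour), and IP fields are enough for a first-pass review of an exported Login History grid. The following is an added example, not EmpowerID code: it assumes the export has been saved as CSV with the field names above as column headers and True/False in Successful. Both thresholds are assumed values, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; column names follow the Login History fields above.
# Assumption: the grid export was saved as CSV and "Successful" holds True/False.
SAMPLE_EXPORT = """\
Date,Who,Successful,Failure Reason,Speed (Miles per Hour),IP,Country,Identity Provider
2024-05-01 08:00,Alice Example,True,,0,198.51.100.10,US,EmpowerID
2024-05-01 09:30,Alice Example,True,,3150.5,203.0.113.77,SG,EmpowerID
2024-05-01 09:41,Anonymous,False,Invalid password,,192.0.2.44,US,EmpowerID
2024-05-01 09:42,Anonymous,False,Invalid password,,192.0.2.44,US,EmpowerID
2024-05-01 09:43,Anonymous,False,Invalid password,,192.0.2.44,US,EmpowerID
2024-05-01 10:05,Bob Example,False,Invalid password,12,198.51.100.23,US,EmpowerID
"""

MAX_PLAUSIBLE_MPH = 600.0   # assumed threshold, roughly airliner speed
FAILURES_PER_IP = 3         # assumed threshold for a failed-login burst


def parse_speed(raw):
    """Return the speed as a float, or None when the cell is blank or malformed."""
    try:
        return float(raw.strip())
    except (AttributeError, ValueError):
        return None


def triage_logins(csv_text):
    """Return (impossible_travel_rows, {ip: failed_count}) for the export."""
    travel, failures = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        succeeded = (row.get("Successful") or "").strip().lower() == "true"
        speed = parse_speed(row.get("Speed (Miles per Hour)"))
        # A successful login at an implausible speed means two locations were
        # used faster than a person could travel between them.
        if succeeded and speed is not None and speed > MAX_PLAUSIBLE_MPH:
            travel.append((row["Date"], row["Who"], row["IP"], speed))
        if not succeeded:
            failures[row["IP"]] += 1
    bursts = {ip: n for ip, n in failures.items() if n >= FAILURES_PER_IP}
    return travel, bursts


if __name__ == "__main__":
    print(triage_logins(SAMPLE_EXPORT))
```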

My Reports Logins

Displays all logins for the direct reports of the current user. Fields include when the login occurred, person, method, success status, EmpowerID login, identity provider, service provider, device, level of assurance, IP address, speed, location information (city, state, country), organization, message, failure reason, and timestamp.

Recent Login Sessions

Displays all login sessions occurring within the last 48 hours. Fields include when the session occurred, person display name, user name, identity provider, service provider, IP address, device, and level of assurance.

Workflow Errors

The Workflow Error Log captures any exceptions thrown by EmpowerID during a workflow execution and provides a convenient way to locate problems when troubleshooting. The log displays fields that allow you to view where the error occurred, what account and which person was executing the workflow, the severity of the error, and other values. The Workflow Error log can be viewed by expanding Infrastructure Admin > EmpowerID Servers and Settings and selecting Workflow Errors.
