
Why is an identity missing or duplicated?


Certification Center builds a person-centric view of your organization: one identity is a real person, and that person can hold several accounts across your connected directories (for example an Active Directory account and an Entra ID account). When an expected person is missing, or the same person shows up twice, it almost always comes down to how their accounts were read from the source directory and matched together. This guide walks through the common cases.

A person I expected is missing entirely

Symptoms:

  • Someone who exists in your directory does not appear anywhere in Certification Center.

Cause: Their account was never read from the source, either because the connector lacks permission to see it, because it is a type the connector skips, or because the directory that holds it has not been connected yet.

Fix:

  1. Confirm the directory that holds the account is connected and has completed at least one successful sync.
  2. Check the account type. Guests, external identities, and disabled accounts may be excluded depending on the connector. Confirm the read permissions in Least-privilege permissions for each connector.
  3. If the connection returns fewer accounts than expected overall, work through Troubleshooting cloud directory connections first, then re-sync.

An account has no owner (orphaned account)

Symptoms:

  • An account appears but is not attached to a person, or is flagged as orphaned.

Cause: An orphaned account is one that could not be matched to a real identity, or whose owner has left. Common examples are shared mailboxes, service or automation accounts, and accounts left behind after an employee departed. These are exactly the accounts an access review is meant to surface.

Fix:

  1. Decide what the account is. If it is a genuine person, matching (below) will attach it. If it is a service or shared account, it should be governed as one, not left unowned.
  2. Bring orphaned accounts into an access review so an owner is assigned or the account is revoked. See the reviewer workflow in Reviewer guide: how to approve or revoke access.

Important: Orphaned and stale accounts are a real access risk, not just noise. Surfacing them is a feature, not a fault. Route them through a certification so each one is explicitly kept or removed with an audit trail.

The same person appears twice (duplicate identity)

Symptoms:

  • One real person shows up as two separate identities.

Cause: The person holds accounts in more than one directory (or two accounts in the same directory) and the accounts did not share a common matching value, so Certification Center could not tell they belong to the same person. Matching relies on a consistent attribute across sources, most often the primary email or user principal name.

Fix:

  1. Compare the two entries and find where they differ. A mismatched or missing email, a maiden vs. married name, or a contractor account under a different domain are the usual culprits.
  2. Correct the mismatched attribute in the source directory so the two accounts share a common value, then re-sync. Certification Center reads from the source, so fixing it there is what makes the match durable.
  3. If the accounts legitimately cannot share an attribute, contact support so we can advise on matching for your workspace.

Tip: Fix duplicates at the source, not by hand each cycle. A person who is duplicated because two directories disagree on their email will keep re-duplicating every sync until the source data agrees.

The count does not match my directory

Symptoms:

  • The number of identities is higher or lower than the raw object count in your directory.

Cause: This is usually expected. Certification Center collapses multiple accounts for one person into a single identity, so the identity count is normally lower than the total account count. It also excludes account types the connector does not read. A higher-than-expected count usually points to duplicates (see above).

Fix:

  1. Remember that identities count people, not accounts. One person with three accounts is one identity. This is also how billing counts identities under governance.
  2. If the count is higher than the number of real people, look for duplicates and resolve them at the source.
  3. Re-sync after any source correction and re-check the count.
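The matching and counting behaviour described in "The same person appears twice" and "The count does not match my directory", as an added example that is not Certification Center's own code or matching logic: a pre-sync check over directory exports that collapses accounts sharing a match value and lists the ones that will not match. The field names, the "mail, else upn" fallback, and the display-name heuristic are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample rows standing in for two directory exports (not real data).
# Field names and the "mail, else upn" fallback are assumptions for this sketch.
ACCOUNTS = [
    {"directory": "AD", "account": "jdoe", "name": "Jane Doe", "mail": "Jane.Doe@example.com"},
    {"directory": "Entra", "account": "jane.doe", "name": "Jane Doe", "upn": "jane.doe@example.com "},
    {"directory": "AD", "account": "bkim", "name": "Bo Kim", "mail": "bo.kim@example.com"},
    {"directory": "Entra", "account": "bo.kim.ext", "name": "Bo  Kim", "mail": "bo.kim@contractor.example"},
    {"directory": "AD", "account": "svc-backup", "name": "svc-backup", "mail": ""},
]


def match_key(acct):
    """Normalized matching value (trimmed, lower-cased); None if nothing is set."""
    for field in ("mail", "upn"):
        value = (acct.get(field) or "").strip().lower()
        if value:
            return value
    return None


def reconcile(accounts):
    """Collapse accounts that share a match key into one identity each."""
    identities = defaultdict(list)  # match key -> account names
    unmatched = []                  # no key at all: orphan candidates
    for acct in accounts:
        key = match_key(acct)
        if key is None:
            unmatched.append(acct["account"])
        else:
            identities[key].append(acct["account"])
    return dict(identities), unmatched


def suspected_duplicates(accounts):
    """Heuristic: one display name spread over several match keys."""
    keys_by_name = defaultdict(set)
    for acct in accounts:
        key = match_key(acct)
        if key:
            keys_by_name[" ".join(acct["name"].lower().split())].add(key)
    return {n: sorted(k) for n, k in keys_by_name.items() if len(k) > 1}


if __name__ == "__main__":
    identities, unmatched = reconcile(ACCOUNTS)
    print(f"{len(ACCOUNTS)} accounts -> {len(identities)} identities")
    print("orphan candidates:", unmatched)
    print("fix at source:", suspected_duplicates(ACCOUNTS))
```

The display-name heuristic only catches people whose name is spelled the same in both exports; a renamed person (maiden vs. married name) still needs a manual comparison of the two entries.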

Still stuck?

Email support@certification-center.com and include:

  1. The person's name and the accounts you expect them to have.
  2. Which directories those accounts live in.
  3. Whether the person is missing, orphaned, or duplicated.
  4. Any recent source-directory changes (renames, email changes, new domains).
