---
title: Understanding the Person-Centric Identity Model
category: Getting Started
tags: identity, person, objects, matching, multi-source, architecture
priority: High
---
Understanding the Person-Centric Identity Model
IdentityCenter uses a person-centric identity model that separates the concept of a real person from the accounts and objects that belong to them across multiple directory sources. This is the foundation of how IdentityCenter provides unified identity governance.
The Core Concept
In most organizations, a single employee has multiple accounts across different systems:
- An Active Directory account for Windows login
- An Entra ID (Azure AD) account for cloud services
- A mailbox object in Exchange
- Multiple group memberships
- Computer objects assigned to them
Traditional tools treat each of these as separate, unrelated items. IdentityCenter links them together under a single Person record.
Key Entities
Person (Identity)
A Person represents a real individual in your organization. The Person record contains:
| Field | Description |
|---|---|
| Display Name | The person's full name |
| Email | Primary email address |
| Department | Organizational department |
| Title | Job title |
| Manager | Direct manager (linked to another Person) |
| Status | Active, Inactive, or Terminated |
| Source | Which system is the authoritative source |
A Person is not imported directly from any directory. Instead, it is created automatically when objects are synchronized and matched.
Object (Identity Object)
An Object represents a specific account or entry from a connected directory source. Objects have:
| Field | Description |
|---|---|
| CN (Common Name) | The object's common name in the directory |
| DN (Distinguished Name) | Full LDAP path (e.g., CN=jsmith,OU=Users,DC=corp,DC=local) |
| Object Class | The type: user, group, computer, contact, organizationalUnit, etc. |
| Source Connection | Which directory connection this came from |
| Source Unique ID | The unique identifier from the source (objectGUID for AD) |
| Attributes | All synchronized attributes from the directory |
| IsActive | Whether the object is enabled in the source directory |
The Relationship
```
              ┌──────────────┐
              │    Person    │
              │ "John Smith" │
              └──────┬───────┘
                     │
        ┌────────────┼────────────┐
        │            │            │
┌───────▼──────┐ ┌───▼─────────┐ ┌▼─────────────┐
│  AD Object   │ │ Entra Object│ │ LDAP Object  │
│ jsmith@corp  │ │ john@tenant │ │ jsmith (HR)  │
└──────────────┘ └─────────────┘ └──────────────┘
```
One Person can have multiple Objects from different sources. This gives you:
- Unified view of all accounts belonging to one individual
- Cross-source correlation for access reviews
- Complete audit trail across all systems
- Orphan detection when accounts exist without a matching person
How Matching Works
When IdentityCenter synchronizes objects from a directory, the Internal Sync Step automatically matches objects to existing Persons or creates new ones.
Matching Rules
The matching process follows a priority-based approach:
- Email Match (highest confidence) - If the object's email matches an existing Person's email
- Employee ID Match - If the object's employeeID attribute matches
- Name + Department Match - Fuzzy matching on display name within the same department
- UPN Match - User Principal Name correlation
- Create New - If no match is found, a new Person is created
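The priority-ordered rules above, as an added example (not IdentityCenter's own code): a small Python model of the Internal Sync step that tries each rule against every existing Person before moving on to the next rule, records which rule linked each Object, and reports Persons that lack an Object from a given source. The attribute names, the 0.85 fuzzy-name cutoff and the three-source sample objects are assumptions.

```python
import difflib
import uuid

def norm(v):  # normalize an attribute value for comparison; None when absent
    return v.strip().lower() if v else None
def attr(o, k):
    return norm(o.get(k))
def name_similar(a, b, cutoff=0.85):  # fuzzy display-name comparison
    return bool(a and b) and difflib.SequenceMatcher(None, a, b).ratio() >= cutoff
# Matching rules in the page's priority order: (rule name, predicate(object, person)).
RULES = [
    ("email", lambda o, p: attr(o, "mail") and attr(o, "mail") == p["email"]),
    ("employeeID", lambda o, p: attr(o, "employeeID") and attr(o, "employeeID") == p["employee_id"]),
    ("name+department", lambda o, p: p["department"] and attr(o, "department") == p["department"]
                                     and name_similar(attr(o, "displayName"), norm(p["display_name"]))),
    ("upn", lambda o, p: attr(o, "userPrincipalName") and attr(o, "userPrincipalName") == p["upn"]),
]

def find_match(obj, persons):
    """Try each rule against every existing Person before falling through to the next rule."""
    for rule, hit in RULES:
        for p in persons:
            if hit(obj, p):
                return p, rule
    return None, "create"

def internal_sync(objects, persons=None):
    """Internal Sync step: link each Object to a Person, creating one when no rule hits."""
    persons = [] if persons is None else persons
    for obj in objects:
        person, rule = find_match(obj, persons)
        if person is None:
            person = {"id": str(uuid.uuid4()), "display_name": obj.get("displayName"),
                      "email": attr(obj, "mail"), "employee_id": attr(obj, "employeeID"),
                      "department": attr(obj, "department"), "upn": attr(obj, "userPrincipalName"),
                      "objects": []}
            persons.append(person)
        person["objects"].append((obj["source"], obj["id"], rule))  # record which rule linked it
    return persons

def missing_source(persons, source):  # Persons with no Object from `source`, e.g. no HR record
    return [p for p in persons if source not in {s for s, _, _ in p["objects"]}]
# Constructed sample objects (not product data); attribute names follow the page.
OBJECTS = [
    {"source": "AD", "id": "ad-1", "mail": "jsmith@corp.local", "employeeID": "1001", "displayName": "John Smith", "department": "IT"},
    {"source": "Entra", "id": "entra-1", "mail": "john@tenant.example", "employeeID": "1001", "displayName": "John Smith", "department": "IT"},
    {"source": "HR", "id": "hr-1", "displayName": "Jon Smith", "department": "IT"},  # no mail/employeeID; fuzzy name only
    {"source": "Entra", "id": "entra-2", "mail": "alee@tenant.example", "displayName": "Ann Lee", "department": "Sales"},
]
```

Each link records the rule that produced it, so links made by the fuzzy name+department rule can be reviewed separately from exact-identifier links; a wrong link folds one person's access into another person's record.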
Matching in Sync Workflows
Matching happens automatically as part of the sync workflow:
- Source Query step imports raw objects from the directory
- Object Commit step saves/updates objects in the database
- Internal Sync step matches objects to Persons
- Lookup step resolves manager relationships (DN to Person)
Object Classes
IdentityCenter supports 24 Active Directory object classes. The most commonly used are:
Primary Object Classes
| Object Class | LDAP Filter | Description |
|---|---|---|
| User | (&(objectClass=user)(objectCategory=person)) | Employee and service accounts |
| Group | (&(objectClass=group)(objectCategory=group)) | Security and distribution groups |
| Computer | (&(objectClass=computer)(objectCategory=computer)) | Domain-joined machines |
| Contact | (objectClass=contact) | External contacts (mail-enabled) |
| Organizational Unit | (objectClass=organizationalUnit) | OU structure |
Extended Object Classes
| Object Class | Description |
|---|---|
| gMSA (Group Managed Service Account) | Automated password service accounts |
| MSA (Managed Service Account) | Traditional managed service accounts |
| Printer | Network printers published in AD |
| Shared Folder | Published file shares |
| Foreign Security Principal | Cross-domain/forest trust objects |
| InetOrgPerson | RFC 2798 compliant person objects |
| DNS Zone | AD-integrated DNS zones |
| DNS Node | Individual DNS records |
| GPO (Group Policy Object) | Group Policy objects |
| Site | AD replication sites |
| Subnet | AD replication subnets |
| Site Link | Replication topology links |
| Trust | Domain/forest trust relationships |
| Schema Class | AD schema class definitions |
| Schema Attribute | AD schema attribute definitions |
| PKI Certificate Template | Certificate Services templates |
| PKI Enrollment Service | Certificate enrollment services |
| Service Connection Point | Service discovery objects |
Manager Resolution
IdentityCenter resolves manager hierarchies across your organization:
- AD stores managers as Distinguished Name references (e.g., CN=Jane Doe,OU=Managers,DC=corp,DC=local)
- The Lookup Step in the sync workflow resolves these DN references to actual Object GUIDs
- Objects are then linked to their manager's Person record
- This builds a complete organizational chart automatically
How It Works
```
AD Object (jsmith)                     IdentityCenter
─────────────────                      ──────────────
manager: CN=jdoe,OU=...    ──────►     ManagerObjectId: {guid}
                                       ManagerPersonId: {guid}
                                               │
                                               ▼
                                       Person: Jane Doe
```
The lookup step is generic — it works for any object type that has a manager attribute, not just users.
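The DN-to-Person resolution described above, as an added example (not the product's own Lookup step): normalize DNs for comparison, resolve each manager DN to the manager's object id and Person id, report manager DNs that match no synchronized object, and walk the resulting chain upward with cycle protection. The field names and sample objects are assumptions.

```python
import re

def normalize_dn(dn):
    """Case-fold a DN and trim spaces around unescaped commas so that DNs differing only
    in case or spacing compare equal (simplified; not a full RFC 4514 parser)."""
    return ",".join(part.strip().lower() for part in re.split(r"(?<!\\),", dn))

def resolve_managers(objects):
    """Lookup step: map each object's manager DN to the manager's object id and Person id.
    Returns (resolved, unresolved); unresolved holds (object id, manager DN) pairs whose DN
    matches no synchronized object, e.g. a manager that was deleted or lives in another source."""
    by_dn = {normalize_dn(o["dn"]): o for o in objects}
    resolved, unresolved = {}, []
    for o in objects:
        mgr_dn = o.get("manager")
        if not mgr_dn:
            continue  # no manager attribute: nothing to resolve
        mgr = by_dn.get(normalize_dn(mgr_dn))
        if mgr is None:
            unresolved.append((o["id"], mgr_dn))
        else:
            resolved[o["id"]] = {"ManagerObjectId": mgr["id"], "ManagerPersonId": mgr["person_id"]}
    return resolved, unresolved

def reporting_chain(person_id, objects, resolved):
    """Walk Person -> manager Person upward using any of the person's resolved objects.
    Stops at the top of the chart or when a link points back into the chain (a cycle)."""
    links = {}
    for o in objects:
        if o["id"] in resolved:
            links.setdefault(o["person_id"], resolved[o["id"]]["ManagerPersonId"])
    chain, seen = [], {person_id}
    while person_id in links and links[person_id] not in seen:
        person_id = links[person_id]
        seen.add(person_id)
        chain.append(person_id)
    return chain

# Constructed sample objects (not product data): directory DN, object id, the linked
# Person id, and the manager attribute exactly as AD stores it (a DN).
OBJECTS = [
    {"id": "obj-1", "dn": "CN=jsmith,OU=Users,DC=corp,DC=local", "person_id": "p-john",
     "manager": "CN=Jane Doe,OU=Managers,DC=corp,DC=local"},
    {"id": "obj-2", "dn": "CN=Jane Doe,OU=Managers,DC=corp,DC=local", "person_id": "p-jane",
     "manager": "cn=ceo, ou=managers, dc=corp, dc=local"},  # same DN, different case/spacing
    {"id": "obj-3", "dn": "CN=CEO,OU=Managers,DC=corp,DC=local", "person_id": "p-ceo", "manager": None},
    {"id": "obj-4", "dn": "CN=svc-backup,OU=Service,DC=corp,DC=local", "person_id": "p-svc",
     "manager": "CN=Former Mgr,OU=Managers,DC=corp,DC=local"},  # points at an object that no longer exists
]
```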
Multi-Source Identity Correlation
When you connect multiple directory sources, IdentityCenter correlates identities across them:
Example Scenario
Your organization has:
- Corporate AD (corp.local) — 500 users
- Cloud Entra ID (company.onmicrosoft.com) — 500 users
- HR LDAP — 480 records
After syncing all three:
- IdentityCenter creates ~500 Person records
- Each Person has up to 3 linked Objects (one per source)
- 20 cloud-only accounts are flagged (no HR match)
- Orphaned accounts are detected automatically
Correlation Benefits
| Benefit | Description |
|---|---|
| Single Pane of Glass | View all accounts for one person in one place |
| Orphan Detection | Accounts that exist in AD but not in HR are flagged |
| Access Aggregation | See total group memberships across all sources |
| Compliance Reviews | Review all access for a person, not per-system |
| Automated Deprovisioning | When HR removes someone, find all their accounts |
Best Practices
- Start with one source — Connect your primary AD first, let it sync and create Person records
- Add sources incrementally — Each new source will match against existing Persons
- Use email as primary match — It's the most reliable cross-source identifier
- Review unmatched objects — Check the Objects browser for items that didn't match to a Person
- Set an authoritative source — Decide which system is the "source of truth" for each attribute (e.g., HR for department/title, AD for login details)
Next Steps
- Quick Start Guide — Set up your first sync
- Auto Sync Projects — Auto-create sync projects for all 24 object classes
- Directory Browser — Explore your synchronized objects
- Access Reviews Overview — Start reviewing access across sources