
Megatrend: Distributed identity management

my-IAM, News

The digital transformation is not only changing business models, but also the way we deal with digital identities. Companies no longer just manage their internal employees, but also partners, customers, suppliers, external specialists, devices, and roles. These identities arise in different systems, spread across departments, locations, and company boundaries.

In this article, we explain why we consider distributed identity management to be a megatrend, how “distributed identities” and “distributed identity management” differ, and how it is used in practice.

Index

  • Identity in changing times
    • Increase in distributed identities
    • What is a digital identity?
    • Who or what counts as a digital identity?
  • Why move away from centralized management?
  • Distributed identity management: A paradigm shift
  • How the my-IAM platform unlocks the power of identities
    • Distributed identity management with my-IAM
    • RealIdentity consolidates identity data in real time
    • RealGroup consolidates groups
    • The right solutions in the front end
  • Summary
  • More about the my-IAM platform

Identity in changing times

Increase in distributed identities

Companies no longer have to deal only with their own employees. The number of identities within a company and outside its boundaries is growing exponentially—an effect of advancing digitalization and an irreversible trend that affects everyone.

Distributed identities across company boundaries

Companies are confronted with an exponentially growing number of identities, both within and outside the company.

It’s not easy to give good advice on how companies should deal with such a multitude of identities. How can you maintain an overview? And how can you generate real added value from the multitude of existing identities?

Even the definition of the term “identity” is open to interpretation. Does it refer to technical accounts or real people?

What is a digital identity?

Before we delve deeper into the topic, it is worth taking a brief look at the fundamental question: What do we mean by digital identity?

Basically, an identity refers to a uniquely identifiable entity that is systematically recorded and managed. This can be a natural person, such as an employee, but also an organization or a technical account. A printer would be classified as an entity, but not as an identity in the strict sense.

In a narrower sense, a digital identity is a “digital twin,” i.e., the image of a real person in the digital world.

👉 1:1, i.e., one person = one digital identity

  • It consolidates information such as user accounts, roles, rights, and attributes across different systems—for example, for email, ERP, Microsoft 365, or other applications. 
  • Often, a central account is used for this purpose, such as the AD account or, in cloud-based environments, Microsoft Entra ID. This primary account then serves as the basis for access and permissions in other systems.

Who or what counts as a digital identity?

However, the issue is more complex than that. Digital identities can also include:

  • External users such as guests or partners who have temporary access to systems,
  • Administrator accounts, which are usually managed separately from regular user accounts and are subject to special protection (e.g., via MFA, logging, or time restrictions),
  • Service and technical accounts, which are used for services, applications, or bots, for example—often without being directly assigned to a person,
  • Group or role identities that combine multiple users into a logical rights construct (e.g., AD groups),
  • and last but not least, organizations or companies themselves, which can act as separate entities with digital identities (e.g., in the context of federated identity management).

📎 In summary: Each company must define for itself what exactly constitutes a digital identity. This applies in particular to PIM accounts, i.e., admin accounts.

Why move away from centralized management?

For several years now, a clear trend has been emerging: the move away from traditional, centralized identity and access management (IAM) systems. Centralized IAM systems often fail due to the integration of heterogeneous directories and applications. Active Directory, Entra ID, SAP SuccessFactors, CRM systems, and specialized industry solutions all maintain their own identity logic.

👉 A comprehensive single point of truth is proving almost impossible to achieve.

Attempts to consolidate all identities centrally lead to

  • complex migration projects,
  • high operating costs, and
  • lengthy change management processes.

Added to this are security risks due to inconsistent group memberships, outdated permissions, and a lack of visibility into external access. Even simple tasks such as password changes or absence cover quickly overwhelm traditional help desks.

Distributed identity management: A paradigm shift

“Distributed identities” and “distributed identity management” represent different levels.

👥 Distributed identities describe the technical reality of multiple sources and forms of identity.

🧠 Distributed identity management represents a paradigm shift in organization:

  • Identity processes are transferred to specialist departments,
  • the burden on IT is reduced,
  • central control instances still retain an overview.

Distributed identity management leverages the distributed data landscape and orchestrates identities across existing systems. Instead of centralizing data, it is made accessible via standardized interfaces. Identities are maintained where they originate, with full transparency and control in the backend.

Distributed identity management accompanies digital identities throughout their entire lifecycle: from entry to role changes, internal transfers, absences, and leaving the firm.

How the my-IAM platform unlocks the power of identities

Distributed identity management with my-IAM

FirstAttribute’s my-IAM platform provides a native SaaS solution that supports this new logic. It acts as middleware between directories, specialist applications, and user interfaces. Identities are accessed via RealIdentity, while group management is handled by RealGroup.

Distributed identity management with the my-IAM platform services

my-IAM processes all status changes automatically. The platform recognizes relevant events and synchronizes them in real time across all connected systems. This ensures that the entire user lifecycle is mapped seamlessly, without overloading central interfaces or requiring manual corrections.

RealIdentity consolidates identity data in real time

RealIdentity consolidates identity and contact data from a wide range of source systems in real time, including Active Directory, Entra ID, SuccessFactors, CRM, and ERP systems. Intelligent matching logic ensures that duplicate names, different spellings, and multiple identities are correctly assigned. Prioritization and merging automatically resolve conflicts.

The application processes any type of object, including people, rooms, locations, and vehicles, and automatically synchronizes changes via RealTalk technology with Outlook, Teams, HR systems, or low-code applications. Employee profiles, permissions, and contact details are updated without IT intervention.

Distributed identity management: RealIdentity makes distributed identities usable

A practical example: A company replaces an old Notes directory with a Mendix app. The relevant identity data is distributed across Entra, AD, an HR system, and the CRM. RealIdentity creates a central view without changing the source systems. The application accesses structured, searchable data via API. Smart Search, role filters, and decentralized write permissions significantly improve the user experience.

Read this use case: Using different identity data for Mendix application

RealIdentity is therefore not a traditional IAM system. The solution does not require its own authentication, integrates into customer systems, and can be scaled flexibly. It supports headless access and complements existing IAM processes without replacing them. The my-IAM platform uses what is already available and offers an entry point exactly where action is needed.

RealGroup consolidates groups

RealGroup aggregates group information from AD, Entra ID, IAM systems, CMS, and specialist applications. Duplicates are removed, redundant entries are cleaned up, and memberships are synchronized. The group logic remains flexible: IT manages technical groups, HR controls organizational units, and specialist departments maintain their own project groups.

An example: The marketing department needs four different SharePoint access roles. RealGroup extracts members from Entra ID, creates target groups, and keeps them synchronized. All changes are made automatically. Admins manage AD and Entra groups centrally via the IDM-Portal. At the same time, departmental managers can maintain delegated roles.

RealGroup also delivers group information to SaaS services such as Salesforce, Microsoft 365, Google Workspace, CMS, internal applications, or security infrastructures.

The right solutions in the front end

A central element of the my-IAM platform is the IDM-Portal, an IAM solution from FirstAttribute. It combines an intuitive user interface with comprehensive process control.

Distributed identity management finds practical application in the IDM-Portal:

  • Employees can change their contact details, profile photos, or passwords themselves.
  • Approval processes, such as for password resets, can be configured easily.
  • Department heads can maintain substitution arrangements for absences directly in the portal.

All actions are logged and made traceable based on roles. IT remains in control at all times, but delegates operational tasks to specific departments as needed.

Distributed identity management: Manage different directories in a single interface

The IDM-Portal allows you to manage various directories and databases via a single interface.

With another application, PeopleConnect, FirstAttribute offers an app integrated into Microsoft Teams that makes all identities and groups accessible as a global identity directory.

Users can find colleagues, responsibilities, departments, or teams via context-sensitive search suggestions. They can start chats or meetings directly from the app or use groups as distribution lists. In the background, RealIdentity and RealGroup ensure that data is always up to date and filter information according to user roles or location.

my-IAM PeopleConnect

my-IAM PeopleConnect displays identities from different source systems.

Summary

Digitalization presents companies with a number of challenges. The pace of modern working environments leaves no time for rigid processes or outdated methods. A new, flexible approach to managing distributed identities is needed. Companies are faced with the task of managing identities efficiently without losing track of who has access to what and why.

Distributed identity management brings order to this complex landscape. It does not rely on centralization, but on the intelligent orchestration of distributed identities across existing systems.

A key principle of the my-IAM platform is digitization without centralization. RealIdentity does not interfere with existing systems, but integrates seamlessly via standard interfaces. Data remains in its original system environment. Employees continue to use familiar applications, while identity and group data are automatically processed across systems. This reduces project complexity and enables rapid implementation without restructuring the IT landscape.

More about the my-IAM platform

The my-IAM platform from FirstAttribute unites all identities from various source systems and makes them usable for any kind of application or app. In addition to the Teams-integrated solution my-IAM PeopleConnect, it includes the business services my-IAM RealIdentity and my-IAM RealGroup.

You can also reach our team by phone at +49 81 969 984 330.

Article created on: 01.07.2025
Tags: distributed identities, distributed identity management