Overview
Torii identifies users through their unique email addresses. Whenever a new email address is detected from an app or any other source, Torii generates a new user. This process ensures comprehensive tracking of app activities, aiding in cost-saving measures by uncovering instances where an individual has multiple user accounts for the same app.
People may have multiple emails associated with them across different systems due to various reasons (such as name change, domain change, emails used across different regions, among others).
For this reason, Torii’s Merge Users feature will automatically detect multiple email aliases for a single employee, providing IT the option to merge aliases with a single click of a button. By merging aliases, Torii provides a complete picture of each user’s apps, licenses, costs and more, as well as supporting automating actions across all users a person has.
The Merge Users feature currently supports merging users based on data coming in from an IDP source. You can choose to either:
- Merge users based on these fields in Azure Active Directory:
- “proxyAddresses”
- You can find this field in the Microsoft 365 admin center under Users → Active users → Manage username and email
- “Other emails”
- You can find this field in your Azure portal User management section under AllUsers → choose a user -> Edit properties -> Contact Information
- You can find this field in your Azure portal User management section under AllUsers → choose a user -> Edit properties -> Contact Information
- “proxyAddresses”
- Merge users based on the “Emails” field in Google Workspace, which takes data from these fields in the Google Workspace UI:
- “Contact information”
- “Alternate email addresses (email alias)”
- You can find these fields in the Google admin center under Users -> choose a user -> User information
Notes on updating your IDP Fields
- Each field has different specifications regarding which email addresses it can support:
| IDP | Email Field | Supported domains | Additional notes |
| Azure | “proxyAddresses” | Managed domains only | The user you want to add an alias to must have an Exchange Online license. Read Microsoft’s help article on this here |
| Azure | “Other emails” | Any email address | |
| “Alternate email addresses (email alias)” | Managed domains only | You cannot add an email that belongs to a user in a managed domain as an alias to another user | |
| “Contact information” | Non-managed domains only |
Configuring the Merge Users feature
To activate the merge users feature, navigate to the Settings → Users & Employees tab. Then, click on the “Configure Merge” button under the “Merge Users” section, and follow the instructions to set up the Merge Users feature. This should only take a few moments.
We highly recommend you select the “Email full changes report” and review the data before turning this feature on. In case of data discrepancy, please verify that user aliases configured in your IDP of choice are set up correctly. but don’t worry, this feature is completely reversible with no loss of data, should you choose to do so.
After configuring the Merge Users feature, you will be able to edit the merge configuration and/or revoke the merge from the Settings → Users & Employees tab. Selecting either option will reopen the wizard and inform you of the expected changes.
Where will I feel the effects of this feature?
Changes to the UI
Once Merge Users has been configured (and after a short sync), you will notice changes in Torii due to all “users” for a person being consolidated:
- User numbers will be updated to reflect the new user count in Torii.
- You will only be able to see the merged users in Torii - the individual users who comprise them have become their additional emails. You can still search for specific emails - they will lead you to the new merged user.
- App owners & other fields which point to a specific user (contract owner, workflow created by, etc.) will all be updated to reflect the relevant merged users.
- Annual cost & number of apps for each user will now be calculated based on all the users merged together for each person.
- The app catalog will display all apps a person has access to, from all their users combined.
- A new “email” column will be added in several areas on the UI to help explain to which of the user’s email the data is referring to. For example, when looking at unused licenses, you will still see who the user is, but you will also see which of their emails is associated with the unused license. This feature will help you take action on the correct emails within the apps and to differentiate in cases where a user has multiple emails in use for that app.
Changes to workflows and actions
For the most part, workflows and actions will continue to operate with no changes.
There are some exceptions:
- Actions which contact a user (such as sending an email, or via Slack) will always first attempt to contact the user’s primary email, regardless of which of their emails triggered the workflow.
- Actions which link a user to a ticket (such as Create Jira Cloud issue) will always first attempt to contact the user’s primary email, regardless of which of their emails triggered the workflow. If that email is not associated with the relevant software, Torii will find the email which is, and put it in the relevant field(s).
Changes to offboarding
With Merge Users feature turned on, when you begin offboarding for a user, all emails and app accounts associated with that user will be deprovisioned as per the offboarding settings you’ve defined in Torii.
The merged user’s status will be set based on the status of the user who was previously associated with the primary email of the merged user.
Here’s an example - let’s say we merge these users together: user1@example.com (current), and user2@example.com (past).
- If user1@example.com is the primary email for the merged user, then the merged user will be a current user.
- If user2@example.com is the primary email for the merged user, then the merged user will be a past user.
What about users in the process of being offboarded?
- User (and all their email aliases) will begin or stop offboarding together. A change in the status of the user’s primary email will apply to all other email aliases.
Changes to Torii Login
You will be able to continue logging into Torii using any email you used previously, retaining any permissions you had. This is true even if you are logging into Torii using a non-primary email.
Please note the following:
- If you have multiple admin users in Torii prior to enabling the Merge users feature, you can log into any one of them, and each login email retains its specific permission set - permissions are not combined or shared between a user's emails.
- We recommend you log into the Torii app catalog using your primary email address. Doing so will show you all applications you have access to from all your email combined. If you log into the app catalog with a secondary email, you will see only apps that email has access to.
Changes to Discovery
Torii’s browser extension supports discovery for email aliases - so any app discovered by the browser extension for any of a user's emails will count towards app discovery and usage for that user.
This is true as long as those aliases are from one of the domains configured for your Torii account. This is to prevent the browser extension from collecting information on private browsing sessions (i.e. if you @gmail email as an alias for your work email, the browser extension will not collect usage data for that email).
Important notes
- As a precaution in cases where merging users may lead to an incorrect state in Torii, we have elected not to merge specific users in the following cases:
- Employees (as defined by the employee SOT configuration) can’t be merged into other users. This is relevant for cases such as where a person’s email becomes their superior’s alias when they are terminated.
- If a user is an alias to multiple other users, they will not be merged. This is to prevent merging the wrong users together.
-
A user with aliases of their own cannot be merged into another user. This is to prevent cases where a user is an alias of an alias, and similar situations where the logic may break.
Q&A
Q: Why are some of my email aliases not appearing under my user's additional emails?
A: Under "additional emails", Torii shows all emails for which both of the following are true:
- The email is defined as an alias for your primary email address in your IDP
- The email was discovered from an integration or one of Torii's other discovery sources at least once. (i.e. if your personal email is set as an alias in Google, but you aren't using it in any work-related app, it will not have been discovered by Torii and shown in this field).