Blackbaud ID

Bryna Gleich, Blackbaud Employee

We recently made changes to account management to enhance security for all user accounts.

In this post, we'll review the backstory, share feedback we heard, outline improvements we plan to make to reduce potential negative impacts, and list the steps you can take to manage accounts for your school community.

Blackbaud ID History  

Prior to the Blackbaud ID requirement for authentication, non-Blackbaud ID accounts inactive for 13 months (395 days) were automatically disabled in Blackbaud's education management solutions to reduce security risks. 

In September 2022, all logins were switched to Blackbaud ID (BBID), which uses an email address as a user's identity. BBID accounts may use social sign-ins (Apple, Google), single sign-on via your school’s identity provider, or personal email addresses. Any Blackbaud ID account Registered with Education Management is associated with the organization through which the user authenticates. As a result, when a user updates their BBID username, the username is also updated in Education Management.

BBID enforces password changes every six months and marks accounts inactive if dormant too long. If a Blackbaud ID account has no activity for two years (730 days) and is not associated with any organization, personally identifiable information (PII)—including username and names—is redacted to comply with data privacy laws. 

When an account is disabled or marked inactive in Education Management, then the BBID account is no longer associated with your school’s organization. Thus, only accounts that are inactive for 730 days and disconnected from Education Management risk having their BBID username (email address) redacted, if they aren’t also connected to another organization’s solution. 

Inactivity alone does not trigger a redaction of the BBID account. It must also be completely disconnected from all organizations. 

What changed? 

As of September 9, Education Management expanded its account inactivation logic to include BBID-connected accounts. Initially, a large number of users were inactivated because they had not logged in within the last 395 days, and in some cases not for as long as 5 years. Each night, up to 500 dormant accounts per school are marked inactive after 395 days. If your school has many dormant accounts, this process may take several nights.

Because a BBID can be connected to multiple solutions or organizations, inactivation in your instance of Education Management (BEM) may or may not trigger redaction.  Here are a few examples: 

| BEM user at your school | Last login elsewhere | Last BEM login (at your school) | BEM account status | Blackbaud ID status |
|---|---|---|---|---|
| Staff | Logged into RE NXT 3 days ago | 3 years ago | Inactive | Active |
| Parent | Logged into another school 3 days ago | 3 years ago | Inactive | Active |
| Parent | None | 7 months ago | Active | Inactive – password reset required |
| Parent | None | 400 days ago | Inactive | Inactive – password reset required |
| Parent | None | Over 2 years ago | Inactive | Redacted |

When a BBID account is synced to Education Management, has no activity for 730 days, and isn’t connected to any organization, Education Management will now also show a redacted email address as the user's username.

What’s the issue? 

For most dormant users, this change does not impact their experience—they have not used the system in two years or more. 

However, some schools rely on the username field for use in other systems.  Young students or some parents who don’t log into Education Management may use an integrated tool that depends on the username (email address), such as Classlink.  

Rest assured: Parents and alums inactive for 395 days who have logged in within 730 days have not been redacted.   

Check out the Users List in Core and view the column for Last Login to see users who may be at risk of inactivation (13 months/395 days) or redaction (2 years/730 days).  Note: We only store login information for 2 years.  Absence of a last login date means the user has either never logged in or their last login was more than 2 years ago. 

What is Blackbaud doing?

We’re listening to your feedback and we’ve identified several ways we can improve this experience.  

  • We have temporarily paused the process of marking BBID accounts inactive in Education Management. We will notify you before resuming. 
  • In Core, Security, Blackbaud ID Authentication, we’ll add an option to Enable and Disable accounts in bulk, for users who are Registered or Awaiting response.  Note: These options already exist for Unregistered users. You can also do this from an individual’s Core user profile. 
    • We expect this change to make it easier for your school to reenable accounts in bulk, especially before contract season starts.  
    • With this change, you can disable Education Management for users who are still connected to Blackbaud ID.  
  • We’ll also add a column to show Last login date in Core, Security, Blackbaud ID Authentication, Registered. (This information already appears as a column in Core, Users, User list.) 
  • As of 9/30/25, we’ll preserve your data, instead of redacting it. When Education Management receives a redacted account from BBID, we’ll disconnect them.  
    • With this change, the original username (email address) will remain preserved in Education Management. We never redacted the first or last names, though they will still be redacted outside of Education Management. 
    • Since the username will be preserved in Education Management, integrations that depend on this information should continue to function. This is especially useful for schools with integrations, such as Classlink.
  • When BBID indicates that an account has been updated, deprecated, or forgotten, we’ll update the Access tab of their Core user profile, as well as their Login history. This will indicate when: 
    • User updated their BBID 
    • Identity provider (IdP) updated their BBID 
    • User disconnected their BBID 
    • User requested their BBID be disconnected 
    • User appears to have abandoned their BBID account 

We are thoroughly testing these changes to ensure a smooth experience and will communicate timelines as soon as possible. 

What can schools do?  

  • Regularly review inactive and disabled accounts to determine if they should remain connected to BBID. 
    • Go to Core, Security, Blackbaud ID Authentication, Registered. Show the column for Disabled. Clear the Filter for Hide disabled. Select the column header to sort the list and show disabled accounts on top. Review the accounts and take action when necessary.  
    • Then select Awaiting Response. Show the column for Disabled. Clear the Filter for Hide disabled. Select the column header to sort the list and show disabled accounts on top. Review the accounts and take action when necessary. 
  • Find users at risk of inactivation. 
    • Go to Core, Users, Users list in Core.  
    • View the column for Last login to review users who may be at risk of inactivation (13 months/395 days) or redaction (2 years/730 days). 
  • “Reset” the inactivity timer.  
    • Encourage users to log in to Education Management.
    • Manually enable accounts that were previously disabled or inactive in Education Management.  
    • Connect, reconnect, or invite an account to BBID. Do this in bulk or individually. 
  • Find redacted users. 
    • Go to Core, Users, Users list in Core. View the columns for Last login, Disabled, Username, and Authentication status. Search for “Redacted.”  
    • You can export this list, such as for use in Microsoft Excel.  
  • Reset the username of redacted users. 
    • Go to Core, Security, Blackbaud ID Authentication, Registered. Select the redacted users and then Disconnect them. Then go to Unregistered, reselect them, and choose Enable. Select them again and then choose Connect to BBID.  
    • If your community can wait a few weeks to re-enable users, you’ll soon be able to Re-Enable accounts in bulk from the Registered and Awaiting Response tabs.  Watch the Release notes for the announcement! 
  • Review and update your policies and procedures; consider adding the actions above. 
    • Check logins and accounts for parents before contract season.  
    • If your school has young users who rarely log in but use integrations (such as Classlink), we recommend you check their user logins and accounts annually. 
  • Contact support. If you have a large number of integrations which are interrupted by username redactions on or after September 9, we’ll revert them to the prior username value, based on our audit history.   
  • Stay informed. Watch for updates in What’s New and the user community. 
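
The Last login review in the steps above can be scripted against an exported Users list. This is an added example, not Blackbaud's code: the CSV layout, ISO date format, sample rows and 30-day warning window are assumptions, and it goes slightly beyond the post by flagging accounts shortly before they reach the 395- or 730-day thresholds.

```python
import csv
import io
from datetime import date

INACTIVATE_AFTER_DAYS = 395  # 13 months: Education Management marks the account inactive
REDACT_AFTER_DAYS = 730      # 2 years: BBID may redact once no organization is connected

# Constructed sample export. Column names follow the Users list columns named in
# the post; the CSV layout and ISO date format are assumptions.
SAMPLE_EXPORT = """\
Username,Last login,Disabled,Authentication status
parent.a@example.org,2025-09-20,No,Registered
parent.b@example.org,2024-09-15,No,Registered
alum.c@example.org,2023-10-20,Yes,Registered
student.d@example.org,,No,Registered
Redacted-0001@redacted.example,,Yes,Registered
"""


def classify(row, today, warn_days=30):
    """Bucket one exported user row against the 395- and 730-day thresholds."""
    if "redacted" in row["Username"].lower():
        return "redacted"
    last_login = row["Last login"].strip()
    if not last_login:
        # Login history is kept for 2 years: never logged in, or longer ago than that.
        return "no-login-on-record"
    idle_days = (today - date.fromisoformat(last_login)).days
    if idle_days >= REDACT_AFTER_DAYS - warn_days:
        return "redaction-window"
    if idle_days >= INACTIVATE_AFTER_DAYS - warn_days:
        return "inactivation-window"
    return "ok"


def audit(csv_text, today, warn_days=30):
    """Group usernames by bucket so each list can be reviewed or re-enabled."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row, today, warn_days), []).append(row["Username"])
    return buckets


if __name__ == "__main__":
    for bucket, users in audit(SAMPLE_EXPORT, date(2025, 10, 1)).items():
        print(f"{bucket}: {', '.join(users)}")
```

An account in the redaction window is only redacted if it is also disconnected from every organization, which a single school's export cannot show.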

Summary 

Although we implemented the changes to enhance security and data privacy, we wish to acknowledge the disruption they caused and mitigate potential negative impacts on our school communities.   

We have temporarily paused the automated inactivation process. We’ll resume after making improvements that streamline user management, thanks to feedback from users like you! 

Please review our action plan and recommendations. Help us protect users by monitoring inactive accounts, reconnecting valid ones, and encouraging users to log in regularly.

Comments

  • Thank you! This would have been very useful information before the change was made, and I appreciate the planned enhancements to manage the process going forward. I hadn't realized that faculty and students on our SSO would be affected as well as our parents who have external authentication.

  • Why are accounts linked to SSO included in this inactivity process? According to this knowledgebase article they shouldn't be. Why is a user's account inactivated? In your chart above you don't mention students or SSO at all. Can you please address that? Further, this process of updating the user name to redacted.com (which by the way is a real domain that you don't own) triggers the record to be marked as updated and thus attempted to be synced by Connect:RE. Most of these accounts are Alum / Past students which are dormant and then they suddenly pop up as updated, causing huge issues.

  • I have a case open (Blackbaud Support Case 020604503) and I am told that I will have to go and disconnect and reconnect students that are redacted in this way. No Current Student with SSO should be deactivated ever.