<@U04BCNGAATT> Hello. good question. can you first...
# talk-kratos
s
@aloof-oxygen-62624 Hello. Good question. Can you first post your identity schema here? Then we can have a discussion about how to achieve your goal.
a
This is still in the planning phase, so I don't have a proper identity schema yet. However, it would contain at least the e-mail as public metadata (not a trait)
s
That's standard anyway.
a
And some kind of private metadata containing the flag, so that such an automatic linkage can only happen once
The standard is an email as a mutable trait
As my app only allows social logins, such data should not be changed by the user
s
I don't really understand why you need webhooks (supported) when you have a data model for ids that contains your flags. Let's try to model that first. In general I think you can achieve your goals either way with Kratos
a
I'd need to implement automatic linking. I want an admin to be able to create an account before the user has ever logged in with a social login. This is so that the admin can configure some other data related to the user (such as permissions in other parts of the application) without the requirement of the user having logged in at least once
For example, we would give 10 users from an external company access to our application by creating users for them in our AAD IdP. We'd like to assign them certain permissions in our application, which are linked to Kratos identities, without having to wait before each of them logged in at least once into Kratos with their new AAD account
I hope this is understandable 🙂
s
Is AAD = Azure Active Directory?
a
Correct
It's configured as a social login in the Kratos instance
j
Have you considered storing the special flags in the AAD IdP instead of in Kratos? They could be added against the users there and requested by Kratos.
a
Thinking more about it, the lack of a social link in a Kratos identity would fulfill the same function as such a flag
As any identity without a linked social AAD account would be one of those "incomplete" users that should be linked against if they log in for the first time