This article is based on SentinelOne community documentation about LDAP and Entra for the purpose of identifying user accounts.
Enhanced Guide:
Introduction
This guide explains how Guardz automatically maps SentinelOne (S1) endpoints to users using LDAP and Entra ID (formerly Azure AD).
Why is this important?
Connect threats to users π‘οΈ β Helps link SentinelOne detections to end users.
Improved investigation & response π β Provides context to security events, making incident response faster and more efficient.
Actionable remediation β‘ β Ensures issues are addressed by the right people in your organization.
This feature is compatible with both Guardz Managed SentinelOne (S1) and BYO-S1 (Bring Your Own SentinelOne).
How It Works
The Auto Association feature in Guardz maps SentinelOne endpoint data to known users in your organization profile (from Microsoft 365 & Google Workspace).
π οΈ Data Sources
Guardz relies on SentinelOneβs ability to retrieve user login information from:
βLDAP / Active Directory (AD) β No additional setup is required in Guardz.Entra ID (Azure AD) β Requires specific permissions & conditions to function properly.
Once SentinelOne retrieves the logged-in user information, Guardz automatically assigns the endpoint to the correct user in your organization.
Requirements & Setup
LDAP / Active Directory (AD) Integration
Fully automated β No setup is required in Guardz.
SentinelOne will pull user data automatically if AD integration is enabled in your environment.
No configuration of an AD server is needed within Guardz.
π‘ Note: Guardz does not provide technical support for LDAP-specific issues within SentinelOne.
Entra ID (Azure AD) Integration
Entra ID auto-association requires additional conditions to function correctly.
SentinelOne Agent Version β The S1 agent must be v23.4.5 or later.
Entra Graph API Access β Logins must not be throttled, blocked, or restricted by Microsoft security policies.
User Login Method β Users must log in individually to their endpoints using M365 credentials (SSO).
βCommon Issues & Fixes:
β
βIssue: "User mapping failed for Entra ID"
βFix: Check Microsoft Entra policies that might block API access (e.g., rate limits or conditional access policies).
βIssue: "SentinelOne agent not updating user association"
βFix: Ensure the SentinelOne agent is up-to-date (v23.4.5+ required).
How Does SentinelOne Update User Data?
SentinelOne updates Active Directory (AD) and Entra ID (Azure AD) at regular intervals based on:
Agent Startup β The SentinelOne agent loads on an endpoint.
User Login / Logout β When a user logs in or logs out of a device.
Periodic Refresh β The agent updates every 180 minutes (3 hours).
βImportant Note: Guardz only maps each user once. Subsequent changes to user data are NOT automatically updated.
βNeed to update user info manually?
Manually assigned users will NOT be overwritten by Auto Association.
To change a userβs mapping, remove the existing manual assignment first.
Troubleshooting Auto-Association Issues
Issue: "User not found" in Guardz
Ensure the user exists in the organization profile in Guardz (via M365 or Google Workspace sync).
βIssue: "SentinelOne agent does not report the user"
Check that the device is properly joined to the domain.
Ensure AD or Entra ID integration is active in SentinelOne.
βIssue: "User mapped incorrectly"
If manually assigned, Auto Association will not override manual mappings.
If incorrect, manually remove the user assignment and let the auto-mapping refresh in the next update cycle.
βIssue: "Multiple users logged into the same device"
Auto Association maps only the primary user login session. Shared devices may not have consistent user assignments.
Best Practices & Security Considerations
β Keep SentinelOne updated β Use S1 Agent v23.4.5 or newer to ensure Entra ID compatibility.
β Review Microsoft Entra policies β Avoid security restrictions that block API logins.
β Monitor mapped users in Guardz β Regularly check for accuracy and update manual assignments if needed.
β Use Manual Overrides for Shared Devices β If devices are shared across multiple users, manually assign users when needed.
Stay secure, stay protected! Guardz makes SentinelOne endpoint management easier than ever.