This article is based on SentinelOne community documentation about LDAP and Entra for the purpose of identifying user accounts.

This guide explains how Guardz automatically maps SentinelOne (S1) endpoints to users using LDAP and Entra ID (formerly Azure AD).

✅ Why is this important?

This feature is compatible with both Guardz Managed SentinelOne (S1) and BYO-S1 (Bring Your Own SentinelOne).

The Auto Association feature in Guardz maps SentinelOne endpoint data to known users in your organization profile (from Microsoft 365 & Google Workspace).

Guardz relies on SentinelOne’s ability to retrieve user login information from:
1️⃣ LDAP / Active Directory (AD) – No additional setup is required in Guardz.
2️⃣ Entra ID (Azure AD) – Requires specific permissions & conditions to function properly.

Once SentinelOne retrieves the logged-in user information, Guardz automatically assigns the endpoint to the correct user in your organization.

✅ Fully automated – No setup is required in Guardz.
✅ SentinelOne will pull user data automatically if AD integration is enabled in your environment.
✅ No configuration of an AD server is needed within Guardz.

💡 Note: Guardz does not provide technical support for LDAP-specific issues within SentinelOne.

⚠ Entra ID auto-association requires additional conditions to function correctly.

✅ SentinelOne Agent Version – The S1 agent must be v23.4.5 or later.
✅ Entra Graph API Access – Logins must not be throttled, blocked, or restricted by Microsoft security policies.
✅ User Login Method – Users must log in individually to their endpoints using M365 credentials (SSO).

💡 Common Issues & Fixes:
​
🚨 Issue: "User mapping failed for Entra ID"
🔧 Fix: Check Microsoft Entra policies that might block API access (e.g., rate limits or conditional access policies).

🚨 Issue: "SentinelOne agent not updating user association"
🔧 Fix: Ensure the SentinelOne agent is up-to-date (v23.4.5+ required).

SentinelOne updates Active Directory (AD) and Entra ID (Azure AD) at regular intervals based on:

1️⃣ Agent Startup – The SentinelOne agent loads on an endpoint.
2️⃣ User Login / Logout – When a user logs in or logs out of a device.
3️⃣ Periodic Refresh – The agent updates every 180 minutes (3 hours).

⏳ Important Note: Guardz only maps each user once. Subsequent changes to user data are NOT automatically updated.

🚀 Need to update user info manually?

🔹 Issue: "User not found" in Guardz
✅ Ensure the user exists in the organization profile in Guardz (via M365 or Google Workspace sync).

🔹 Issue: "SentinelOne agent does not report the user"
✅ Check that the device is properly joined to the domain.
✅ Ensure AD or Entra ID integration is active in SentinelOne.

🔹 Issue: "User mapped incorrectly"
✅ If manually assigned, Auto Association will not override manual mappings.
✅ If incorrect, manually remove the user assignment and let the auto-mapping refresh in the next update cycle.

🔹 Issue: "Multiple users logged into the same device"
✅ Auto Association maps only the primary user login session. Shared devices may not have consistent user assignments.

✔ Keep SentinelOne updated – Use S1 Agent v23.4.5 or newer to ensure Entra ID compatibility.
✔ Review Microsoft Entra policies – Avoid security restrictions that block API logins.
✔ Monitor mapped users in Guardz – Regularly check for accuracy and update manual assignments if needed.
✔ Use Manual Overrides for Shared Devices – If devices are shared across multiple users, manually assign users when needed.

🚀 Stay secure, stay protected! Guardz makes SentinelOne endpoint management easier than ever. 🔐