Microsoft 365 tenant users
How Safetica syncs, identifies, and manages users from your Microsoft 365 tenant.
✍️To begin syncing users from Microsoft 365, you first need to connect your tenant. Learn more about connecting a Microsoft 365 tenant here.
✍️After your tenant is connected, user syncing typically completes within 5–10 minutes.
Where to find users synced from your Microsoft 365 tenant
In the user tree
After you connect an M365 tenant, its users and security groups will appear in the user tree under the Cloud users team. You will find 2 entities there:
- Tenant users: Users found in your Microsoft 365 tenant. All cloud users are listed here, even if they already appear somewhere else in the user tree, so you may see duplicates.
- External users: Users that are not part of your Microsoft 365 tenant. When they handle files in your tenant (e.g., sharing, downloading, or uploading), their actions are recorded under the External user entity. There are 3 types of external users:
  - Anonymous users: Unnamed users that opened an anonymous link. Safetica does not know their identity.
  - External users: Users not licensed in your Microsoft 365 tenant, but whose identity Safetica can determine (e.g., you share a file with an email address outside your tenant; the address is then verified via a link, so Safetica can identify the user by that email address).
  - Guest users: Users who are not licensed in your Microsoft 365 tenant, but were invited to it under their own accounts from different tenants.
In the Users section
Tenant users also appear in the Users section.
Tenant security groups appear in the Users > Teams tab.
❗Teams imported from Entra ID are highlighted with a blue tree icon. These teams cannot be edited in any way (they can't be removed, moved, or renamed, and you can't add or remove users or child teams).
How to protect and control external users
To protect all external users at once: Create a policy and apply it to the External user entity.
To protect individual guest users: First, make the guest user part of your tenant by assigning them an M365 license. Then assign them a Safetica license. After that, you can protect and control them the same as any other tenant user.
How Safetica identifies users
Understanding how Safetica recognizes users is important, especially in environments that use both on-premises Active Directory and Microsoft Entra ID.
User identity types
Safetica identifies users based on security identifiers (SIDs) reported by devices. There are two types:
- On-premises SID (format: S-1-5-21-...): Assigned by your local Active Directory. Reported when a user signs in with an AD domain account.
- Cloud SID (format: S-1-12-1-...): Assigned by Microsoft Entra ID. Reported when a user signs in with an Entra ID (cloud) account.
Each time a device reports user activity, Safetica looks at the SID to determine which user object to associate it with.
How Entra ID sync links identities
When you configure Entra ID sync in Safetica (via your Microsoft 365 tenant), Safetica pulls user information from Entra ID. If a user in Entra ID is also linked to an on-premises AD account (via Microsoft Entra Connect), Safetica can pair both SIDs to a single user object.
A correctly paired user object will have both fields populated:
- cloud_sid - the Entra ID SID
- onprem_sid - the Active Directory SID
This paired object will appear under Cloud users in the correct team, and can be used for policies and auditing.
What ends up in the Unknown folder
The Unknown folder contains user objects that Safetica could not match to any synced Entra user. This can happen in several scenarios:
- Entra users reported before sync was enabled: If a device reports a user signing in with their Entra ID account, but that user has not yet been synced into Safetica via the Entra sync, a new user object is created in Unknown. Once you enable Entra sync and that user is pulled in, the object should be matched and moved into Cloud users.
- AD/domain users and local users: Cloud-hosted Safetica supports organizational sync only through Entra ID. There is no Active Directory sync feature. If a device reports a user signing in with a local Windows account or an on-premises AD domain account that is not linked to an Entra ID identity, that user object will land in Unknown and stay there. There is no mechanism to automatically move these to a team. For local accounts, each local account on every computer creates its own separate user record, even if the name is the same across devices.
- Same person, different identity types on different machines without Entra sync: If the same person signs into one computer with their AD account (producing an on-premises SID) and into another computer with their Entra ID account (producing a cloud SID), and Entra sync is not active, Safetica will create two separate user objects. Without Entra sync, Safetica has no way to know they belong to the same person. However, if Entra sync is enabled and the user is included in it, the sync should pair both SIDs to a single user object and prevent this duplication.
| Scenario | What happens in Safetica |
|---|---|
| User signs in with Entra ID account, Entra sync is active | ✅ Matched to the correct synced user object under Cloud users. |
| User signs in with Entra ID account, Entra sync is not yet active | New user object created in Unknown. Should be matched and moved into Cloud users once Entra sync is enabled and that user is pulled in. |
| User signs in with AD domain account, linked to Entra via Entra Connect, Entra sync active | ✅ Matched to the paired user object (which has both on-premises and cloud SIDs). |
| User signs in with AD domain account, no Entra sync or user not in Entra | New user object created in Unknown. Stays there. No AD sync available in cloud-hosted Safetica. |
| Same person uses AD account on one machine and Entra account on another, no Entra sync | ❗ Two separate user objects are created. Without Entra sync, Safetica has no way to link the two identities. |
| User signs in with a local Windows account | Each local account on every computer will have its own separate record, even if the username is the same across devices. |
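The SID rules and the scenario table above, as an added Python example (not Safetica's code): classify_sid labels a reported SID, entra_objectid_to_sid derives the S-1-12-1 cloud SID from an Entra object ID (a documented property of Entra SIDs, not something this article states), and resolve replays sign-in reports against synced user objects with and without Entra sync. All identities are constructed, the GUID is a sample value, and the SyncedUser/resolve model is an assumption about Safetica's internal matching, included only to illustrate the table.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

def entra_objectid_to_sid(object_id: str) -> str:
    """Derive the S-1-12-1 cloud SID from an Entra ID object ID (GUID): the four
    sub-authorities are the GUID's 16 bytes, in Guid.ToByteArray() order (which
    Python's bytes_le reproduces), read as little-endian uint32 values."""
    chunks = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return "S-1-12-1-" + "-".join(str(c) for c in chunks)

def classify_sid(sid: str) -> str:
    """Label a device-reported SID by the identity type the article describes."""
    if sid.startswith("S-1-12-1-"):
        return "cloud"  # Entra ID account
    if sid.startswith("S-1-5-21-"):
        return "nt"     # on-premises AD domain account or local Windows account
    return "other"

@dataclass
class SyncedUser:
    name: str
    cloud_sid: str
    onprem_sid: Optional[str] = None  # set when Entra Connect links an AD account

def resolve(events, synced_users, entra_sync_active=True):
    """Map (device, sid) sign-in reports to user objects per the scenario table.
    Synced objects are keyed by name; every unmatched SID becomes its own
    Unknown object, which is exactly how duplicate objects for one person arise."""
    index = {}
    if entra_sync_active:
        for u in synced_users:
            index[u.cloud_sid] = u.name
            if u.onprem_sid:
                index[u.onprem_sid] = u.name
    result = {}
    for device, sid in events:
        key = index.get(sid, f"Unknown/{sid}")
        result.setdefault(key, []).append(device)
    return result

# Constructed sample data (hypothetical identities): Alice signs in with her AD
# account on PC-1 and her Entra account on PC-2; PC-3 reports a local account.
ALICE_CLOUD_SID = entra_objectid_to_sid("73d664e4-0886-4a73-b745-c694da45ddb4")
ALICE_ONPREM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SYNCED = [SyncedUser("alice", ALICE_CLOUD_SID, ALICE_ONPREM_SID)]
EVENTS = [("PC-1", ALICE_ONPREM_SID), ("PC-2", ALICE_CLOUD_SID),
          ("PC-3", "S-1-5-21-4444444444-5555555555-6666666666-1001")]
```

Comparing the SID a device reports with the value derived from the user's Entra object ID is a quick way to confirm which object an activity record will attach to before chasing a suspected duplicate.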
Duplicate user objects
Why duplicates appear
Duplicate user objects are created when the same person is reported to Safetica under more than one identity. The most common causes are:
- Safetica Client was installed to devices before Entra sync was configured, so users were reported under identities that could not yet be matched.
- A user signs into different devices using different identity types (e.g., AD on one, Entra on another) while Entra sync is not active. If Entra sync (with Entra Connect linking the AD and Entra accounts) was enabled before this happened, both identities should be paired to the same user object and the duplicate is prevented.
- Non-persistent or cloned virtual machines (not currently supported) may produce unexpected or duplicate user objects.
What Entra ID sync does not do
It is important to understand the boundaries of Entra sync:
- It does not merge two existing user objects into one.
- It does not delete or hide leftover duplicate objects from the Unknown folder.
- It does not move historical activity records from a duplicate object to the synced one.
- It does not provide Active Directory sync. Only Entra ID sync is supported in cloud-hosted Safetica.
After sync is enabled, new activity will be recorded under the correctly paired user object. But any objects and records created before sync will remain as they are.
❗Safetica does not currently support automatic merging of duplicate user objects or their associated activity records. If a user was active under two separate objects before sync was enabled, the historical records will remain split across both objects.
Non-persistent and virtual desktop environments
❗Cloned and non-persistent environments (e.g., Citrix, VMware Horizon, Azure Virtual Desktop) are not currently supported by Safetica. User identification in these environments may produce unpredictable behavior, including duplicate or unorganized user objects.
Non-persistent virtual desktops (e.g., Citrix, VMware Horizon, Azure Virtual Desktop) or cloned machine images are frequently wiped and recreated. This creates additional challenges for user identification:
- Each time a new VM instance starts, it may report users under their on-premises AD identity before Entra sync can match them. This can create new duplicate user objects in the Unknown folder on an ongoing basis.
- Cloned machine images may produce additional unrecognized or duplicate user objects, though the exact cause may vary by environment.
- Because these machines are destroyed after use, diagnostic logs may not be available to troubleshoot identity issues after the fact.
❗If you need to use Safetica in such an environment, be aware that results might be inconsistent. At a minimum, make sure Entra sync is fully configured and verified before deploying Safetica Clients to these devices, as this may reduce (but not eliminate) duplicate user issues.