Allow User Synchronization for Defender for Cloud Apps

Connector Applicability

Applies to Source Connectors

MS Defender for Cloud Apps

Applies to Destination Connectors

All

Assumptions

These instructions assume you have already set up a source connection in CI Sync for MS Defender for Cloud Apps using the CI Sync instructions here: or Add Azure to SaaS Agent.

Pre-Read

Syncfish recommend customers read the following documentation before changing the Connection Setting(s) described below.

  1. Understanding the use of CI Sync Connection Settings

  2. Rule 2 - Defender for Cloud Apps CI-to-CI Relationships

Locating and Amending the Connection Setting in the CI Sync UI

  1. Navigate to the Settings page

  2. Under the Source Connections heading (list), locate your MS Defender for Cloud Apps connection.

  3. Click the Update link on the right hand side of the MS Defender for Cloud Apps connection.

  4. Scroll down, locate the section heading and view the individual settings beneath it.

[Screenshot: the individual settings listed under the section heading of the MS Defender for Cloud Apps source connection]

The screenshot is provided only as a sample to assist when reading this page. The state of your own CI Sync UI will depend on whether you are starting from the CI Sync default position or have already amended one or more of the settings.

  5. Tick the Override default box (or boxes) and then use the sliders for the individual settings. The following table gives further information about these settings.

Setting: Allow User Synchronization

Type: Slider

Additional Notes:

When enabled, this setting triggers the following:

First, the setting makes the Cloud App relationships selectable on the Relationships page when creating a CI Sync job via the Run UI.

[Screenshot: Cloud App relationships shown as selectable on the Relationships page of the Run UI]

Next, when the synchronization job runs, CI Sync creates relationships in ServiceNow between the Business Application CIs (created from the Cloud Apps read from Defender) and the users of those Business Applications (as discovered and determined by MS Defender for Cloud Apps). The relationships created are many-to-many (i.e. one business application can have many users, and one user can be a user of many business applications).

User Correlation (matching) Information

By default, CI Sync correlates user names from Defender for Cloud Apps to the ServiceNow sys_user table using the sys_user.email address attribute.

The accuracy of correlation is governed by the following:

  1. Defender for Cloud Apps captures the user name of each person accessing a Cloud Application.

  2. In most cases the user name in Defender for Cloud Apps appears as an email address.

  3. However, in some cases the user name appears as a local login name with a “\computername” suffix.

For Defender for Cloud Apps users whose user name does not match a valid sys_user.email address, CI Sync will not be able to correlate them and will skip those records.

For customers who experience this issue, please contact Syncfish to discuss options.
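As an added example (not code from CI Sync or Syncfish), the following Python script mimics the correlation rule described above and the many-to-many relationship building described under Additional Notes, against a constructed Defender for Cloud Apps user list and a constructed sys_user extract. Running something like this in TEST, against a real Defender export and a sys_user export, shows how many Defender users will correlate and how many will be skipped before the slider is enabled in PROD. The Defender-side field names, the case-insensitive email comparison, the sample records and the "\computername" local login example are assumptions made for the illustration; the page does not name the ServiceNow relationship table, so results are expressed as (Business Application, sys_user sys_id) pairs.

```python
"""
Added example (not CI Sync or Syncfish code): a pre-flight check that mimics the
user correlation rule on this page -- Defender for Cloud Apps user names matched
against ServiceNow sys_user.email -- and builds the many-to-many
Business Application <-> user relationship set, skipping user names that do not
correlate. All records below are constructed sample data, and the Defender-side
field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: Defender for Cloud Apps export of (cloud app, user name).
# Two users appear as email addresses; one is a local login name with a
# "\computername" suffix, the form the page says cannot be correlated.
DEFENDER_APP_USERS = [
    {"app": "Dropbox", "user": "alice@example.com"},
    {"app": "Dropbox", "user": "Bob@Example.com"},      # case differs from sys_user
    {"app": "Slack",   "user": "alice@example.com"},
    {"app": "Slack",   "user": "svc_backup\\WS-0421"},  # local login, no email
    {"app": "Slack",   "user": "carol@example.com"},    # not present in sys_user
]

# Constructed sample of the ServiceNow sys_user table (sys_id, email).
SYS_USER = [
    {"sys_id": "0a1b2c", "email": "alice@example.com"},
    {"sys_id": "3d4e5f", "email": "bob@example.com"},
]

# Simple shape check: one "@", no whitespace, no backslash (local logins carry one).
EMAIL_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")


def looks_like_email(user_name: str) -> bool:
    """True if the Defender user name has the shape of an email address."""
    return bool(EMAIL_RE.match(user_name))


def correlate_users(defender_rows, sys_user_rows):
    """
    Match each Defender user name to sys_user.email. The comparison is
    case-insensitive (an assumption of this example, not a documented CI Sync rule).
    Returns (relationships, skipped):
      relationships: sorted list of (app, sys_user sys_id) pairs, i.e. many-to-many
      skipped: list of (app, user_name, reason) for rows that cannot correlate
    """
    by_email = {row["email"].lower(): row["sys_id"] for row in sys_user_rows}
    relationships = set()
    skipped = []
    for row in defender_rows:
        name = row["user"].strip()
        if not looks_like_email(name):
            skipped.append((row["app"], name, "not an email address (local login name)"))
            continue
        sys_id = by_email.get(name.lower())
        if sys_id is None:
            skipped.append((row["app"], name, "no sys_user with this email"))
            continue
        relationships.add((row["app"], sys_id))
    return sorted(relationships), skipped


def coverage_report(defender_rows, sys_user_rows):
    """Summarise how much of the Defender user population will correlate."""
    rels, skipped = correlate_users(defender_rows, sys_user_rows)
    users_per_app = defaultdict(set)
    apps_per_user = defaultdict(set)
    for app, sys_id in rels:
        users_per_app[app].add(sys_id)
        apps_per_user[sys_id].add(app)
    total = len(defender_rows)
    return {
        "total_rows": total,
        "correlated_rows": total - len(skipped),
        "skipped_rows": len(skipped),
        "users_per_app": {a: len(u) for a, u in users_per_app.items()},
        "apps_per_user": {u: len(a) for u, a in apps_per_user.items()},
    }


if __name__ == "__main__":
    rels, skipped = correlate_users(DEFENDER_APP_USERS, SYS_USER)
    for app, sys_id in rels:
        print(f"relationship: {app} <-> sys_user {sys_id}")
    for app, name, why in skipped:
        print(f"skipped: {app} / {name}: {why}")
    print(coverage_report(DEFENDER_APP_USERS, SYS_USER))
```

On the constructed data, three relationships are built (Dropbox to two users, Slack to one) and two rows are skipped: the local login name, and an email address with no sys_user match. The skipped list is the figure to review with Syncfish if it is a large share of your Defender user population.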

  6. After modifying the settings, scroll to the bottom of the page, tick the “I consent…” checkbox and finally click the Save connection button.

  7. You can now run a sync job; the amended settings are applied and the CI Sync Data Sync rules are modified accordingly.

Importantly

Make sure you consciously override the setting against either your TEST or PROD environment (i.e. your TEST vs PROD sync jobs).

For more information on how to use TEST vs PROD Connection Settings please read Understanding the use of CI Sync Connection Settings.

Syncfish strongly recommend making changes for TEST environment/sync jobs first. Only modify PROD related settings after thoroughly validating the intended results in TEST.