You can configure Netskope One DSPM to automatically sync with your Microsoft Entra ID (Entra ID). This allows you to control which specific employees are imported, map their Entra ID attributes (both default and custom) to Netskope One DSPM fields, and leverage these employee-specific values to trigger policies.
This sync can be a one-time activity or scheduled to refresh Netskope One DSPM data on a regular cadence.
Examples of alerts possible via this feature include:
- Ensure no one in the Marketing department is running queries that return PII.
- Identify specific types of users selecting high volumes of records.
- Closely monitor the behavior of employees who are on a PIP or have given notice.
- Automatically notify your security teams when data usage is detected for terminated employees.
More information on Entra ID is available here.
Configuring Initial Sync
- Log into Netskope One DSPM as any user with the “Admin” role.
- Navigate to User Identity > Employee Management.
- On the top-right of the screen, click Connect to Directory Service.
- The Directory Configuration modal is displayed, starting with Choose Directory.
- Click on the Microsoft Entra ID icon to proceed.

Configure the Directory Integration
To complete this step, you must configure an Entra ID service principal app registration dedicated to Netskope One DSPM’s use. You then need to grant the app registration the following permissions:
- Application.Read.All
- Group.Read.All
- User.Read
- User.Read.All

Now, provide the Netskope One DSPM platform with details on where and how to access your Entra ID. This includes optionally configuring Netskope One DSPM to sync regularly with your Entra ID so the former is always up-to-date with fresh employee data, including newly discovered Entra ID employees.
- On the Provide Credentials tab, provide the following information:
- Name: this is used within Netskope One DSPM only and can be any friendly name of your choosing.
- Tenant ID: copy from App registration overview page Directory (tenant) ID field
- Client ID: copy from App registration overview page Application (client) ID field
- Client Secret: create a client secret and
- Application ID: copy from App registration overview page Object ID field
- If you do not wish to regularly sync your Entra ID, you can deselect the Sync Enabled toggle. Otherwise, configure the cadence & timing of your choosing.
- Click the Next button.
- The Mapping tab is displayed.
Map Entra ID Attributes to Netskope One DSPM Fields

You can define mappings between Entra ID attributes and Netskope One DSPM fields on the Mapping tab.
For each discovered Entra ID attribute, the Netskope One DSPM Directory Field Name auto-populates to match. You can override these matches by selecting different source Entra ID attributes.
Best practice when mapping between systems:
- Map all Expected Database Usernames. If your Entra ID directory contains a database user name field or Expected DB Usernames field, we recommend mapping it to the Expected Username field.
- In the Entra ID attribute for Expected DB Usernames, include all possible username permutations (comma-separated), e.g., gwashington, washington,george.
- This way, Usernames can be leveraged within Netskope One DSPM for the following downstream activities:
- Linking your directory employees to the Usernames, which Netskope One DSPM discovers while scanning your Data Stores.
- Over-privilege analysis for said linked employees.
- Matching the database and/or employee user name within Policy Conditions triggers the creation of Alerts and Tasks.
- Be sure to map employee status. This way, its value can also be leveraged within Netskope One DSPM to trigger the creation of Alerts & Tasks, such as flagging the continued activity of terminated employees.
- Remove unnecessary mappings. If the Netskope One DSPM destination field is not required (marked with a red asterisk) or used in your Policy Conditions, we recommend you remove its mapping entirely by clicking the Delete icon.
- Do not map your Entra ID attributes more than once.
Once your mappings are set, click the Next button.
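To make the mapping best practices concrete, here is an added illustration (not Netskope code; the employee field names, event format and case-insensitive matching are assumptions) of how a comma-separated Expected DB Usernames attribute and a mapped employee status can link directory employees to discovered database logins and drive the alerts described above, including the ambiguous case where two employees claim the same username:

```python
# Added illustration, not part of the Netskope One DSPM product. All data below
# is constructed; field names and the case-insensitive match are assumptions.

# Constructed sample of synced directory records (after mapping).
EMPLOYEES = [
    {"email": "gwashington@example.com", "department": "Marketing",
     "status": "Active", "expected_db_usernames": "gwashington, washington,george"},
    {"email": "jadams@example.com", "department": "Finance",
     "status": "Terminated", "expected_db_usernames": "jadams,adams_j"},
]

# Constructed database activity events as a data store scan might report them.
EVENTS = [
    {"db_user": "WASHINGTON", "rows": 120, "contains_pii": True},
    {"db_user": "adams_j", "rows": 5, "contains_pii": False},
    {"db_user": "svc_etl", "rows": 900000, "contains_pii": True},
]

def parse_usernames(value):
    """Split the comma-separated attribute, trimming spaces and dropping empties.
    Lower-casing is an assumption so that case differences do not block a link."""
    return {u.strip().lower() for u in value.split(",") if u.strip()}

def build_username_index(employees):
    """Map each expected username to its employee. A username claimed by two
    different employees is ambiguous and is left un-linked rather than guessed."""
    index, ambiguous = {}, set()
    for emp in employees:
        for user in parse_usernames(emp["expected_db_usernames"]):
            if user in index and index[user] is not emp:
                ambiguous.add(user)
            index[user] = emp
    for user in ambiguous:
        index.pop(user, None)
    return index

def evaluate(events, employees):
    """Return (alerts, unlinked_logins): alerts for activity by terminated
    employees and for Marketing users returning PII; logins that match no
    employee are returned separately, as on the Un-Linked Users tab."""
    index = build_username_index(employees)
    alerts, unlinked = [], []
    for ev in events:
        emp = index.get(ev["db_user"].lower())
        if emp is None:
            unlinked.append(ev["db_user"])
            continue
        if emp["status"].lower() == "terminated":
            alerts.append(("terminated_employee_activity", emp["email"]))
        if emp["department"] == "Marketing" and ev["contains_pii"]:
            alerts.append(("marketing_pii_query", emp["email"]))
    return alerts, unlinked
```

Running `evaluate(EVENTS, EMPLOYEES)` on the constructed data links two of the three logins, raises one alert per policy, and leaves the service account un-linked.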
Include / Exclude Specific Employees

After setting up mapping, you will use the Include/Exclude Users tab to define which employees will be synced to Netskope One DSPM.
Within Entra ID, you can group users based on common or shared traits. In turn, you can configure Netskope One DSPM to import all employees, or just those within specific Entra ID Groups. For example, you might organize all employees with database access into an Entra ID Group named “Data Owners”, then configure Netskope One DSPM to import just those privileged employees.
You can use two methods to sync employee groups from Entra ID: manual sync (by selecting Sync Groups) or CSV upload. Manual sync supports up to 50,000 Entra ID Groups, and CSV upload supports an unlimited number of Entra ID Groups. We recommend manual sync when you have fewer than 1,000 groups and CSV upload when you have more than 1,000.
Sync Groups:
- Click Sync Groups. Close the modal and sync will run in the background. You will be notified when groups are loaded and ready to select.
- The left side displays your Entra ID Group picklist.
- Use the selectors and include and exclude buttons to decide which Entra ID Groups to include.

- If you wish to import all, select and include “Everyone”
- Otherwise, select one or more Entra ID Groups. In the example above, only the "Netskope One DSPM-users" group members will be imported into Netskope One DSPM.
- Once complete, click the Save button.
CSV Upload:
- Click Upload CSV.
- Drag and drop or upload your CSV file.
- For guidance on exporting groups and populating the CSV file, read Bulk download a list of groups in Microsoft Entra ID.
- The file should only contain the specific Entra ID Groups you want included in Netskope One DSPM's Employee Management feature.
- Note that any duplicate Entra ID Groups will be automatically de-duped during the sync.
- Click SAVE to close the modal, and the sync will run and complete in the background.
- You'll see the Success banner once your Entra ID Groups have successfully uploaded.
- All uploaded groups will automatically import and sync to the Employee Management page.
Once complete, the Entra ID Configuration modal will auto-dismiss, and your included Entra ID employees will now be listed in Netskope One DSPM’s Employee Management screen, specifically within the All Employees tab. This will include any new columns from your mappings. Employees synced from Entra ID are kept separate from any database users discovered by the Netskope One DSPM platform.
Going forward, the employees listed in the Netskope One DSPM Employee Management screen will reflect the matching Entra ID Group configurations and be refreshed after every scheduled sync. More information on Entra ID Groups is available here.
The Un-Linked Users tab is used when mapping imported Employees to the Usernames which Netskope One DSPM has discovered. For more information on this feature, please visit here.
Sync Behavior & Maintenance
Details on your sync schedule are displayed at the top of the Employee Management screen. To make changes to any portion of your configuration, click the Edit icon to once again display the Entra ID Configuration modal.

Changes made within the source Entra ID will be available within Netskope One DSPM each time a sync is performed. If you delete an employee within your Entra ID, their corresponding record will still remain in Netskope One DSPM, but it will be styled on-screen to indicate this scenario.
If you no longer wish to use the Entra ID integration, you can remove it by clicking the Delete icon. Note that doing so will remove all employees previously brought over from Entra ID, which may affect other parts of the platform, such as policy triggering.
Limitations
At this time, current limitations include:
- You can connect to a single Microsoft Entra ID.
- You can map a single database Username attribute.