
User Group Membership Synchronization

In this document
  • Overview
  • Limiting Synced Groups (Group Filters)
  • Supported Group Synchronization Scenarios
  • Active Directory Group Synchronization
  • Azure AD (Entra ID) Group Synchronization
  • Hybrid Join Environments
  • macOS with Platform SSO
  • Group Sync Protection
  • Deployment-Level Control

Automatic user group synchronization is one of the most powerful features in DefensX. This article explains how DefensX synchronizes user group memberships, which methods are used in different environments, and how to control or protect group memberships when needed.

Our goal is to make group synchronization automatic, reliable, and maintenance-free, without requiring additional directory sync software.

Overview

In most enterprise environments, user groups are the foundation of access control and policy management. DefensX follows the same model.

However, synchronizing user group memberships is not trivial. Many solutions require:

  • directory-wide synchronization,

  • additional agents or services, or

  • ongoing maintenance, such as special firewall rules to open directory ports.

DefensX takes a different approach.

Key Principles

  • DefensX never synchronizes your entire directory (Active Directory or Azure AD).

  • Group synchronization only happens for users who actively log in to a device where the DefensX Agent is installed.

  • When a user starts using DefensX, their group memberships are detected and synchronized automatically, if possible.

This approach minimizes data collection, reduces complexity, and avoids unnecessary directory dependencies.

Limiting Synced Groups (Group Filters)

By default, users may belong to hundreds of groups, but most DefensX policies and reports only require a subset of them.

For this reason, DefensX allows you to define Group Filters under: Settings → Azure AD & Active Directory

Group Filters control which directory groups are visible and synchronized into DefensX.

Why Group Filters Matter

  • Reduces clutter in policies and reports

  • Improves performance and clarity

  • Ensures DefensX only stores the minimum required identity data

Tip
If you are new to DefensX, you can skip Group Filters initially and configure them later. Once enabled, you can remove unused groups from DefensX with a single click.

Supported Group Synchronization Scenarios

DefensX uses different synchronization methods depending on the device and identity type:

Environment                                 | Sync method
------------------------------------------- | ---------------------------------------
Windows – Active Directory domain joined    | Windows APIs (local)
Windows – Azure AD (Entra ID) device joined | Microsoft Graph API
macOS with Platform SSO                     | Microsoft Graph API
Hybrid Join environments                    | Configurable (AD or Azure AD preferred)

Active Directory Group Synchronization

DefensX does not communicate directly with Active Directory. It does not open LDAP or LDAP-TLS connections, does not store directory credentials, and does not require any firewall changes. DefensX also does not need to know which server is acting as the domain controller or what its IP address is.

All Active Directory interaction is handled indirectly by using regular Windows functions.

Primary Group Retrieval Flow

When a user logs in to a Windows computer that is joined to an Active Directory domain:

  • The DefensX tray application (DefensX.exe) starts automatically in the context of the logged-in user.

  • The tray application invokes a set of standard Windows security APIs as that user.

  • These APIs:

    • confirm that the device is domain-joined,

    • return the user’s security identifiers (SIDs) and group memberships associated with the current logon token.

At this stage:

  • Windows determines which domain controller to contact.

  • Authentication and directory communication are fully managed by the operating system.

  • DefensX receives only the final group membership list produced by Windows.

DefensX never re-authenticates the user, never performs directory queries, and never communicates with Active Directory servers on its own. It simply consumes the group information already resolved by Windows for the active user session.

Fallback When Active Directory Is Unreachable

Active Directory connectivity may be temporarily unavailable due to network issues, offline usage, or missing VPN connectivity. In these situations, the Windows API calls used by DefensX may fail to retrieve live directory data.

When this occurs, DefensX automatically switches to a fallback mechanism:

  • The tray application retrieves the user’s group memberships from Windows’ locally cached data.

  • This cached data represents the last successfully obtained group memberships from Active Directory.

  • The resulting group list is equivalent to what Windows exposes via commands such as whoami /groups.

Cached group information may not include very recent directory changes, but it provides a consistent and valid representation of the user’s last known Active Directory state.

Periodic Refresh and State Recovery

Every 30 minutes, the DefensX tray application repeats the same synchronization workflow:

  • It first attempts to retrieve group memberships using the primary Windows API path.

  • If Active Directory connectivity has been restored:

    • Windows returns current group data,

    • DefensX detects any changes,

    • and the backend is updated accordingly.

This design ensures that:

  • group memberships are not removed due to temporary connectivity failures,

  • cached data is only used as a fallback,

  • and DefensX automatically converges to the most up-to-date Active Directory state once connectivity is available again.

Azure AD (Entra ID) Group Synchronization

For Azure AD (Entra ID) device-joined Windows computers (not workplace-joined), Windows does not expose user group memberships through local security APIs. Because of this limitation, the Active Directory method described earlier cannot be used.

In this scenario, DefensX retrieves user group memberships directly from Azure AD using Microsoft Graph API.

Requirements

Azure AD group synchronization requires the DefensX Azure AD Connector application (c846f97f-f3ae-48e6-8b94-f96ba4afbb8d) to be granted permissions in the tenant.

This configuration is completed under Settings → Azure AD & Active Directory; the details are described in the Configuring the AzureAD Integration article.

How It Works

When a user logs in to a Windows computer that is device-joined to Azure AD:

  • The DefensX tray application (DefensX.exe) starts in the context of the logged-in user.

  • The tray application retrieves Azure AD–related identity information from the local system, including:

    • Azure AD join status,

    • tenant ID,

    • user principal name (email address).

  • This information, along with a DefensX-issued token, is sent securely to the DefensX backend.

  • The backend uses the DefensX Azure AD Connector application to query Microsoft Graph API.

  • Azure AD returns the user’s group memberships, which are then synchronized into DefensX.

All directory communication occurs server-side using the granted Azure AD application permissions.

Hybrid Join Environments

In hybrid environments, users and groups are typically synchronized from on-premises Active Directory to Azure AD. Devices may be:

  • Active Directory domain-joined,

  • Azure AD device-joined,

  • or used interchangeably by the same user.

By default, DefensX behaves as follows:

  • On AD domain-joined computers, group memberships are retrieved using Windows APIs.

  • On Azure AD device-joined computers, group memberships are retrieved using Microsoft Graph API.

Common Challenges in Hybrid Setups

Hybrid environments often introduce additional complexity:

  • Users may log in from multiple devices with different join types.

  • User identifiers may differ between directories, for example:

    • Active Directory username: john

    • Azure AD primary email: [email protected]

  • Organizations may want Azure AD security groups to be the authoritative source, even when users log in to AD-joined machines.

A common request in these environments is to always use Azure AD groups, regardless of the device join state.

Prefer Azure AD for Group Memberships

To address this, DefensX provides the option: Prefer Azure AD for Checking Group Memberships in Hybrid Join Scenarios

This setting is available under: Settings → Azure AD & Active Directory

It can be safely enabled once the DefensX Azure AD Connector application has been granted permissions.

How It Works When Enabled

When this option is enabled:

  • Even if a user logs in to an Active Directory domain-joined computer:

    • DefensX identifies the corresponding Azure AD user,

    • group memberships are retrieved via Microsoft Graph API,

    • Windows-based Active Directory group retrieval is skipped.

  • Azure AD becomes the single source of truth for user group memberships across all devices.

This ensures:

  • consistent group memberships across AD-joined and Azure AD-joined devices,

  • visibility of the latest Azure AD security group changes,

  • elimination of discrepancies caused by one-way directory synchronization.

macOS with Platform SSO

Platform SSO for macOS (via Intune) allows users to sign in using Azure AD identities at the OS level.

When Platform SSO is enabled:

  • DefensX tray application detects the Azure AD user email on the Mac

  • Group memberships are retrieved via Microsoft Graph API

  • The behavior matches Azure AD device-joined Windows systems

This is the recommended configuration for automatic group synchronization on macOS.

Group Sync Protection

By default, DefensX enforces a single source of truth:

  • If a user is synchronized from AD or Azure AD,

  • any manually assigned groups in DefensX will be removed on the next successful sync.

This prevents situations like:

  • a user being a regular employee in AD,

  • but manually marked as a VIP in DefensX months earlier.

When Manual Memberships Are Required

For special cases, DefensX provides the Group Sync Protection feature. To enable it for a group:

  • Go to User Groups

  • Open the three-dot menu for a group

  • Click Edit

  • Enable "Group Sync Protection"


Behavior of Protected Groups

  • Users added (automatically or manually) are never removed by sync

  • Users can only be removed manually

  • Protected groups:

    • display a lock icon

    • appear first in group lists

This option is recommended when manual control must always override directory synchronization.
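The following is an added example, not DefensX code, that models the sync rules described in the Periodic Refresh and State Recovery, Group Filters and Group Sync Protection sections above: a live directory result is reconciled fully (unfiltered and manually assigned groups are dropped), a cache-only pass never removes memberships, no data leaves the state untouched, and protected groups only ever lose users manually. Group and user names are constructed, and the glob-style filter syntax and the additive cache pass are modelling assumptions.

```python
from fnmatch import fnmatch

# Constructed sample configuration (assumptions, not DefensX settings syntax).
PROTECTED = {"VIP"}                        # groups with Group Sync Protection enabled
GROUP_FILTERS = ["DefensX-*", "Finance"]   # assumed glob-style Group Filter patterns


def apply_filters(groups, filters):
    """Keep only directory groups matching a filter; an empty filter list keeps all."""
    if not filters:
        return set(groups)
    return {g for g in groups if any(fnmatch(g, f) for f in filters)}


def sync_once(current, live, cached, filters=GROUP_FILTERS, protected=PROTECTED):
    """One scheduled sync pass. Returns (new_memberships, source_used).

    current: groups the user currently holds in DefensX
    live:    groups from the primary path (Windows APIs / Graph), None if unreachable
    cached:  last known groups (the whoami /groups equivalent), None if nothing cached
    """
    kept = {g for g in current if g in protected}   # protected groups survive every sync
    if live is not None:
        # Successful sync: directory is the single source of truth; manual groups go.
        return apply_filters(live, filters) | kept, "live"
    if cached is not None:
        # Fallback (assumption): cached data adds, but never removes, memberships.
        return set(current) | apply_filters(cached, filters), "cache"
    return set(current), "unchanged"                # no data at all: remove nothing


def run_schedule(current, passes):
    """Apply a sequence of (live, cached) results, as the 30-minute loop would."""
    state, history = set(current), []
    for live, cached in passes:
        state, source = sync_once(state, live, cached)
        history.append((source, sorted(state)))
    return state, history


if __name__ == "__main__":
    start = {"DefensX-Staff", "VIP", "LegacyManual"}   # VIP and LegacyManual set by hand
    offline = (None, {"DefensX-Staff", "Domain Users"})
    online = ({"DefensX-Staff", "DefensX-Admins", "Domain Users", "Finance"}, None)
    final, log = run_schedule(start, [offline, (None, None), online])
    for source, groups in log:
        print(f"{source:9s} {groups}")
```
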

Deployment-Level Control

Each computer in DefensX belongs to a Deployment. By default, deployments have Sync User’s Group Memberships From Active Directory or Azure AD enabled.

This means:

  • When a user logs in, DefensX attempts to synchronize their group memberships automatically.

Disabling Group Sync Per Deployment

If you want to disable group synchronization for specific deployments entirely:

  • Go to Policies → Policy Groups

  • Open the Actions menu for the deployment

  • Click Edit

  • Change the Sync User’s Group Memberships From Active Directory or Azure AD setting

This allows different deployments to use different synchronization behaviors.

www.defensx.com
Secure Industries, Inc 101 Avenue of The Americas, Floor 9 New York, NY 10013