Manually Mapping O365 and Network Accounts in Detect

There are two ways to link accounts: automatically, using AD context (the recommended option), or manually, by specifying which cloud domains map to which Kerberos realms.

Manual mapping links a cloud account and a network account that share the same username, by mapping each Kerberos realm to a cloud domain.


How to configure

Go to Settings -> Cognito Saas -> Account Association.

Even if a cloud domain has the same name as a Kerberos realm, you still need to map the two to each other explicitly; a mapping is not inferred from a matching name.

Network Accounts

Network accounts are discovered in Detect by analyzing the client field of Kerberos transaction logs (these can be inspected in Recall).

A Kerberos principal has the format primary/instance@realm:

  • Primary: If the principal represents a user, the primary is that user's username. For a host, the primary is the string "host".

  • Instance: The instance can be used to further qualify the primary, for example, user/

  • Realm: Your Kerberos realm, which is usually a domain name in upper-case letters. For example, a machine in the ABC.COM Kerberos realm has the realm ABC.COM.

Accounts are represented in Detect as "primary@realm", which closely resembles an email address; the realm-to-domain mapping is what turns this into a cloud account name.

O365 Accounts

O365 accounts are identified by the UserPrincipalName (UPN) in Azure AD, so a network account is linked only when its username and mapped domain match a UPN.
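To make the two halves of this concrete, the following is an added example (not Vectra's code and not part of the original page) that parses the Kerberos client field into primary/instance@realm, reduces it to the "primary@realm" form Detect uses, and then applies a manual realm-to-domain mapping to find the matching UPN. The realm mapping, the client values and the UPN list are constructed sample data; the point it shows is that host principals and unmapped realms produce no link, and that a realm must be mapped even when its name equals the cloud domain.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed manual mapping (Kerberos realm -> cloud domain). Note that
# ABC.COM is mapped to abc.com explicitly: a matching name is not enough.
REALM_TO_DOMAIN: Dict[str, str] = {"ABC.COM": "abc.com"}

# Constructed sample Kerberos client fields, as they might appear in
# transaction logs (hypothetical values, not taken from any real log).
KERBEROS_CLIENTS = [
    "jdoe@ABC.COM",                 # plain user principal
    "asmith/admin@ABC.COM",         # user principal with an instance
    "host/ws01.abc.com@ABC.COM",    # host principal, never a user
    "bjones@OTHER.LOCAL",           # realm with no mapping configured
    "dlee@ABC.COM",                 # mapped realm but no UPN in the tenant
]

# Constructed sample Azure AD UserPrincipalNames.
UPNS = ["jdoe@abc.com", "asmith@abc.com", "cwhite@abc.com"]

# primary, optional "/instance", then "@realm"
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split a Kerberos principal into its primary, instance and realm."""
    m = PRINCIPAL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    return Principal(m["primary"], m["instance"], m["realm"])


def network_account(p: Principal) -> str:
    """The 'primary@realm' form Detect uses; the instance is not part of it."""
    return f"{p.primary}@{p.realm}"


def is_host_principal(p: Principal) -> bool:
    """Host principals ('host/...') represent machines, not users."""
    return p.primary == "host"


def link_accounts(
    kerberos_clients: Iterable[str],
    upns: Iterable[str],
    realm_to_domain: Dict[str, str],
) -> Dict[str, str]:
    """Return {network_account: UPN} for every client field that links.

    Realms are compared in upper case and UPNs in lower case, because the
    Kerberos realm is conventionally upper case while UPNs are not
    case-sensitive. Clients that are host principals, belong to an
    unmapped realm, or have no matching UPN are left out.
    """
    upn_index = {u.lower(): u for u in upns}
    links: Dict[str, str] = {}
    for client in kerberos_clients:
        p = parse_principal(client)
        if is_host_principal(p):
            continue
        domain = realm_to_domain.get(p.realm.upper())
        if domain is None:
            continue  # realm not mapped: nothing to link to
        candidate = f"{p.primary}@{domain}".lower()
        if candidate in upn_index:
            links[network_account(p)] = upn_index[candidate]
    return links


if __name__ == "__main__":
    for net, upn in link_accounts(KERBEROS_CLIENTS, UPNS, REALM_TO_DOMAIN).items():
        print(f"{net} -> {upn}")
```

Running it links only jdoe and asmith: the host principal is skipped, bjones sits in a realm that was never mapped, and dlee has no UPN on the cloud side. If a realm appears in the logs but never links anything, that is usually the sign that it is missing from the Account Association mapping.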



