What is a one sentence summary of your feature request?
Find user principal name (UPN) in local user environment on device and use it for mapping local account to user in Azure Active Directory.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
When attempting to synchronize Netwrix EPP with Azure Active Directory (AAD) to apply policies based on AAD groups, I encountered a critical issue:
EPP is unable to properly map local users (identified by the EPP agent on endpoints) to their corresponding AAD user accounts.
According to the support team, EPP maps users by comparing the local username on the device to the left-hand portion of the AAD User Principal Name (UPN), i.e., the part before the “@” symbol.
However, this method is not reliable for AAD-joined Windows devices, as the local username is typically derived from the user’s Display Name (e.g., “John Smith”), which rarely matches the UPN prefix (e.g., “j.smith”). As a result, the mapping often fails, preventing policies from being applied correctly.
To ensure proper mapping, the EPP agent should instead retrieve the actual UPN from the Windows registry, specifically from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\LogonCache.
On macOS devices, this issue is partially mitigated, as local usernames can be set manually. However, enforcing strict naming conventions across all macOS endpoints is not practical in larger environments. Therefore, relying on local username matching remains an unreliable approach if consistent DLP policy enforcement is required.
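As an added illustration (not Netwrix code and not part of this request), the PowerShell below reads cached Azure AD sign-ins from the LogonCache key named above and contrasts the prefix-only comparison described by support with a comparison on the full UPN. The value names IdentityName, DisplayName and Sid are assumptions about the cache layout; the key needs an elevated shell to read.

```powershell
# Added example. Assumption: each cached identity under LogonCache\<provider>\Name2Sid\<entry>
# exposes the UPN as 'IdentityName' and the display name as 'DisplayName'.
$LogonCache = 'HKLM:\SOFTWARE\Microsoft\IdentityStore\LogonCache'

function Get-CachedAadIdentity {
    # Walk every subkey and keep entries whose IdentityName looks like a UPN (user@tenant).
    Get-ChildItem -Path $LogonCache -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props.IdentityName -and $props.IdentityName -match '^[^@\s]+@[^@\s]+$') {
                [pscustomobject]@{
                    Upn         = $props.IdentityName
                    UpnPrefix   = ($props.IdentityName -split '@')[0]
                    DisplayName = $props.DisplayName
                    Sid         = $props.Sid        # assumed value name
                }
            }
        } | Sort-Object -Property Upn -Unique
}

function Test-PrefixMapping {
    # The current EPP behaviour as described by support: local account name must equal the UPN prefix.
    param([string]$LocalName, [string]$Upn)
    return $LocalName -ieq (($Upn -split '@')[0])
}

function Test-UpnMapping {
    # The proposed behaviour: the agent already holds the full UPN, so it matches the AAD user directly.
    param([string]$DeviceUpn, [string]$AadUpn)
    return $DeviceUpn -ieq $AadUpn
}

# Constructed sample mirroring the request ("John Smith" locally, "j.smith@..." in AAD).
$sample = [pscustomobject]@{ Upn = 'j.smith@contoso.example'; DisplayName = 'John Smith' }
$identities = @(Get-CachedAadIdentity)
if ($identities.Count -eq 0) { $identities = @($sample) }   # fall back to the sample when the cache is empty

foreach ($id in $identities) {
    # On AAD-joined devices the local name is typically the display name without spaces (per the request).
    $localName = $id.DisplayName -replace '\s', ''
    $byPrefix  = Test-PrefixMapping -LocalName $localName -Upn $id.Upn
    $byUpn     = Test-UpnMapping -DeviceUpn $id.Upn -AadUpn $id.Upn
    '{0,-32} local={1,-16} prefixMatch={2,-5} upnMatch={3}' -f $id.Upn, $localName, $byPrefix, $byUpn
}
```

For the sample identity the prefix comparison ("JohnSmith" vs "j.smith") fails while the UPN comparison succeeds, which is the gap the request describes.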
How do you currently solve the challenges you have by not having this feature?
The only alternative is to manually manage user groups in EPP, but this is extremely time-consuming given the size of the organization.