Product: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
Environment: Huntress Portal
Summary: Explains how and when to use the identity refresh button to synchronize users from your Microsoft 365 tenant to a Huntress organization
To function correctly, Huntress Managed ITDR needs to know about the users in your Microsoft 365 tenant. Under normal circumstances, Huntress automatically synchronizes with Microsoft to ensure this information is up-to-date and correct. However, there are certain scenarios where it can be desirable to manually trigger a refresh; this document explains when and how to do this.
How user creation works in Huntress
Microsoft 365 user accounts get created in Huntress in one of two ways:
- A nightly refresh job runs every 24 hours and fully synchronizes user information between the Microsoft 365 tenant and Huntress. This sync is a “pull” from Microsoft; Huntress never makes changes to Microsoft 365 users outside of remediation actions.
- When events appear for a user that doesn’t yet exist in Huntress (most likely because it was created since the last nightly sync), we will create an identity “just in time”. However, these identities don’t have full information until the next nightly refresh takes place.
The nightly refresh updates Huntress with the following information needed for our Managed ITDR product to work:
- User Name
- Microsoft User Principal Name (UPN)
- MFA status
- Account activation status
- On-Premises Sync status
- Current Microsoft license
When to manually refresh identities
Each organization in Huntress that is connected to a Microsoft 365 tenant has a button labeled “Refresh identities” (see below) that can be used to force a synchronization manually. Pressing this button performs exactly the same refresh that is normally performed nightly. This can be useful in the following situations:
- You’ve made changes to one or more user identities in Entra / AD and want to see those changes reflected in Huntress immediately
- There are new users that you have recently created that don’t exist in Huntress or don’t have complete information populated yet
- The information you see in Microsoft doesn’t match what you see in Huntress
Under normal circumstances, this is not necessary; Huntress detection and response will work on new identities without a manual refresh. We suggest using the sync button only when there’s a specific issue you need to address.
How to manually synchronize identities
- Open the M365 dashboard.
- Select “View all Users”.
- Press the “Refresh Identities” button.
- The UI will update when the refresh is complete.