Integrate your Active Directory with BlueXP classification

You can integrate a global Active Directory with BlueXP classification to enhance the results that BlueXP classification reports about file owners and which users and groups have access to your files.

When you set up certain data sources (listed below), you need to enter Active Directory credentials in order for BlueXP classification to scan CIFS volumes. This integration provides BlueXP classification with file owner and permissions details for the data that resides in those data sources. The Active Directory entered for those data sources may be different than the global Active Directory credentials you enter here. BlueXP classification will look in all integrated Active Directories for user and permission details.

This integration provides additional information in the following locations in BlueXP classification:

  • You can use the "File Owner" filter and see results in the file’s metadata in the Investigation pane. Instead of the file owner containing the SID (Security IDentifier), it is populated with the actual user name.

  • You can see full file permissions for each file and directory when you click the "View all Permissions" button.

  • In the Governance dashboard, the Open Permissions panel will show a greater level of detail about your data.

Note Local user SIDs, and SIDs from unknown domains, are not translated to the actual user name.

Supported data sources

An Active Directory integration with BlueXP classification can identify data from within the following data sources:

  • On-premises ONTAP systems

  • Cloud Volumes ONTAP

  • Azure NetApp Files

  • FSx for ONTAP

  • Non-NetApp CIFS file shares (not NFS file shares)

  • OneDrive accounts

  • SharePoint accounts

There is no support for identifying user and permission information from Database schemas, Google Drive accounts, Amazon S3 accounts, or Object Storage that uses the Simple Storage Service (S3) protocol.

Connecting to your Active Directory server

After you’ve deployed BlueXP classification and have activated scanning on your data sources, you can integrate BlueXP classification with your Active Directory. Active Directory can be accessed using a DNS Server IP address or an LDAP Server IP address.

The Active Directory credentials can be read-only, but providing admin credentials ensures that BlueXP classification can read any data that requires elevated permissions. The credentials are stored on the BlueXP classification instance.

For CIFS volumes/file shares, if you want to make sure your files “last accessed times” are unchanged by BlueXP classification classification scans, we recommend that the user has Write Attributes permission. If possible, we recommend making the Active Directory configured user part of a parent group in the organization which has permissions to all files.

  • You must have an Active Directory already set up for the users in your company.

  • You must have the information for the Active Directory:

    • DNS Server IP address, or multiple IP addresses


      LDAP Server IP address, or multiple IP addresses

    • User Name and Password to access the server

    • Domain Name (Active Directory Name)

    • Whether you are using secure LDAP (LDAPS) or not

    • LDAP Server Port (typically 389 for LDAP, and 636 for secure LDAP)

  • The following ports must be open for outbound communication by the BlueXP classification instance:

    Protocol Port Destination Purpose

    TCP & UDP


    Active Directory




    Active Directory

    LDAP over SSL



    Active Directory

    Global Catalog



    Active Directory

    Global Catalog over SSL

  1. From the BlueXP classification Configuration page, click Add Active Directory.

    A screenshot that shows clicking the button to add an Active Directory server into BlueXP classification.

  2. In the Connect to Active Directory dialog, enter the Active Directory details and click Connect.

    You can add multiple IP addresses, if required, by clicking Add IP.

    A screenshot of the dialog where you define the Active Directory you want to integrate with BlueXP classification.

    BlueXP classification integrates to the Active Directory, and a new section is added to the Configuration page.

    A screenshot showing the new Active Directory integrated in BlueXP classification.

Managing your Active Directory integration

If you need to modify any values in your Active Directory integration, click the Edit button and make the changes.

You can also delete the integration if you no longer need it by clicking the More button button and then Remove Active Directory.