The Office 365 Securlet has been activated, but some users are still missing from the CloudSOC user list. However, we can see events in Investigate for these users, but the CloudSOC user section shows as not available.

There are a couple of reasons why CloudSOC did not automatically create the user:

• The users do not have valid Office 365 Subscriptions. Therefore the system did not import them.
• The users may have different OneDrive.Owner Principal Names and Mail Attributes. CloudSOC will create the user profiles based on the mail attribute.
• The users domain is not part of the Primary or Secondary domains of the CloudSOC tenant

The Office 365 Securlet will still scan the activities and perform the content inspection for users with different OneDrive.Owner Principal Names and Mail attributes; however, if the CloudSOC admin target a policy for these users, the admin can manually add these users to CloudSOC.