Gartner recommended critical IAM capabilities in AD360

• Identity life cycle management and fulfillment: Streamline the identity management of users, including those of temporary employees or contractors, using automated user life cycle management for provisioning, role changes (reprovisioning), and deprovisioning user accounts.
• Entitlement management: Eliminate redundancy and human errors and improve business processes by automating entitlement management.
• Approval-based workflows: Build purpose-oriented business workflows. Create the required levels of approval by including the rights of the stakeholders. Define the approval flows for business processes, such as user account creation, modification, or permissions management.
• Real-time change auditing: Get audit reports on privileged user activity, insider threat detection, and root cause analysis. Monitor and be notified about logons activity and ACL or password changes. Also, audit Azure AD, removable storage, workstations, servers, files, and folders. Generate out-of-the box reports for mandates like the GDPR, SOX, PCI, HIPAA, FISMA, and GLBA.
• Policy and role management: Set up role-based access control to define and assign granular roles for stakeholders, enforce the principle of least privilege, and distribute duties of privileged accounts to prevent privilege escalation.
• Access certification: Review user access rights with detailed reports and ensure they comply with the internal security policy.
• User authentication methods: Avoid impersonation attacks using biometrics and other advanced authentication methods. Step up your security by implementing MFA to access endpoints and applications.
• Adaptive authentication: Enforce risk-based adaptive authentication using factors such as user location, IP address, time of previous logon, or device footprint.
• SaaS application enablement: Set up SAML 2.0-based SSO for hundreds of enterprise SaaS applications, like Salesforce, ServiceNow, and Slack.
• Nonstandard application enablement: Configure custom scripts that facilitate identity provisioning for in-house applications. Go beyond mainstream target systems like AD, Azure AD, and Office 365 and extend AD360’s IAM capabilities to ServiceNow, Salesforce, and other third-party applications.
• Access requests: Enable self-service group management through which users can request membership to AD groups to gain access to a set of specific IT resources. By enabling an approval workflow for self-service group management, application and resource owners can control who gets to be a member of a particular group.
• Reporting and ML-based user behavior analytics: Detect, investigate, and mitigate threats, such as malicious logins, lateral movement, malware attacks, and privilege abuse, with ML-based user behavior analytics; remediate these threats and more with automated responses.
• Ease of deployment: No prerequisites or complicated deployment. Start managing identities in your on-premises, cloud, or hybrid IT environment within minutes.
• API target enablement: Facilitate the sharing of data between AD360 and any third-party application or web service with REST APIs.
• High availability: Ensure high availability in case of system and application failures. High availability is achieved through automatic failover; when the AD360 service running on one machine fails, another instance of the AD360 service running on a different machine will automatically take over.

• ADManager Plus: AD, Exchange, and Microsoft 365 management and reporting.
• ADSelfService Plus: Self-service password management, and SSO and MFA implementation.
• ADAudit Plus: UBA-driven auditing and threat detection for AD, file servers, and Windows Servers.
• Exchange Reporter Plus: Reporting, auditing, monitoring, and content searching for Exchange Server, Exchange Online, and Skype for Business.
• M365 Manager Plus: Management, reporting, auditing, monitoring, automation, and alerting for Microsoft 365 services.
• Recovery Manager Plus: Enterprise backup and restoration for AD, Microsoft 365 and Exchange, Azure, and Google Workspace servers.

Perform AD and Azure AD security auditing:

• Audit critical changes in your Windows environment, such as modifications to AD users, groups, GPO settings, the schema, FSMO roles, sites, and other objects.
• Monitor changes to local administrative group memberships, local users, user rights, local policies, scheduled tasks, and processes on your member servers.
• Gain full visibility into Azure AD changes, such as modifications to users and devices, group memberships and roles, applications, and licenses.
• Track successful and failed logons, account lockouts, logons from disabled accounts, MFA-enabled logon failures, and more.

Perform user activity monitoring:

• Track privileged user activities; monitor the active and idle time spent by employees at their workstations; monitor user logons; and be notified about sudden, atypical user login behavior, such as an unusual login time, by tracking deviations from the baseline.

Perform real-time file access auditing:

• Monitor privilege abuse by tracking accesses in real time to see who changed which file or folder, when, and from where across Windows, NetApp, EMC, Synology, Huawei, and Hitachi file systems.

Reduce password reset-related help desk calls:

• Enable self-service password resets and account unlocks regardless of whether users are in the office, on the move, or at home.
• Remind users of their upcoming AD password or account expiration date via email, SMS, or push notifications. Send multiple notifications at regular intervals so alerts don’t go unnoticed, ensuring users change their passwords before they expire.

Enhance password security:

• Greatly enhance security by using factors like IP address, business hours, device used, or geolocation to enforce access control decisions automatically.
• Add MFA for cloud application, VPN, virtual desktop infrastructure, machine (Windows, Mac, and Linux), Outlook Web Access (OWA), and Exchange Admin Center logins.
• Enforce fine-grained password policies with stronger password settings to privileged users.
• Prevent employees from using passwords that have previously been exposed.

Enable data backup and recovery:

• Back up all AD objects, like users, groups, GPOs, OUs, Exchange attributes, DNS records, computers, and contacts, at regular intervals and restore them either partially or completely.
• Track, locate, and revert any unwanted modifications to AD objects, DNS configurations, mailbox items, and other Exchange- and M365-related attributes.
• Roll back your entire AD and Azure AD, individual objects, or even specific attributes to a previous backup point and undo all changes made after that point.
• Hold backup data for a defined retention period, and discard the oldest full backup to save storage space.
• Perform recovery operations without having to restart domain controllers (DCs), ensuring the DCs are continuously available.

Enhance AD password management:

• Reset passwords in bulk across AD, Exchange Server, Microsoft 365, Google Workspace, and Lync or OCS environments.
• Automate periodic password changes for users, set unique passwords for multiple users at once, and perform password management from built-in reports.

Detect and resolve AD account lockouts faster with real-time alerts:

• Get instant notifications when critical user accounts are locked'out with details such as locked out time and which machine they used.
• Analyze and troubleshoot account lockouts effectively by tracking down the source of authentication failure.

Create an approval-based workflow for password reset requests:

• While enabling self-service for employees, redirect help desk tickets to your IT service provider and define who should review and approve the tickets.
• Stay in control of AD automation by receiving notifications via email or SMS about the execution of any automated task.

Track employee activity in real time:

• Track when employees log on and log off in real time, and detect privilege abuse by monitoring user activity.
• Keep a close eye on users in your enterprise by continuously auditing user accounts to discover improper, accidental, or even malicious changes.
• Ensure accountability by maintaining a foolproof record of all file accesses and modifications along with all AD object modifications and user login information.

Perform identity life cycle management:

• Provision, modify, and deprovision accounts and mailboxes for multiple users at once across AD, Exchange servers, Microsoft 365 services, and G Suite from a single console.

Perform privilege management:

• Protect important files and groups containing business-critical information and prevent accidental or intentional misuse of privileged resources by being vigilant about users' access rights. Elevate the access rights only for trusted users and check on them regularly using predefined reports.
• Set up a secure environment where trusted users are temporarily granted permission to access certain files, folders, and groups, and ensure users have only the required rights.
• Generate and export reports on access permissions for all NTFS folders and files and their properties for Windows file servers and NetApp servers to quickly view and analyze file-level security settings applied to critical files and folders in their environments.

Perform user life cycle management and automation:

• Effortlessly generate a list of inactive user accounts, disabled user accounts, and expired user accounts in the form of reports and delete or disable these accounts in bulk instantly.
• Automate critical tasks, specify how often you want automations to run, and view a history of automations to keep track of the status of all automations. View when the automation was run, the total number of tasks it includes, which of them are pending, and which of them have been executed.

Enhance password security:

• Enable SSO and MFA for all SAML-based applications, which allows users to use just one set of credentials to access all their commonly used applications.
• Leverage a multi-platform password synchronizer to automatically synchronize Windows AD and Azure AD password resets, changes, and account unlocks for user accounts across multiple other platforms, such as Google apps, M365, Salesforce, Zoho, Zendesk, and ServiceNow.

Roll back AD changes:

• Undo any changes made to AD that are detected by ADAudit Plus through periodic backups of AD data. Roll back AD objects, like users, groups, GPOs, OUs, Exchange attributes, DNS records, computers, and contacts, to an earlier state and undo any changes performed.
• Compare backup snapshots across multiple versions to get an overview of all previous values and the current value of an AD object before you perform any restoration.
• Perform recovery operations without having to restart DCs, ensuring continuous availability for the DCs.

Manage mailboxes:

• Configure remote mailboxes in Exchange while creating new AD accounts for users individually or in bulk using a CSV file.
• Add multiple email addresses for users while ensuring they all map to the same mailbox; enable or disable Exchange services attributes, including Outlook Mobile Access, OWA, POP3, and IMAP4; and set delivery restrictions on the size of the emails users send and receive.
• Easily set or reset the "send on behalf" and forwarding addresses.
• Change the storage limits of users' mailboxes.
• Migrate mailboxes in bulk to the required Exchange server and delegate the migration task accordingly. Set mailbox rights in bulk using templates, and manage Exchange Servers 2003, 2007, 2010, and 2013.

Enforce better cloud security with granular password policies:

• Create and manage password policies for multiple cloud applications, including Exchange Online, from a centralized console—no more jumping between multiple cloud applications every time your organization's IT security policy changes.
• Extend AD password policy controls to cloud applications, like Exchange Online; enforce tighter password policies on privileged accounts and implement more lenient password policies on normal user accounts.
• Extend the granular password policy controls that govern AD to cloud applications, and ensure that the passwords for all accounts have the same complexity rules, expiration dates, etc. This makes password management easier for both end users and administrators, and it greatly reduces password-related issues.

Back up mailbox items, perform granular restorations, and stay compliant with retention policies:

• Back up mailboxes and mailbox items, such as emails, calendar entries, contacts, journals, notes, posts, tasks, draft emails, deleted items, junk mail, outgoing emails, permanently deleted items, and all group mailboxes, and archive mailboxes from both on-premises Exchange Server and Exchange Online tenants.
• Restore entire mailboxes or specific mailbox items to the same mailbox they were backed up from or to a different mailbox in the same Exchange Online tenant or Exchange organization. Export an entire mailbox to PST format for archival.
• Define a retention period for your backups, and automatically discard older backups and stay compliant with retention policies.

Perform user management:

• Manage Exchange Server and AD from a single console with runtime mailbox provisioning, deprovisioning, and delegation; set mailbox rights in bulk using templates; and apply multiple Exchange policies, like a sharing policy, a role assignment policy, a retention policy, a Unified Messaging policy, and an ActiveSync policy, all at once.
• Create dynamic distribution groups and configure all their attributes at once, provision new resource mailboxes in Exchange and Microsoft 365, and modify resource mailboxes in Exchange.
• Generate a list of inactive users from ADManager Plus through scheduled reports, automate the process of removing M365 licenses, and control license-related costs.

Enhance password security:

• Extend AD password policy controls to cloud applications, like Exchange Online; enforce tighter password policies on privileged accounts and implement more lenient password policies on normal user accounts.
• Add an extra layer of protection for Microsoft 365 users by enabling MFA. In addition to Windows credentials, users logging in for Microsoft 365 SSO can be required to use other authentication factors, such as verification codes, Duo Security, biometric authentication, or Google Authenticator.

Enable M365 backup and recovery:

• Back up all the files and folders in your OneDrive for Business environment and restore them to any of their backed up versions instantly. Users experience no downtime in Microsoft 365 services while their OneDrive data is backed up.
• Preview content, attachments, and documents from Microsoft 365 backups before restoring them.
• Store your Microsoft 365 backups on-premises or in your Azure Blob Storage and Azure file shares.
• Back up just the changes made to mailboxes and sites since the last backup cycle.

Track files and folders in real time:

• Monitor privilege abuse by tracking accesses in real time to see who changed which file or folder, when, and from where across Windows, NetApp, EMC, Synology, Huawei, and Hitachi file systems.

Detect and respond to internal threats:

• Set up a threshold for baseline parameters of user behavior; if the threshold is breached, it may be an indicator of a rogue insider or a hacked account. In such cases, apart from being alerted, you can also set up an incident workflow as a first response to counter these attacks.

Perform identity life cycle management:

• Reset or change user account passwords in bulk, and automate other identity management processes, like provisioning, deprovisioning, and bulk user management.

Enhance password security:

• Enhance your network's security by setting up MFA for endpoint and application logins using methods such as fingerprint authentication or a time-based OTP. You can also set strong password policies to ensure that a weak password doesn't compromise the security of your entire network.

Healthcare sector

Secure confidential PHI:

• Review security incident reports, track changes in real time at the attribute level, spot undesired changes and revert them to the correct value immediately, and track and audit user access to systems that contain protected health information (PHI).
• Find and track sensitive ePHI, monitor file accesses and modifications, and report on overexposed sensitive files.

Achieve HIPAA compliance:

• Ensure effective information security control through continuous and thorough monitoring.
• Always stay in the know with over 200 preconfigured reports to view changes made in the system, track user actions, access data logs, and modify data.
• Prove healthcare compliance with GDPR and HIPAA standards with around-the-clock monitoring and instant email alerts.

Administer granular password policies:

• Enforce fine-grained password policies for OUs and groups, and implement a stringent password policy for privileged users who have access to PHI.
• Prevent users from setting passwords that are dictionary words, easy-to-crack patterns, or passwords that have been compromised due to data breaches.

Implement MFA:

• Enforce MFA for different users based on domain, OU, or group memberships, all while ensuring a seamless login experience.

Privilege assignment and monitoring:

• Assign only the required level of access to a patient's health information to doctors, nurses, health insurance executives, and others who are directly responsible for that patient.
• Identify and get alerts on telltale signs of privilege abuse, such as unusually large volumes of file modifications or attempts to access critical files.
• Spot privilege escalation attacks by monitoring and auditing changes made to security groups.

Monitor access to sensitive financial data:

• Get information regarding who changed which file or folder, when, and from where, along with failed attempts to change a file, across your Windows, NetApp, EMC, Synology, Huawei, and Hitachi file systems.
• Keep tabs on data access rights by monitoring folder owner and permission changes, and be alerted about changes to critical files and folders via email and SMS.
• Prevent inappropriate access to financial data by leveraging ADAudit Plus' machine learning capabilities to spot unusual volumes of file changes and changes occurring at unusual times.

Analyze and refine share permissions with NTFS reports:

• Gain complete visibility and prevent unauthorized access to NTFS partitions and shares with preconfigured access permissions reports for folders, files, and server shares.
• See which users and groups have access to folders in a specified path with predefined reports on AD access control permissions for users and groups.
• Track failed attempts to access or modify files and folders, which are often the first sign of a security threats, with around-the-clock auditing.

Spot suspicious user behavior:

• Leverage machine learning and statistical analytics to create a baseline of normal behavior specific to each user and get instant alerts when deviations from this norm are observed.
• Detect anomalies instantly in user logons, account lockouts, and permission changes, and actively respond to threats by configuring automatic responses to incidents.
• Leverage continuous privileged user activity monitoring to audit administrator activity, track privileged user access to critical data, and detect privilege escalation and lateral movement patterns.

Compliance management:

• Stay compliant using out-of-the-box, automated reports for regulations such as FISMA, NIST, GPG 13, CJIS, ISO20000, ISO 27001, GDPR, CPRA, and LGPD.

Privilege assignment and monitoring:

• Assign only the required level of access to sensitive documents to officials based on their authority.
• Identify and get alerts on telltale signs of privilege abuse, such as unusually large volumes of file modifications or attempts to access critical files.
• Spot privilege escalation attacks by monitoring and auditing changes made to security groups.

Implement MFA:

• Enforce MFA for different users based on domain, OU, or group memberships, all while ensuring a seamless login experience.

Administer granular password policies:

• Enforce fine-grained password policies for OUs and groups, and implement a stringent password policy for privileged users who have access to sensitive personal information.
• Prevent users from setting passwords that are dictionary words, easy-to-crack patterns, or passwords that have been compromised due to data breaches.

Back up and recover your data:

• Keep all your critical information and AD configurations backed up in case they need to be restored.
• Perform recovery operations without having to restart DCs, ensuring continuous availability for the DCs.

• User behavior analytics : "AD360 comes with a strong set of auditing features...The focus is on optimizing administrative processes and identifying critical entitlements, orphaned accounts, and fraudulent user behavior. Part of this are the UBA capabilities that are [in] AD360. Based on that, the behavior of users can be monitored and outliers can be identified easily. The technology is based on ML algorithms."
• Approval workflows: "Workflows finally help in managing access beyond the IT team. AD tasks can result in tickets that are used in multi-stage workflows. This also allows for creating user request portals for various types of users, approvals of entitlement requests by the responsible managers, or approvals for controlled access to file shares."
• Task automation: "AD360 delivers more in-depth integration with the supported target environments, e.g. by supporting the creation of Microsoft Exchange mailboxes and automating other types of typical tasks in these environments. Thus, it also can serve as an extension to standard IGA tools by delivering in-depth management of AD and some of the connected systems."

The application server

AD360's application server comprises of a Tomcat server that:

• Manages AD360's individual components: AD360's various components are in constant communication with each other. This ensures that if you make any changes to one of the components, such as modifying the domain settings or admin credentials, the changes are synced across all the other components.
• Provides a holistic reporting view: AD360 gives you a bird's-eye view of your entire IT environment by gathering information and reports from all the components and displaying them in a centralized console using easy-to-read charts and graphs.
• Sends out email alerts: The AD360 server communicates with email servers to send alerts on license expiration, product downtime and startup, product updates, and more.

Communication process between modules

• To log in to the web client, users have to verify themselves as detailed in the authentication section below.
• Whenever the user tries to view a report or update the administration settings (domain configuration, admin credentials, reverse proxy, auto-update, and more), the client sends a request to the AD360 web server. Communication between the client and the AD360 web server can be secured by enabling HTTPS after applying an SSL certificate.
• Based on the request received from the client, the AD360 web server swings into action. It makes a REST API call to the respective components to fetch the reports or, if there's an update in the administration settings, it stores the necessary details in the product database and then makes a REST API call to the integrated components to sync the changes across all of them.

User roles and their authentication

AD360 supports two user roles:

• Administrators
• Technicians

Administrator login

• An administrator account is verified using product authentication, and the credentials are stored in the database and encrypted with the bcrypt algorithm.
• When the user tries to log in, the AD360 web server uses the Java Authentication and Authorization Service to fetch the credentials stored in the database.
• If the credentials entered by the user and those fetched from the database match, the user will be successfully logged in.

Technician login

• A technician’s identity is verified using domain authentication.
• Once the user enters their credentials, the AD360 web server uses LDAP to communicate with AD.
• The user will be granted access to the product once AD verifies the user.
• Additionally, the administrator can also enable SSO with AD or smart card authentication for technician logins.

Technology used

• The client side of the application is developed using Ember.js.
• The server-side framework is developed using Jakarta Servlet.
• AD360 uses Java Database Connectivity to connect to pgSQL and MS SQL databases. It also allows servers to communicate using HTTP or HTTPS.