The Enterprise Security Workshop IAM and SIEM in action

• Identity at the Core: The First Line of Cyber Defense
• Why IAM Matters.?
• Challenges with manual provisioning, access sprawl, and audit failures
• Hybrid environments = fragmented identity controls
• Regulatory pressure: SOX, GDPR, RBI, HIPAA, NIST
• Need for automation, visibility, and lifecycle governance
• Identity Lifecycle with AD360

Joiner – Event-Driven Orchestrated Provisioning

• HR system/API triggers a new user creation
• Orchestration handles:
• AD user + Microsoft 365 user creation from a single template
• Group memberships, OU placement, manager setting
• Mailbox creation, license assignment via M365 templates
• Highlight: No manual steps – full joiner flow driven by orchestration rules

Mover – Dynamic Attribute and Access Updates

• Detect changes in user attributes (e.g., department/role/location)
• Automatically update:
• Group memberships
• Microsoft 365 licenses
• Title/Manager info
• Highlight: Event-driven workflow ensures access always aligns with role – no manual intervention

Leaver – Zero-Touch Offboarding with Notifications

• Triggered by HR system or scheduled action
• Orchestration disables account, removes from groups, revokes licenses
• Moves user to "Terminated Users" OU
• Sends alerts to HR, IT, and team leads
• Scheduled deletion after retention period
• Highlight: Policy-based offboarding with no missed steps
• Governance in Microsoft 365

Focus on risk management and audit in Microsoft 365 environments

Key Highlights:

• View and audit inactive mailboxes, unused licenses, login anomalies
• Automate license management and mailbox delegation reports
• Track OneDrive sharing violations and mailbox permission changes

Use Case: Track if terminated users still have access to M365 apps or shared mailboxes

Goal: Show how ADManager and M365 Manager Plus together offer hybrid identity governance

 

• SharePoint Governance Snapshot

Focus on one key governance/visibility feature

Use Case:

• Track and alert on sensitive document access or anonymous sharing
• Generate permissions matrix reports for critical sites
• Identify site ownership gaps or stale access

Highlight: This complements AD360’s compliance reporting, especially in collaboration-heavy environments

• ADAudit Plus: Real-Time Monitoring for IAM Integrity

IAM-Relevant Use Cases:

• Track privilege escalations (e.g., user added to Domain Admins)
• Detect unauthorized access attempts, account lockouts, logon anomalies
• Audit changes to users, groups, OUs, GPOs – critical for compliance
• Monitor file access activities on file servers for insider threats
• Use prebuilt compliance reports (SOX, GDPR, NIST)
• Get alerted when a user is moved to a privileged OU
• Prove compliance in seconds with audit trails
• Identifying the Insiders using User Behavior Analytics (UBA)

Key Message: ADAudit Plus acts as a real-time forensic engine for your identity infrastructure.

• ADSelfService Plus: IAM Starts at the User’s Fingertips

IAM-Relevant Features:

• Password Reset & Account Unlock Portal (via Web/App/Mobile)
• Multi-Factor Authentication (MFA) for:
• Windows logon
• VPN access
• Self-service portal access
• Self-Update of Attributes reduce IT dependency, stay compliant
• Password Expiry Notifier reduce account lockouts & last-minute rush
• Single Sign-On (SSO) to enterprise applications

Key Message: ADSelfService Plus empowers users while boosting security posture

• Compliance Reporting and Unified Visibility

Tie everything together under governance and compliance

Topics:

• Mapping AD360 features to SOX, GDPR, and NIST mandates
• Risk Assessment for AD
• Certificate Campaign
• Cross-product reporting for:
• Inactive users
• Stale group memberships
• Orphaned M365 mailboxes
• Over-permissioned SharePoint users
• Alerting and audit trails

Wrap-Up (5 min)

• Auditing (ADAudit Plus) = Visibility & Control
• Self-service (ADSelfService Plus) = Productivity & Protection
• Together, they close major IAM gaps beyond provisioning

• Provision User in AD + M365 (ADManager Plus + M365 Manager Plus)
• Use a pre-built user creation template in ADManager Plus:
• Creates Thomas AD account
• Adds to OU: Marketing
• Assigns to groups: MarketingUsers, CampaignWriters
• Provisions Microsoft 365 account and assigns Teams + Outlook license

Outcome: One-click creation across AD + M365 with correct access and license

• Self-Service Enrollment + MFA (ADSelfService Plus)
• Simulate Thomas logging into the ADSelfService Plus portal
• Sets up password
• Registers MFA (OTP/SMS/Authenticator)
• Updates contact number and photo

Outcome: First login secured, helpdesk avoided, MFA in place

• Audit Access & Group Changes (ADAudit Plus)
• Simulate:
• First login activity logged
• View real-time alert for group assignment
• Highlight audit trail showing who created Thomas and what changes were made

Outcome: All activities traceable — security + compliance ready

• M365 & SharePoint Oversight (M365 Manager Plus + SharePoint Manager Plus)
• M365 Manager Plus:
• Show a mailbox report for Thomas (last login, delegated access)
• SharePoint Manager Plus
• Show permission matrix for Thomas on a Marketing Site
• Identify if any document is shared externally

Outcome: Visibility into what he has access to, both in M365 and SharePoint

• Wrap-Up (1–2 minutes)
• Recap flow:
1. Provisioned
2. Secured with MFA
3. Audited in real-time
4. M365 & SharePoint access governed

Use Case Deep Dive

• Cybersecurity visibility gaps
• Importance of identity-driven security in today’s threat landscape
• Centralized Log Management and Real-time SIEM
• Detecting Anomalies with Behavioral Analytics

• Detecting critical AD changes: GPO, OUs, group membership, privileged accounts
• Hybrid visibility with Azure AD and Microsoft 365 log integration
• Navigating SOX, GDPR, HIPAA with Log360’s built-in compliance templates
• Security of SaaS applications: Exchange Online, SharePoint, OneDrive, Teams

• Configure a correlation rule to detect credential stuffing attempts using event patterns from domain controllers.
• Analyze a user flagged by UEBA with high risk score. Determine cause, behavior deviation, and recommend action
• A user who normally accesses only finance folders is now modifying files in executive folders and logging in after hours.
• An admin group was modified without an approved request, and audit logs must be investigated to find who made the change and when.
• Find a non-admin user accessed sensitive SharePoint files they weren’t assigned to.
• An internal audit is scheduled, and your team must produce a GDPR/SOX-aligned report showing data access, modification, and permission trails.
• A hybrid AD user account is compromised. The attacker has accessed critical files, changed permissions, and attempted lateral movement across on-prem and cloud environments.