SmartProfiler for Active Directory & Entra ID Security Assessment Scenarios

SmartProfiler supports security, compliance and health assessments of Microsoft Active Directory, Entra ID, Microsoft 365 (CIS benchmark), Azure (CIS benchmark) and Azure Virtual Desktop (AVD). Microsoft 365, Azure and AVD assessments run over a public internet connection; an Active Directory assessment, by contrast, needs network reachability to the domain controllers of the forest being assessed. Managing assessments of several Active Directory forests for different clients or organizations is therefore the harder case, and it is the subject of this article.

SmartProfiler for AD & Entra ID Security supports several assessment scenarios, so that end users, MSPs, CSPs and anyone else who manages many AD forests for clients can run the assessment from whichever setup matches how they connect to those forests.

We have been talking with clients around the world about how they manage assessments of their AD forests. A Managed Service Provider (MSP) might, for instance, maintain Active Directory forests on behalf of its clients from a single management box that has connectivity to every client forest, or each client may supply its own management box for managing its infrastructure. In either case the management box is the computer used to connect to the client network and administer Active Directory and other application servers. The scenarios below apply to:

  • A customer who would like to run the assessment for their own AD Forest and Entra ID.
  • MSPs/CSPs who manage multiple AD Forests and Entra ID tenants for their customers.
  • Service Providers who provide shared IT services to their customers.

Option-A: Assessment is executed and managed by the Customer IT Team using the locally logged-on credential, as shown in the figure below.

Active Directory & Azure Entra ID Assessment using Option-A

In case of Option-A:

  1. Customer IT Team installs the Assessment Tool on a computer running in the AD Forest.
  2. The assessment computer is joined to the AD Forest being assessed.
  3. It has the necessary PowerShell modules installed.
  4. Microsoft Word and Excel are installed for reporting.
  5. When registering the AD Forest:
     - Enter the AD Forest FQDN.
     - Leave username and password blank, since the assessment will be executed using the locally logged-on credentials.

  • Customer IT Team logs on to the Assessment Computer using one of the following credentials:
     1. Domain Admin: if there is only a single AD Domain in the AD Forest.
     2. Enterprise Admin: if there are multiple AD Domains in the AD Forest.

Note: If you do not wish to run the Domain Controller tests, which require a Domain Admin or Enterprise Admin account, you can log on using a Domain User account instead; the remaining tests still run.

  • Executes the assessment:
     1. Select the "locally logged on credentials" option.
     2. The assessment is executed using the locally logged-on credentials.
  • Generate the report in Microsoft Word format.
  • Schedule the assessment (optional).

Note: Option-A is the default option that we generally use for customers who have a single AD Forest and want to assess their own forest.

Option-B: Assessment is executed and managed by the Customer IT Team using the Credential option:

Active Directory & Entra ID Assessment using Option-B

In case of Option-B:

  • Customer IT Team installs the Assessment Tool on a computer joined to the AD Forest.
  • The assessment computer is part of the AD Forest being assessed.
  • It has the necessary PowerShell modules installed.
  • Microsoft Word and Excel are installed for reporting.
  • When registering the AD Forest:
     1. Enter the AD Forest FQDN.
     2. Enter the credential to assess with:
        - Domain Admin: if there is only a single AD Domain in the AD Forest.
        - Enterprise Admin: if there are multiple AD Domains in the AD Forest.
        - Domain User: if you do not wish to run the Domain Controller tests, which require a Domain Admin or Enterprise Admin account.
  • Customer IT Team executes the assessment:
     1. Select the credential for the assessment. The assessment is executed using the credential selected, regardless of who is logged on to the assessment computer.
  • Generate the report in Microsoft Word format.
  • Schedule the assessment (optional).

Option-C: Assessment of customer AD Forests is executed by the MSP/CSP IT Team from a single management box:

Active Directory & Entra ID Security Assessment using Option-C

In case of Option-C:

  • There is one management box.
  • The management box has network connectivity to all customers' AD forests.
  • The management box is either joined to an AD domain (the MSP/CSP AD Forest) or in a workgroup.
  • Make sure to configure "your" DNS so that the customer AD forests are resolvable, for example with a conditional forwarder to each customer's DNS servers.
  • The SmartProfiler Assessment tool is installed on the management box.
  • The necessary PowerShell modules are installed.
  • Microsoft Word and Excel are installed for reporting.
  • When registering AD Forests, provide credentials to connect to each customer AD Forest from the management box:
     1. If there is a single AD Domain, provide a Domain Admin.
     2. If there are multiple AD Domains, provide an Enterprise Admin.
  • When executing the assessment:
     1. Execute the assessment using the credentials registered for each customer AD Forest.
     2. Assessment data for each customer AD forest is stored on the management box as below:
        - \Data\{Customer-AForest1}
        - \Data\{Customer-AForest2}
  • Using Assessment’s Master console:

  1. Can see assessment results for all AD Forests.
  2. Can generate report for selected AD Forest.
  3. Can schedule assessment for each AD Forest (optional).

Note: Assessment data for all customer AD Forests is collected and saved on the management box where SmartProfiler is installed. Because that data describes the security posture of every customer forest, restrict who can log on to the management box and who can read its \Data folder accordingly.
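Before registering a customer forest under Option-A, B or C, it is worth checking from the assessment or management box that the forest FQDN resolves, that its domain controllers are reachable on the ports an assessment needs, and that the credential you intend to register actually sits in the group the forest's domain count calls for (Domain Admins for a single domain, Enterprise Admins for several). The PowerShell below is an added example written for this article and is not part of SmartProfiler. The forest names, DNS server addresses and the port list are constructed sample values; the NRPT rule is one way to make a customer namespace resolvable from a workgroup or MSP-domain box (a conditional forwarder on your own DNS server is the alternative), and it assumes the RSAT ActiveDirectory module is installed.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, DnsClient, NetTCPIP

# Constructed sample values: replace with the customer forests you are about to register.
$Forests = @(
    @{ Fqdn = 'corp.customer-a.example'; DnsServer = '10.10.0.10' },
    @{ Fqdn = 'ad.customer-b.example';   DnsServer = '10.20.0.10' }
)

# Ports the assessment box needs on the domain controllers it will query.
$DcPorts = [ordered]@{ Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; LDAPS = 636 }

foreach ($f in $Forests) {
    Write-Host "=== $($f.Fqdn) ==="

    # 1. Name resolution. A box outside the customer forest cannot normally resolve it through
    #    its own DNS, so pin the customer namespace to the customer's DNS server with an NRPT rule.
    $ns = ".$($f.Fqdn)"
    if (-not (Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $ns })) {
        Add-DnsClientNrptRule -Namespace $ns -NameServers $f.DnsServer -Comment 'Assessment target forest'
    }

    # The _ldap._tcp.dc._msdcs SRV record lists every DC of the forest root domain.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($f.Fqdn)" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    Write-Host "Domain controllers: $($dcs -join ', ')"

    # 2. Port reachability from this box to each DC. Firewalls between an MSP network and a
    #    customer network frequently allow RDP but block LDAP/Kerberos, which breaks the assessment.
    foreach ($dc in $dcs) {
        foreach ($p in $DcPorts.GetEnumerator()) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p.Value -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $ok) { Write-Warning "$dc : $($p.Key)/$($p.Value) not reachable" }
        }
    }

    # 3. Credential tier. Single-domain forest -> Domain Admins; multi-domain -> Enterprise Admins.
    #    Enterprise Admins exists only in the forest root domain, so query that domain explicitly.
    $cred   = Get-Credential -Message "Credential to register for $($f.Fqdn)"
    $forest = Get-ADForest -Identity $f.Fqdn -Credential $cred -ErrorAction Stop
    $group  = if ($forest.Domains.Count -gt 1) { 'Enterprise Admins' } else { 'Domain Admins' }
    $sam    = if ($cred.UserName -match '\\') { $cred.UserName.Split('\')[1] } else { $cred.UserName.Split('@')[0] }
    $members = Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Credential $cred -Recursive |
               Select-Object -ExpandProperty SamAccountName

    if ($members -contains $sam) {
        Write-Host "$sam is in '$group' ($($forest.Domains.Count) domain(s)): all tests, including the DC tests, can run."
    } else {
        Write-Warning "$sam is not in '$group'. Register it only if you intend to skip the Domain Controller tests (Domain User scope)."
    }
}
```

Run it once per management box before registering forests; a port that fails here will show up later as a DC test that silently returns nothing, which is much harder to diagnose from inside the tool.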

Option-D: Assessment is managed and executed by the MSP/CSP IT Team from a separate management box for each Customer AD Forest.

Active Directory & Entra ID Security Assessment using Option-D

In case of Option-D:

  • Your own management box does not have connectivity to all customer AD Forests.
  • Each customer provides a separate management box for connecting to their AD Forest or environment.
  • The customer's management box has all the necessary PowerShell modules installed.
  • The SmartProfiler tool is installed on that box.
  • Log on to the customer management box where SmartProfiler is installed:
     1. Using a Domain Admin: if there is only a single AD Domain in the AD Forest.
     2. Using an Enterprise Admin: if there are multiple AD Domains in the AD Forest.

Note: If you do not wish to run the Domain Controller tests, which require a Domain Admin or Enterprise Admin account, you can log on using a Domain User account instead.

  • Register the AD Forest:
     1. Provide the customer's AD Forest FQDN.
     2. Leave the username and password fields blank.
  • Run the assessment from the customer's management box and then:
     1. Tick the "Push Assessment result To" box and provide the file server details.
     2. Assessment results for each customer AD Forest are pushed to a central file server, for example \\FileServer\AssessmentResults\CustomerAD1, \\FileServer\AssessmentResults\CustomerAD2, and so on.
  • If the assessment is scheduled, the data for each customer AD Forest is pushed to the file server automatically after every run.
  • The Assessment Master Console (installed on the file server or on another management box) connects to the file server, pulls the assessment results for each customer AD Forest and lets you generate the assessment reports.

Note: In case of Option-D, each customer management box must be able to reach the central file server (or "your" management box, if that is where the results are collected), and the account the assessment runs under needs write access to its customer's folder on that share.
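Because every customer management box writes into the same central share under Option-D, the share's permissions decide whether Customer A's box can read Customer B's results. The PowerShell below, written for this article and not part of SmartProfiler, shows one way to lay out the share on the file server so that each pushing account can only modify its own customer folder while the Master Console account can read all of them. The share root path, the domain name MSPDOM and the service account names are assumptions; substitute the accounts your scheduled assessments and the console actually run as.

```powershell
# Run on the file server that hosts \\FileServer\AssessmentResults.
# Assumed layout (adjust): share root D:\AssessmentResults, one AD account per customer management
# box ('MSPDOM\svc-push-<customer>') that the scheduled assessment pushes with, and one account
# ('MSPDOM\svc-sp-console') that the Assessment Master Console runs as.
$ShareRoot      = 'D:\AssessmentResults'
$ConsoleAccount = 'MSPDOM\svc-sp-console'
$Customers = [ordered]@{            # folder name -> account used by that customer's management box
    'CustomerAD1' = 'MSPDOM\svc-push-customerad1'
    'CustomerAD2' = 'MSPDOM\svc-push-customerad2'
}

function Set-CustomerResultFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PushAccount,    # may write results into this folder only
        [Parameter(Mandatory)] [string] $ReaderAccount   # console account, read-only
    )

    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $acl = Get-Acl -Path $Path
    # Break inheritance and discard the inherited ACEs so a broad 'Users: Read' on the share root
    # does not let every box that can reach the share list another customer's results.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($PushAccount,             'Modify'),          # create/overwrite result files, cannot change permissions
        @($ReaderAccount,           'ReadAndExecute')   # console only needs to read and list
    )
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($c in $Customers.GetEnumerator()) {
    Set-CustomerResultFolderAcl -Path (Join-Path $ShareRoot $c.Key) -PushAccount $c.Value -ReaderAccount $ConsoleAccount
}

# Verification: each customer folder should grant exactly one push account, and it must be its own.
Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $pushAces = (Get-Acl -Path $_.FullName).Access |
                Where-Object { $_.IdentityReference.Value -like 'MSPDOM\svc-push-*' }
    [pscustomobject]@{
        Folder       = $_.Name
        PushAccounts = ($pushAces.IdentityReference.Value -join ', ')
        Expected     = $Customers[$_.Name]
    }
} | Format-Table -AutoSize
```

Pair this with a share-level permission of Change for the pushing accounts and Read for the console account (or simply Authenticated Users: Change, with NTFS doing the real restriction). The NTFS ACL is what stops one customer's box from listing another customer's folder; a push account with Modify on the whole share root would defeat the separation the per-customer folders are meant to provide.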

Thanks for reading!

