FAQs for SmartProfiler AD, M365, FSLogix, AVD and Entra ID
Here’s the list of frequently asked questions we have put together for each of our products and services. In case you still have any questions or require support on our products please feel free to connect with us using the contact us form or by sending an email to support@microsoft-assessment.Com.
SmartProfiler - General FAQ
-
What is SmartProfiler and what are the benefits of using it?
SmartProfiler Assessment finds critical, high, medium and low severity health and security issues in your Active Directory and Microsoft 365 environments. Most tools in this space perform only a security assessment of Active Directory and Microsoft 365; SmartProfiler Assessment performs both a health and a security assessment. For example, SmartProfiler for AD Assessment reports configuration and health issues alongside the security issues it uncovers across all AD domains in the forest.
SmartProfiler is based on the MITRE, ANSSI, NIST and CIS frameworks and is aimed at improving the health and security posture of one or more Active Directory forests by providing insight into each environment.
-
Do I need to install agents on target systems?
No. SmartProfiler connects to the target systems remotely using Dynamic Packs and collects the required information; assessments of Active Directory, Microsoft 365, AVD and FSLogix need no agent on any target. The only agent is the AD Real-Time Agent, a Windows service installed on the SmartProfiler computer itself (not on the domain controllers) when Real-Time monitoring of Active Directory is used.
-
Does SmartProfiler require a SQL database to store data?
No. SmartProfiler collects assessment information into CSV files stored on the SmartProfiler computer. Only Real-Time Agent monitoring uses an internal database, which SmartProfiler creates itself.
-
Understanding SmartProfiler Licensing
Note that SmartProfiler has been designed as a proactive engagement. The inner workings of SmartProfiler have changed substantially in recent development and new features have been added; these additional features carry a licensing cost, summarized below:
- Assessment License: Use the Assessment License to perform a cyber security assessment of Active Directory and Azure and generate a report in Word format. The AD Assessment license includes the panes below:
- AD Discovery
- Assessment Dashboard
- Generate Report
- AD Permissions Analyzer
- AD Smart Queries
- GPO Settings Checker
- Compare Assessments
- AD Issues Fixer License: The Issues Fixer License can be used to fix the Critical, High, Medium and Low issues reported by an assessment.
- Scheduler License: The Scheduler License can be used to schedule assessments and receive notifications when issues are found. The Scheduler license includes the panes/modules below:
- Configure Alerts
- Real-Time Console
- Smart Scheduler
- AD Permissions Fixer License: AD Permissions Fixer can be used to fix permissions on Active Directory Organizational Units and Tier 0 objects.
- CIS/NIST Analyzer License: The CIS/NIST Analyzer license can be used to analyze GPO settings against a CIS template.
- M365 CIS Assessment License: The M365 CIS Assessment license can be used to assess Microsoft 365 tenants against the CIS Benchmark plus additional tests designed by our M365 team.
-
Can anyone log on the SmartProfiler Application?
No. SmartProfiler requires a username and password to log on to the application. The username and password are created when the first tenant or AD forest is registered. A tenant or AD forest can only be registered by supplying valid privileged credentials: a Domain Admin account for an AD forest, or a Global Reader/Global Admin account for a Microsoft 365 or Azure tenant.
-
Does SmartProfiler connect to the public Internet to send any information to DynamicPacks?
SmartProfiler doesn’t connect to DynamicPacks or any other Public Endpoints for storing data. Even the license file is provided offline for activation.
-
Does SmartProfiler use PowerShell Designed by Microsoft?
SmartProfiler uses PowerShell Modules designed by Microsoft. All PowerShell Modules used by SmartProfiler are available on PowerShell Gallery which is managed by Microsoft.
-
Can I see what all PowerShell Scripts are executed as part of SmartProfiler execution?
We provide “Manage Modules” tab as part of SmartProfiler that can be used to check PowerShell code for each test. However, “Manage Modules” tab is only available in Licensed Version.
-
What data is stored in CSV files generated by SmartProfiler?
CSV files only contain “Affected objects” data. For example, in the case of Microsoft 365 if a test needs to check list of users or admins that do not have MFA enabled then CSV file will only contain those affected users/admins. Similarly, if AD Assessment for SmartProfiler finds orphaned domain controllers in Active Directory Forest then only orphaned domain controllers will be listed in CSV file.
-
Is SmartProfiler secure when connecting to targets using PowerShell modules?
The PowerShell modules SmartProfiler uses are published by Microsoft, and their “Connect-xxxxx” cmdlets establish HTTPS (TLS) sessions to Microsoft 365, Azure and Azure Virtual Desktop, so data collected from those targets is transferred to the SmartProfiler machine over an encrypted channel. For Active Directory the transport is LDAP/LDAPS and Active Directory Web Services within the domain; plain LDAP on port 389 is only protected when the client negotiates Kerberos signing and sealing, so prefer LDAPS where the domain controllers offer it.
-
Does SmartProfiler delete all data collected after preparing the assessment report?
No. There is no provision in SmartProfiler to delete the collected data once the assessment report has been prepared. This is deliberate: some environments take a long time to assess, and if the data were deleted you would have to run the assessment again just to see the affected-objects list. The CSV files therefore remain on the SmartProfiler computer until you remove them, so restrict access to the SmartProfiler computer and its data directory accordingly.
-
Do SmartProfiler products interact with any other technologies in the production environment?
No. SmartProfiler communicates only with the required technology components, as below:
- For Active Directory: SmartProfiler connects to domain controllers using LDAP (port 389) or LDAPS, and to Active Directory Web Services for the Active Directory PowerShell module (see the port table in the Active Directory FAQ).
- For Microsoft 365: SmartProfiler connects to Microsoft 365 tenants over HTTPS using the Microsoft Graph PowerShell modules.
- For AVD: SmartProfiler connects to Azure tenants over HTTPS and uses the Microsoft Azure AVD PowerShell modules to perform the assessment.
-
Network Communications Involved with SmartProfiler
All communication between the SmartProfiler application (including the user interface and the associated SmartProfiler Agent/services) and Active Directory uses the default LDAP/LDAPS ports and protocols.
- There are no unsecured external HTTP calls within the SmartProfiler applications (in particular for Microsoft 365 Assessment); all external calls use HTTPS.
- All communication with Azure and Microsoft 365 uses OAuth2 access tokens for Microsoft Graph and API operations, and HTTPS for PowerShell operations.
- SmartProfiler application services communicate with Azure and Microsoft 365 tenants over TLS 1.2 encrypted channels.
- Agents installed on the SmartProfiler computer communicate only within the internal network; no data is sent out.
-
Location of Customer Data When Using SmartProfiler
When a customer Installs and run the Assessment for Microsoft Active Directory, Microsoft 365, and Microsoft AVD, the data will be kept in the SmartProfiler computer. The SmartProfiler computer will have an internal database that will be used by the SmartProfiler Agents for processing. When an assessment report is generated, the process pulls the data located on the SmartProfiler computer.
-
Privacy and Protection of Customer Data
At no point during the assessment does the tool connect to the public Internet or to any FTP endpoint. All data is secured at rest using AES 256-bit encryption. Service account passwords and password hashes, already encrypted at rest, are additionally encrypted with AES 256-bit encryption using Microsoft encryption libraries.
-
Data Impact and Modeling
The following list answers the frequently asked questions about data impact and modeling.
- Does this solution require the use of company data? No.
- Does this solution require the use of employee data? No.
- Does this solution move large amounts of data? No.
- Does this solution introduce a new data model? No.
-
Are there any risks in using SmartProfiler, and how does SmartProfiler mitigate them?
The product itself is implemented to reduce risk in the assessed environment. The one risk to manage is credential handling: the unattended components (the Real-Time service and the schedulers) store credentials or service principal details in the SmartProfiler database, and for the AD scheduler those are Domain Admin or Enterprise Admin credentials. Treat the SmartProfiler computer as a Tier 0 asset whenever such credentials are stored on it. The table below shows, per component, the credential required, whether the locally logged-on account or a Microsoft login prompt can be used instead, and whether credentials must be stored.
Product/Component | Credential requirement | Can use locally logged-on account or Microsoft login prompt? | Requires storing credentials?
SmartProfiler for AD Assessment | Domain Admin or Enterprise Admin | Yes, the locally logged-on credentials | Optional
SmartProfiler AD Real-Time Service | Normal domain user | Not supported | Yes; a normal domain user account's credentials are stored in the SmartProfiler database
SmartProfiler AD Assessment Scheduler | Domain Admin or Enterprise Admin | Not supported | Yes; Domain Admin or Enterprise Admin credentials are stored in the SmartProfiler database
SmartProfiler for M365 Assessment | Global Reader or Global Admin account | Yes, the Microsoft login prompt | Optional, but helps with unattended assessment
SmartProfiler for M365 Assessment Scheduler | Global Reader or Global Admin account | Not supported | Yes; SPN details such as the certificate thumbprint are stored for the scheduler service
SmartProfiler for AVD Assessment | Azure SPN details | Not supported | Yes; Azure SPN details are stored for unattended assessment
SmartProfiler - Active Directory FAQ
-
What Tools and Options are available with SmartProfiler for Active Directory?
- AD DISCOVERY: Run this before executing the assessment; AD Discovery must complete before an AD Assessment can be executed.
- ASSESSMENT DASHBOARD: Shows the issues reported, together with supporting test data such as the affected-objects list.
- GENERATE REPORT: Use this option to generate an AD Assessment report.
- AD PERM ANALYZER: Use this option to analyze the permissions configured in the Active Directory forest, for a single AD domain or for all of them.
- AD ISSUES FIXER: Use this option to fix the critical, high, medium, low and other issues reported by the AD Assessment.
- DC SEC ANALYZER: Use this option to analyze the security status of your domain controllers; all 51 domain controller tests are shown per domain controller.
- GPO SETTING CHECKER: Use this option to check whether a particular GPO setting, or a set of them, is applied in an AD domain.
- SMART SCHEDULER: Use this option to run the AD Assessment on a schedule you define and receive a notification when issues are found.
- CONFIGURE ALERTS: Use this option when you plan to use Real-Time monitoring for Active Directory and want to configure its alerts. Real-Time monitoring runs every 5 minutes and notifies you by email when it finds an issue.
- REAL-TIME CONSOLE: Use the Real-Time Console to see issues and changed data.
- NIST/CIS ANALYZER: Use this option to check CIS-recommended GPO settings against a CIS template; all settings can be checked for each AD domain in the forest.
- AD SMART QUERIES: Use this option to run PowerShell commands, add your own queries and run them against the AD domains.
-
Are there any firewall ports that we need to open in order to install and run SmartProfiler?
SmartProfiler for Active Directory, Microsoft 365 and AVD uses the default communication ports and protocols of each target, as shown in the table below. Make sure these ports are open from the SmartProfiler computer to the target.
Product | Target | Port | Protocol
SmartProfiler for Active Directory | PDC Emulator of each AD domain | 389, or 636 for SSL/TLS | LDAP or LDAPS
SmartProfiler for Active Directory | Active Directory Web Services | 9389 | ADWS (used by the Active Directory PowerShell module)
SmartProfiler for M365 | Microsoft 365 tenant | 443 | HTTPS
SmartProfiler for AVD | Microsoft Azure tenant | 443 | HTTPS
PowerShell Remoting to every domain controller (required for the domain controller tests, see below) uses WinRM, TCP 5985 (HTTP) or 5986 (HTTPS), and must be allowed as well.
-
Do I need to install agents for SmartProfiler for Active Directory?
Only for Real-Time monitoring. The AD Real-Time Agent is a Windows service that needs to be installed on the SmartProfiler computer to process the alerts configured in the SmartProfiler Real-Time Console. The assessment itself needs no agent.
-
Understanding SmartProfiler Active Directory Licensing
Licensing for SmartProfiler for Active Directory is the same as described under “Understanding SmartProfiler Licensing” in the SmartProfiler - General FAQ above.
-
What are the requirements for SmartProfiler for Active Directory?
Installation of the SmartProfiler Assessment Tool is simple. If you have downloaded or received the SmartProfiler Assessment ZIP file from our team, extract the ZIP to a temporary folder and double-click the MSI file to install the SmartProfiler Assessment Tool.
Requirements
The following SmartProfiler requirements must be met:
- The SmartProfiler computer must be joined to an Active Directory domain.
- Microsoft Word and Excel must be installed on the SmartProfiler computer in order to generate reports.
-
What PowerShell modules are required by SmartProfiler for Active Directory?
SmartProfiler uses the Microsoft RSAT modules for Active Directory, Group Policy and DNS. You can install them manually by executing the commands below on the SmartProfiler computer:
For the Active Directory forest:
If SmartProfiler is running on a Windows Server operating system:
- Add-WindowsFeature -Name RSAT-AD-PowerShell
- Add-WindowsFeature -Name GPMC
- Add-WindowsFeature -Name RSAT-DNS-Server
- Add-WindowsFeature -Name RSAT-ADDS-Tools
If SmartProfiler is running on a Windows client operating system:
- Add-WindowsCapability -Online -Name ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- Add-WindowsCapability -Online -Name GroupPolicy.Management.Tools~~~~0.0.1.0
- Add-WindowsCapability -Online -Name Dns.Tools~~~~0.0.1.0
Make sure to execute the above commands in an elevated PowerShell prompt.
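As an added example (not code from SmartProfiler or its documentation), the following PowerShell script performs the same installation as the commands above but first checks what is already present, picks the server or client branch automatically, and finishes by verifying that the Active Directory, Group Policy and DNS cmdlets actually load. It assumes an elevated session; the feature and capability names are the ones listed above.

```powershell
# Added example, not SmartProfiler code: make sure the RSAT components the AD
# assessment relies on are installed, choosing the server or client method
# automatically. Assumes an elevated PowerShell session.

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

if ($isServer) {
    # Windows Server: RSAT ships as Windows features (same names as the commands above).
    $required = 'RSAT-AD-PowerShell', 'GPMC', 'RSAT-DNS-Server', 'RSAT-ADDS-Tools'
    foreach ($name in $required) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $feature) {
            Write-Warning "Feature $name is not available on this build"
        } elseif (-not $feature.Installed) {
            Write-Host "Installing feature $name"
            Install-WindowsFeature -Name $name | Out-Null
        } else {
            Write-Host "Feature $name already installed"
        }
    }
} else {
    # Windows client: RSAT ships as Features on Demand (capabilities).
    $required = 'ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
                'GroupPolicy.Management.Tools~~~~0.0.1.0',
                'Dns.Tools~~~~0.0.1.0'
    foreach ($name in $required) {
        $cap = Get-WindowsCapability -Online -Name $name
        if ($cap.State -ne 'Installed') {
            Write-Host "Installing capability $name"
            Add-WindowsCapability -Online -Name $name | Out-Null
        } else {
            Write-Host "Capability $name already installed"
        }
    }
}

# Final check: installation is only useful if the modules and cmdlets load.
Import-Module ActiveDirectory, GroupPolicy, DnsServer -ErrorAction Stop
Get-Command Get-ADDomain, Get-GPO, Get-DnsServerZone -ErrorAction Stop | Out-Null
Write-Host 'All Active Directory prerequisites are present'
```

The final Import-Module/Get-Command step is the part worth keeping even if you install by hand: a feature can report as installed while the module fails to load, and AD Discovery will fail later with a less obvious error.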
-
How long does the Active Directory assessment take?
It depends on the number of objects such as users, computers, groups and Group Policy Objects. The SmartProfiler for Active Directory assessment has been tested in a large Active Directory environment containing:
- 125K users
- 45k Groups
- 800 Group Policy Objects
- 400 Organizational Units
It took 3 hours for AD Assessment to run. Note that every user object is also checked for abusable permissions.
-
SmartProfiler for Active Directory Communication Architecture
The diagram below shows how the SmartProfiler Active Directory components connect to each other and communicate with domain controllers.
The SmartProfiler AD Real-Time Agent (installed as a Windows service) communicates with domain controllers over the default port and protocol (LDAP on TCP 389, or LDAPS where configured); the Active Directory Assessment communicates over the same protocols. Neither the Real-Time Agent nor the AD Assessment connects to the public Internet. SmartProfiler uses an internal database to store the data required for real-time monitoring and assessment; this data is volatile and changes as new alert data is fetched from Active Directory. No data is stored on the public Internet.
-
Does Active Directory Assessment require PS Remoting enabled on the domain controllers?
Yes. PS Remoting must be enabled on all domain controllers to run the Active Directory tests that target domain controllers. There are 60 such tests, executed against each domain controller to check its security status. PS Remoting uses WinRM (TCP 5985 for HTTP, 5986 for HTTPS), which is not part of the LDAP/ADWS port table above, so allow it from the SmartProfiler computer to every domain controller.
Note: The AD Discovery process also requires PS Remoting.
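The following PowerShell script is an added pre-flight check (not part of SmartProfiler) that covers both the port table in “Are there any Firewall Ports…” and the PS Remoting requirement above: for every domain in the forest it tests TCP 389, 636 and 9389 to the PDC emulator and then confirms that PowerShell Remoting actually works against every domain controller. It assumes the RSAT Active Directory module is installed and that the session runs as an account allowed to query the forest and open remote sessions; the WinRM port numbers are the standard ones, not taken from the page.

```powershell
# Added example, not SmartProfiler code: pre-flight check run on the SmartProfiler
# computer before AD Discovery. Assumes the RSAT Active Directory module is
# installed and the session runs as a domain account that can query the forest
# and open remote sessions on domain controllers.
# Ports: 389 LDAP, 636 LDAPS, 9389 ADWS (from the port table); WinRM is 5985/5986.

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($domainName in (Get-ADForest).Domains) {
    $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator

    # Ports the assessment itself uses, all against the PDC emulator.
    foreach ($port in 389, 636, 9389) {
        $ok = Test-NetConnection -ComputerName $pdc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Domain = $domainName; Target = $pdc; Check = "TCP/$port"; Ok = $ok }
    }

    # PS Remoting is required on every DC for the domain controller tests.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        $ok = $false
        try {
            # Test-WSMan only proves WinRM answers; Invoke-Command proves we can run code.
            $null = Test-WSMan -ComputerName $dc.HostName -ErrorAction Stop
            $null = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
            $ok = $true
        } catch {
            Write-Warning "PS Remoting to $($dc.HostName) failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $domainName; Target = $dc.HostName; Check = 'PSRemoting'; Ok = $ok }
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) pre-flight check(s) failed; AD Discovery and the DC tests will be incomplete"
}
# If TCP/389 passes but TCP/636 fails, only plain LDAP is reachable: the
# connection is then encrypted only if Kerberos signing and sealing is negotiated.
```

Run it under the same account the assessment will use; a remoting failure that only appears under the assessment account (for example, a constrained endpoint or a missing Remote Management Users membership) is exactly what this check is meant to surface before a multi-hour run.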
SmartProfiler - Microsoft 365 FAQ
-
What version of the CIS benchmark is supported by SmartProfiler for Microsoft 365?
SmartProfiler for Microsoft 365 supports the latest CIS Microsoft 365 Foundations Benchmark, version 3.1.0. The list of tests included in CIS version 3.1.0 for Microsoft 365 can be found on this page.
-
Can SmartProfiler for Microsoft 365 CIS Assessment execute under a Global Reader account?
SmartProfiler for Microsoft 365 CIS Assessment can execute 90% of its tests using a Global Reader account, provided that account is a member of all the other required Microsoft 365 roles. The SharePoint tests (12 of them) cannot be executed using a Global Reader account, because Global Reader cannot access the SharePoint admin sites and settings; this is a technical limitation imposed by Microsoft. If you would like the SharePoint tests included in the assessment, we recommend using a Global Admin account.
-
My customer's or organization's security team will not allow SmartProfiler for Microsoft 365 to run using a Global Admin account. What can be done in this situation?
In these circumstances, we advise running the assessment initially with a Global Reader account. This account can run 90% of the tests automatically and will also produce a report. Notify the security team that a Global Admin account is required only for the SharePoint tests. If the security team agrees to run those under a Global Admin account, select just “SharePoint Tests” in the execution console and execute them.
-
Is there a command we can use to grant Microsoft Graph API permissions in a Microsoft 365 tenant?
The Grant Consent option in the SmartProfiler Assessment Execution Console grants admin consent to Microsoft Graph from within the tool. If consent needs to be granted manually before executing the assessment, use the PowerShell command below. Note that UserAuthenticationMethod.ReadWrite.All is a write scope while every other scope requested is read-only; review it with the tenant owner before consenting.
Connect-MgGraph -ContextScope Process -Scopes "AuditLog.Read.All", "Reports.Read.All", "Policy.Read.All", "Directory.Read.All", "IdentityProvider.Read.All", "Organization.Read.All", "SecurityEvents.Read.All", "ThreatIndicators.Read.All", "SecurityActions.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All", "Mail.Read", "MailboxSettings.Read", "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All", "UserAuthenticationMethod.ReadWrite.All", "DeviceManagementServiceConfig.Read.All", "DeviceManagementConfiguration.Read.All", "SharePointTenantSettings.Read.All", "AccessReview.Read.All", "RoleManagement.Read.All"
In the next step the process checks whether admin consent has already been granted to Microsoft Graph. If it has not, you are presented with a consent prompt.
Check the box “Consent on behalf of your organization” and click the “Accept” button to continue.
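An added example (not SmartProfiler code) that wraps the command above: it connects with the same scope list, then compares the scopes actually granted in the session with those requested, so a missing admin consent is caught before the assessment runs instead of surfacing as a failing test. The write scope from the page's command is only requested when the -IncludeWriteScopes switch is set; that switch is an assumption of this script, not a SmartProfiler option. It assumes the Microsoft.Graph module is installed.

```powershell
# Added example, not SmartProfiler code: connect to Microsoft Graph with the
# scopes the assessment requests, then verify which scopes were actually granted
# before starting the assessment. -IncludeWriteScopes is this script's own switch.
param([switch]$IncludeWriteScopes)

$requestedScopes = @(
    'AuditLog.Read.All', 'Reports.Read.All', 'Policy.Read.All', 'Directory.Read.All',
    'IdentityProvider.Read.All', 'Organization.Read.All', 'SecurityEvents.Read.All',
    'ThreatIndicators.Read.All', 'SecurityActions.Read.All', 'User.Read.All',
    'UserAuthenticationMethod.Read.All', 'Mail.Read', 'MailboxSettings.Read',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementServiceConfig.Read.All', 'DeviceManagementConfiguration.Read.All',
    'SharePointTenantSettings.Read.All', 'AccessReview.Read.All', 'RoleManagement.Read.All'
)
# The page's command also requests UserAuthenticationMethod.ReadWrite.All, a write
# scope. Only request it when the tenant owner has explicitly approved it.
if ($IncludeWriteScopes) { $requestedScopes += 'UserAuthenticationMethod.ReadWrite.All' }

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -ContextScope Process -Scopes $requestedScopes -ErrorAction Stop

$context = Get-MgContext
$granted = @($context.Scopes)
$missing = @($requestedScopes | Where-Object { $_ -notin $granted })
$writeScopes = @($granted | Where-Object { $_ -match 'ReadWrite|\.Write' })

"Signed in as {0} to tenant {1} ({2} scopes granted)" -f $context.Account, $context.TenantId, $granted.Count
if ($writeScopes.Count -gt 0) {
    Write-Warning "Write scopes present in this session: $($writeScopes -join ', ')"
}
if ($missing.Count -gt 0) {
    Write-Warning "Admin consent missing for: $($missing -join ', ')"
    Write-Warning 'Tests that depend on these permissions will fail; grant consent and reconnect.'
} else {
    'All requested scopes granted; safe to start the assessment.'
}
```

Get-MgContext reports the scopes the token was actually issued with, which is what the tests will run under; comparing that list against the request is more reliable than assuming the consent dialog succeeded.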
-
How long does the Microsoft 365 CIS Assessment take?
For a tenant with 8,000 mailboxes we have seen the assessment take one hour to finish.
-
Understanding SmartProfiler for Microsoft 365 Licensing
Note that SmartProfiler has been designed as a proactive engagement. Licensing is summarized below:
- M365 CIS Assessment License: M365 CIS Assessment license can be used to perform assessment of Microsoft 365 Tenants based on the CIS Benchmark and additional tests designed by our M365 team.
- M365 Issues Fixer License: The Issues Fixer License can be used to fix issues such as fixing Critical, High, Medium and Low issues.
- M365 Scheduler License: The Scheduler License can be used to schedule assessments and be able to get notifications if any issues occur.
-
What are the requirements for SmartProfiler for Microsoft 365?
Installation of the SmartProfiler Assessment Tool is simple. If you have downloaded or received the SmartProfiler Assessment ZIP file from our team, extract the ZIP to a temporary folder and double-click the MSI file to install the SmartProfiler Assessment Tool.
Requirements
The following SmartProfiler requirements must be met:
- The SmartProfiler computer must have connectivity to the Microsoft 365 tenant.
- Microsoft Word and Excel must be installed on the SmartProfiler computer in order to generate reports.
- The necessary PowerShell modules are installed and the required permissions have been granted so that SmartProfiler can execute all tests.
-
What PowerShell modules are required by SmartProfiler for Microsoft 365?
The Microsoft 365 CIS Assessment can be run from either Windows Server or a Windows client. You can install the required PowerShell modules manually by executing the commands below on the SmartProfiler computer:
- Install-Module -Name MicrosoftTeams -Scope CurrentUser -Force -MinimumVersion '4.4.1' -AllowClobber
- Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force -MinimumVersion '2.0.5' -AllowClobber
- Install-Module -Name MSOnline -Force -AllowClobber
- #Install-Module -Name AzureAD -Force -AllowClobber
- Install-Module -Name Microsoft.Online.SharePoint.PowerShell -RequiredVersion 16.0.24322.12000 -Force -AllowClobber
- Install-Module -Name AzureADPreview -Force -AllowClobber
- Install-Module -Name Microsoft.Graph.Intune -Force -AllowClobber
- Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force -MinimumVersion '1.9.6' -AllowClobber
- Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -Force -AllowClobber
- Install-Module -Name Microsoft.Graph.Identity.SignIns -Force -AllowClobber
- Install-Module -Name Microsoft.Graph.Users -Force -AllowClobber
- Install-Module -Name Microsoft.Graph.Applications -Force -AllowClobber
- Install-Module -Name PnP.PowerShell -Force -AllowClobber
Note: Microsoft has deprecated the MSOnline, AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell (which is why the AzureAD line above is commented out); expect tests that still depend on the remaining legacy modules to need updating as those modules are retired.
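An added example (not SmartProfiler code) that checks the module list above rather than re-installing blindly: it reads the highest installed version of each module, installs or upgrades only what is missing or below the minimum versions given in the commands above, and warns about the modules Microsoft has deprecated. The minimum versions are taken from the commands above (the SharePoint module's pinned version is treated as a minimum here); modules listed without a version are only checked for presence. It requires access to the PowerShell Gallery.

```powershell
# Added example, not SmartProfiler code: verify the Microsoft 365 assessment
# modules are present at the minimum versions listed above, install or upgrade
# only what is missing, and warn about modules Microsoft has deprecated.
# Requires access to the PowerShell Gallery. $null means "any version is acceptable".

$required = @(
    @{ Name = 'MicrosoftTeams';                               MinimumVersion = '4.4.1' }
    @{ Name = 'ExchangeOnlineManagement';                     MinimumVersion = '2.0.5' }
    @{ Name = 'Microsoft.Online.SharePoint.PowerShell';       MinimumVersion = '16.0.24322.12000' }
    @{ Name = 'Microsoft.Graph';                              MinimumVersion = '1.9.6' }
    @{ Name = 'Microsoft.Graph.Identity.DirectoryManagement'; MinimumVersion = $null }
    @{ Name = 'Microsoft.Graph.Identity.SignIns';             MinimumVersion = $null }
    @{ Name = 'Microsoft.Graph.Users';                        MinimumVersion = $null }
    @{ Name = 'Microsoft.Graph.Applications';                 MinimumVersion = $null }
    @{ Name = 'Microsoft.Graph.Intune';                       MinimumVersion = $null }
    @{ Name = 'PnP.PowerShell';                               MinimumVersion = $null }
    @{ Name = 'MSOnline';                                     MinimumVersion = $null }
    @{ Name = 'AzureADPreview';                               MinimumVersion = $null }
)
# Legacy modules Microsoft has deprecated in favour of Microsoft Graph PowerShell.
$deprecated = 'MSOnline', 'AzureAD', 'AzureADPreview'

foreach ($module in $required) {
    # Highest installed version, if any; Get-Module -ListAvailable sees every scope.
    $installed = Get-Module -ListAvailable -Name $module.Name |
                 Sort-Object Version -Descending | Select-Object -First 1
    $needed = if ($module.MinimumVersion) { [version]$module.MinimumVersion } else { [version]'0.0' }

    if ($module.Name -in $deprecated) {
        Write-Warning "$($module.Name) is deprecated by Microsoft; plan to replace tests that depend on it"
    }

    # Splat the same Install-Module arguments the page uses, adding the minimum only when one exists.
    $install = @{ Name = $module.Name; Scope = 'CurrentUser'; Force = $true; AllowClobber = $true }
    if ($module.MinimumVersion) { $install.MinimumVersion = $module.MinimumVersion }

    if ($null -eq $installed) {
        Write-Host "Installing $($module.Name) (missing)"
        Install-Module @install
    } elseif ($installed.Version -lt $needed) {
        Write-Host "Upgrading $($module.Name) from $($installed.Version) to >= $needed"
        Install-Module @install
    } else {
        Write-Host "$($module.Name) $($installed.Version) OK"
    }
}
```

Running this on a schedule next to the scheduler service keeps the module set stable between assessments, and the deprecation warnings give early notice of which tests will need to move to Microsoft Graph cmdlets.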
-
What Tools and Options are available with SmartProfiler for Microsoft 365?
- M365 Assessment Console: Execution Console for executing CIS and SmartProfiler Tests.
- ASSESSMENT DASHBOARD: The Assessment Dashboard shows issues reported with other tests data such as affected objects list.
- M365 Assessment Scheduler: Assessment Scheduler to run Microsoft 365 Assessment and notify if any issues occur.
- M365 Issues Fixer: A single console to fix Critical, High, Medium, and Low issues in Microsoft 365 Tenants.
-
SmartProfiler Microsoft 365 Communication Architecture
SmartProfiler for Microsoft 365 uses the default HTTPS port (443) to communicate with Microsoft 365 tenants. The SmartProfiler M365 Execution Console implements a built-in agent that executes the tests using the Microsoft Graph PowerShell module. The following section of the document explains the execution sequence for each technology, including Microsoft 365.