SmartProfiler for Entra ID is designed to mitigate security risks in Azure Entra ID by performing an advanced assessment. Executing the Entra ID CIS Assessment with SmartProfiler-SecID will ensure that your Entra ID environment is configured with the recommended settings to avoid security risks. SmartProfiler for AVD Assessment, by contrast, is designed to find bottlenecks and issues in an existing AVD environment and to help find missing settings that Microsoft recommends for improving the performance of the AVD environment. The AVD Assessment can also check whether the configuration is consistent across the host pools.
The ENTRA ID Assessment supports only the STORED-CRED connection method.
STORED-CRED
The STORED-CRED Connection method can be used if you:
Note that you will still be required to use a Global Admin or Global Reader account if you plan to use the STORED-CRED option, and the Global Reader or Global Admin account must be a non-MFA account.
To use the STORED-CRED option you are required to create an Entra App and assign the following permissions to the Entra App:
In addition, the “Reader” IAM role must be assigned to the Entra App on the subscription.
Once you have met the above requirements, you can proceed with the next steps.
To register an Entra ID Tenant with SmartProfiler-SecID, expand the “Tenants and Settings” section in the left pane and then click the “Add New Tenant” button as shown below:
Then, in the register a new tenant window, select Microsoft Azure Entra ID SP v1.0 from the list of available technologies and provide the Tenant details as below:
SmartProfiler requires the following inputs for ENTRA ID Tenants:
If you have purchased an ENTRA ID Assessment license, click the Browse button to apply the license codes from the license file.
Note that the registration process for an Entra ID Tenant checks the status of the Entra ID domain you entered and of the global admin account, to ensure that the domain is verified and that the global admin account has access to the tenant.
Once done, click the “Add Tenant” button to add the tenant under the management of SmartProfiler.
Note that you need to create an Assessment View before the assessment can be executed. To create an Assessment View, expand the “Tenants and Settings” section in the left pane and then click the “Manage Settings” button:
Then click the “Create View” button. In the Create a New View window, provide the following inputs:
Once you have provided the details for the new Assessment View, click the “Create View” button to create the view.
Once the Tenant has been registered with SmartProfiler and you have created an Assessment View, expand the “Assessment Views” section in the left pane to see your view, expand the Assessment View, and then click “Assessment Console” to open the assessment console as shown below:
After clicking Assessment Console, you will see the list of tests available in the console.
To start the execution, select the credential from the credential dropdown:
Then click the “Execute Assessment” button to start the ENTRA ID Assessment.
In the Assessment Summary window, you can see the issues that were detected for the Entra ID Tenant, along with the impact and recommendation for each issue. When you click the “Assessment Summary” button, the summary window lists all issues in each Entra ID Assessment category as shown below:
As you can see from the screenshot above, SmartProfiler has reported high, medium, low and non-compliance issues. It has also reported the items that passed successfully. If you need to see the data for a test, click on the test.
Here are the columns that are displayed as part of the Entra ID Assessment and their meaning:
Note: SmartProfiler for Entra ID includes all CIS Control tests for Entra ID foundation. However, some of the tests have been designed by our Entra ID experts to ensure every aspect of Entra ID Subscription is checked and reported as part of the report.
To generate a report for an Entra ID Tenant, click the “Generate Report” item found under the Assessment View in the left pane.
Note that SmartProfiler for Entra ID can generate a Microsoft Word report and an Excel summary that contains the list of affected objects for each test.
Click on the Browse button to specify the report location and check/uncheck various other options as explained below:
Once you have checked or unchecked the required options, click the “Generate Report” button. The process will take some time, and progress will be shown on the screen.
All CIS tests that are covered by SmartProfiler can be found on the CIS website. Note that SmartProfiler supports the latest CIS Version 3.1.0.
Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.