SmartProfiler for Active Directory and M365 is designed to mitigate security risks in AD and Microsoft 365 environments by performing an advanced assessment and running real-time monitoring that captures threats as they emerge. Active Directory is the primary source of authentication and authorization for users and business applications, yet Microsoft does not provide out-of-the-box tools for performing a health and risk assessment of an Active Directory environment. The SmartProfiler CIS Assessment Requirements article explains the requirements that must be met before SmartProfiler can be used for CIS assessments. The SmartProfiler AD-OnPrem Security Tool performs Active Directory assessments across multiple AD forests and produces an assessment report that lists the issues found together with recommendations for fixing them. SmartProfiler for AVD Assessment, by contrast, is designed to find bottlenecks and issues in an existing AVD environment and to identify missing settings recommended by Microsoft for improving AVD performance. The AVD Assessment can also check whether the configuration is consistent across host pools.
Active Directory, Microsoft 365 and Azure Virtual Desktop will be protected, and a thorough assessment will ensure that Active Directory and Microsoft 365 operate in line with the CIS and NIST CSF 2.0 compliance standards. The AVD Assessment will ensure the AVD environment operates according to Microsoft's best practices and recommendations.
SmartProfiler for Active Directory, Microsoft 365 and AVD performs an advanced assessment in your production environment and uncovers hidden issues. Once the issues are uncovered, the customer IT team works to resolve them to ensure the smooth functioning of the Active Directory, M365 and AVD components. The AD Real-Time Monitoring component of SmartProfiler ensures that emerging threats are captured and notified as soon as possible.
The table below highlights the capabilities of each SmartProfiler product:
| Product | Capabilities |
| --- | --- |
| SmartProfiler for Active Directory | Active Directory Advanced Assessment (300 checks); AD Permissions Analyzer; AD Issues Fixer; AD Real-Time Monitoring; GPO Settings Checker; CIS/NIST GPO Compliance Checker; advanced and customized reporting; Domain Controllers security analyser; AD Smart Queries |
| SmartProfiler for Microsoft 365 | Supports CIS v3.0 tests; additional tests (139); compliance and security assessment |
| SmartProfiler for AVD | Performance improvement assessment; misconfiguration assessment; configuration consistency assessment across host pools |
The following requirements need to be met in order to install and execute SmartProfiler products.
SmartProfiler for Active Directory requirements must be met as mentioned below:
SmartProfiler for Microsoft 365 requires a public Internet connection to connect to Microsoft 365 tenants.
SmartProfiler for AVD requires a public Internet connection to connect to Microsoft Azure tenants.
The infrastructure will be sized to meet the following requirements for SmartProfiler.
| Hardware Component | CPU | Memory (GB) | Storage (GB) |
| --- | --- | --- | --- |
| Virtual machine running the SmartProfiler application/console. Note: the console can be installed on multiple computers connecting to the Real-Time Agent; the Real-Time Agent and the SmartProfiler console can also be installed on the same computer. | 2 vCPUs | 16 | 10 |
| Virtual machine running the SmartProfiler Real-Time Agent for processing Real-Time Alerts. | 2 vCPUs | 16 | 10 |
SmartProfiler executes PowerShell-based scripts to assess the target. You must either disable the antivirus completely or exclude the C:\Users\Public\SmartProfiler folder from antivirus scanning so that SmartProfiler processes can run the assessment without interference.
SmartProfiler uses Microsoft-provided PowerShell modules to run assessments. SmartProfiler can install the required PowerShell modules automatically from within the console; for this to work, it needs a working Internet connection to the PowerShellGallery.com web site.
If SmartProfiler is running on a Windows Server operating system, execute the PowerShell commands below from an elevated PowerShell prompt:
If SmartProfiler is running on a Windows client system, execute the PowerShell commands below from an elevated PowerShell prompt:
The Microsoft 365 CIS Assessment can be run from either Windows Server or a Windows client. Execute the PowerShell commands below to install the PowerShell modules required for the assessment.
SmartProfiler for AVD Assessment can install required PowerShell Modules automatically during the AVD Assessment execution.
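The prerequisite steps above (antivirus exclusion, reachability of the PowerShell Gallery, module installation) can be applied and verified with the following script. It is an added example, not SmartProfiler's own code; it assumes Windows Defender is the antivirus in use (the Defender module's Add-MpPreference/Get-MpPreference cmdlets) and uses the Microsoft.Graph module, named elsewhere on this page, as the module to pre-install.

```powershell
# Added example (not SmartProfiler's own code). Run from an elevated PowerShell prompt.
# Assumptions: Windows Defender is the antivirus; Microsoft.Graph is one of the
# Microsoft-provided modules SmartProfiler will need.

$SmartProfilerPath = 'C:\Users\Public\SmartProfiler'   # folder named in the requirements

# 1. Exclude only the SmartProfiler folder instead of disabling the antivirus,
#    then read the preference back to confirm the exclusion is in place.
Add-MpPreference -ExclusionPath $SmartProfilerPath
$excluded = (Get-MpPreference).ExclusionPath -contains $SmartProfilerPath
"Defender exclusion for $SmartProfilerPath present: $excluded"

# 2. Confirm the PowerShell Gallery repository is registered and reachable on 443,
#    because the console's automatic module installation depends on it.
$gallery = Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue
if (-not $gallery) { throw 'PSGallery repository is not registered on this machine.' }
$galleryHost = ([uri]$gallery.SourceLocation).Host
$reachable = Test-NetConnection -ComputerName $galleryHost -Port 443 `
    -InformationLevel Quiet -WarningAction SilentlyContinue
"PowerShell Gallery ($galleryHost) reachable on 443: $reachable"

# 3. Pre-install Microsoft.Graph from the PSGallery repository only (no other
#    repository is consulted) and record where the installed copy came from,
#    so the module's provenance can be checked later.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    Install-Module -Name Microsoft.Graph -Repository PSGallery -Scope AllUsers -Force
}
Get-InstalledModule -Name Microsoft.Graph |
    Select-Object Name, Version, Repository, InstalledLocation
```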
SmartProfiler is a desktop application designed to perform security, health and risk assessments of Microsoft 365, Active Directory and Azure Virtual Desktop tenants. To assess a technology, SmartProfiler needs the necessary permissions on the assessment target. The table below gives guidance on the permissions that must be available when running the assessment for each technology:
| Technology/Target | Permissions Needed | Remark |
| --- | --- | --- |
| Microsoft 365 Tenant | Global Reader account OR Global Admin account. The Global Reader or Global Admin account must be a non-MFA account. If a Global Reader account is used, it must hold the following Microsoft 365 roles: Global Reader; Message Center Privacy Reader; Message Center Reader; Reports Reader; Security Reader; Usage Summary Reports Reader. Note: it is recommended that the Global Reader account holds all Microsoft 365 reader roles. Note: see the Security Questions and Answers section to understand when to use a Global Reader versus a Global Admin account for the assessment. | When executing SmartProfiler for Microsoft 365 you must provide a Global Reader or Global Admin account to connect to the Microsoft 365 tenant and collect the data required for the assessment. A non-MFA Global Reader / Global Admin account is needed to run an unattended assessment. |
| Microsoft 365 Tenant | Admin consent for the Microsoft.Graph module for the following read permissions: AuditLog.Read.All; Reports.Read.All; Policy.Read.All; Directory.Read.All; IdentityProvider.Read.All; Organization.Read.All; Securityevents.Read.All; ThreatIndicators.Read.All; SecurityActions.Read.All; User.Read.All; UserAuthenticationMethod.Read.All; Mail.Read; MailboxSettings.Read; DeviceManagementManagedDevices.Read.All; DeviceManagementApps.Read.All; UserAuthenticationMethod.ReadWrite.All; DeviceManagementServiceConfig.Read.All; DeviceManagementConfiguration.Read.All; SharePointTenantSettings.Read.All; AccessReview.Read.All; RoleManagement.Read.All | Note that the Mobile Device Management category includes 22 tests that require admin consent (read permission), granted using a Global Admin account, before the tests in that category can show results. Admin consent is also required for the Microsoft Graph module. |
| Active Directory Forest – AD Assessment | Domain Admin account if the Active Directory forest has a single domain. Enterprise Admin account if the forest has multiple AD domains, in order to access all of them. | All domain controllers in each domain must be reachable to perform a complete assessment. Note: the Active Directory Assessment can be executed using a normal domain user account; in that case the 56 domain controller tests will not be executed. |
| Active Directory Forest – AD Assessment Scheduler | Domain Admin account if the Active Directory forest has a single domain. Enterprise Admin account if the forest has multiple AD domains, in order to access all of them. | The AD Assessment Scheduler service requires a service account that is a member of Domain Admins or Enterprise Admins. Note: the Active Directory Assessment Scheduler service can be executed using a normal domain user account; in that case the 56 domain controller tests will not be executed. |
| Active Directory Forest – Real-Time Monitoring | SmartProfiler Active Directory Real-Time Monitoring requires a normal domain user account to execute and process all Active Directory Real-Time Alerts. | The Real-Time service account must be configured with the Password Never Expires attribute. |
| Azure Virtual Desktop Tenant | Create an Azure AD application (SPN) in the Azure tenant. The SPN must have Owner permission on the subscription where the host pools are hosted. Session hosts must have the Azure Script Extension enabled to execute scripts remotely. | The following SPN details are required before the AVD Assessment can be performed: Azure Subscription ID; Azure Tenant ID; SPN ID (Application ID); SPN Secret; SPN Display Name |
The below diagram shows how SmartProfiler Active Directory components connect with each other and communicate to Domain Controllers.

The SmartProfiler AD Real-Time Agent (installed as a Windows service) communicates with the domain controller over the default port and protocol (LDAP: 389). The Active Directory Assessment communicates over the same protocol. Neither the Real-Time agent nor the AD Assessment agent connects to the public Internet for any communication. SmartProfiler uses an internal database to store the data required for real-time monitoring and assessment. This data is volatile and keeps changing based on the alert data fetched from Active Directory. No data is stored on the public Internet.
SmartProfiler for Microsoft 365 uses the default port (HTTPS) for communicating with Microsoft 365 tenants. The SmartProfiler M365 Execution Console implements a built-in agent that executes the tests using the Microsoft Graph PowerShell module. The following section of the document explains the execution sequence for each technology, including Microsoft 365.
SmartProfiler for Microsoft AVD uses the default port (HTTPS) for communicating with Azure AVD tenants. The SmartProfiler AVD Execution Console implements a built-in agent that executes the tests using the Microsoft Graph PowerShell module. The following section of the document explains the execution sequence for each technology, including Azure AVD.
All communication to and from the SmartProfiler application, including the user interface and the associated SmartProfiler agent/services, is secured using the default LDAP/LDAPS traffic.
The below process shows how SmartProfiler collects data from target. A target can be a Microsoft 365 Tenant, Active Directory Forest, or an Azure Virtual Desktop Tenant. The execution
SmartProfiler utilizes the power of the Microsoft PowerShell scripting language. The PowerShell modules designed by Microsoft are used to collect data from Microsoft 365 tenants, Active Directory and Azure Virtual Desktop tenants; SmartProfiler provides the execution framework around them. When you click the "Execute Assessment" button in SmartProfiler, the following events take place:
Note: Please check the Security Questions and Answers section in this document to understand when to use a Global Reader and when to use a Global Admin account for the assessment.
Note: If you need to see all the PowerShell scripts that are executed as part of the run, switch to the "Manage Modules" tab in SmartProfiler to view the PowerShell code that executes.
SmartProfiler does not require a database before an assessment can be executed. All data collected during execution is stored in CSV files on the local machine where SmartProfiler is installed, under the C:\Users\Public\SmartProfiler\SmartProfilerAssessment\Data folder.
CSV data is collected per test, with one file created for each test. For example, when executing "Test Microsoft 365 Users Licenses", a CSV file named "Test-Office-365-Users-Licenses-<Tenant Name>_DATA.CSV" is created to store the data for that test.
The data stored in the CSV files is required for the following purposes:
Once the assessment is completed you can safely delete the above folder and uninstall SmartProfiler from the machine. Please see the "Security Questions and Answers" section in this document before you decide to delete data.
Important: SmartProfiler will NOT delete data from the above folder if the product is uninstalled. You must delete the \Data folder manually if you wish to remove all data gathered by SmartProfiler.
When a customer installs SmartProfiler and runs the assessment for Microsoft Active Directory, Microsoft 365 and Microsoft AVD, the data is kept on the SmartProfiler computer. The SmartProfiler computer has an internal database that is used by the SmartProfiler agents for processing. When an assessment report is generated, the process pulls the data located on the SmartProfiler computer.
At no point during the assessment will the tool connect to the public Internet or to any FTP endpoints. All data is secured at rest using AES 256-bit encryption. Service account passwords and password hashes (while already encrypted at rest) are additionally encrypted with AES 256-bit encryption using Microsoft encryption.
The following table provides a list of frequently asked questions for Data Impact and Modeling.
| Question | Answer |
| --- | --- |
| Does this solution require the use of company data? | NO |
| Does this solution require the use of employee data? | NO |
| Does this solution move large amounts of data? | NO |
| Does this solution introduce a new data model? | NO |
Technical issues related to SmartProfiler for AD and M365 are supported by the DynamicPacks team during business hours, and all security incidents are supported during business and non-business hours. Support covers product technical issues, AD Real-Time related issues, customization, and implementation and assessment of Active Directory and M365.
This applies to SmartProfiler AD Real-Time Monitoring, which is installed on a single virtual machine running in the production IT environment. There is no HA requirement for the application. Real-Time monitoring instances keep sending an email reporting the availability of their components; if a component is not available or the AD Real-Time service stops, an email is sent to the IT team.
No risks are introduced, as the product is implemented to mitigate risks. However, SmartProfiler for Active Directory, Microsoft 365 and Azure AVD Assessment either stores credentials or provides an option to execute the assessment under the conditions below:
| Product/Component | Credential Requirement | Can Use Locally Logged On or MS Prompt Login? | Requires Storing Credentials? |
| --- | --- | --- | --- |
| SmartProfiler for AD Assessment | Domain Admin OR Enterprise Admin | Can use locally logged-on credentials | Optional |
| SmartProfiler AD Real-Time Service | Normal Domain User | Not supported | Requires storing the normal domain user account credentials in the SmartProfiler database. |
| SmartProfiler AD Assessment Scheduler | Domain Admin OR Enterprise Admin | Not supported | Requires storing Domain Admin or Enterprise Admin credentials in the SmartProfiler database. |
| SmartProfiler for M365 Assessment | Global Reader OR Global Admin account | Can use the Microsoft login prompt for the assessment | Optional, but helps with unattended assessment. |
| SmartProfiler for M365 Assessment Scheduler | Global Reader OR Global Admin account | Not supported | Requires storing SPN details such as the certificate thumbprint for the Scheduler service. |
| SmartProfiler for AVD Assessment | Azure SPN details | Not supported | Requires storing Azure SPN details for unattended assessment. |
To mitigate credential risk and ensure that no one else can use the credentials SmartProfiler relies on, the credentials for Active Directory, the Microsoft 365 tenant (if stored) and the email sender are stored in encrypted form. The solution uses a two-layer encryption mechanism, which in turn protects against compromise.
| Policy | Compliance | Reason for non-compliance |
| --- | --- | --- |
| Access Control Policy | Compliant | |
| Asset Management Policy | Not Applicable | |
| Availability Management Policy | Compliant | |
| Budget and Accounting for IT Services Policy | Not Applicable | |
| Compliance Policy | Not Applicable | |
| Contact with Authorities and Special Interest Groups | Not Applicable | |
| Data Protection Policy | Compliant | |
| Email Security Policy | Compliant | |
| End User Security Policy | Not Applicable | No end user data is touched. |
| HR Information Security Policy | Not Applicable | |
| Information Security Incident and Problem Management Policy | Not Applicable | |
| Information Security Management System Policy | Not Applicable | |
| Information Systems Acquisition, Development, and Maintenance Policy | Not Applicable | |
| ISMS Manual | Not Applicable | |
| IT Service Continuity Policy | Not Applicable | |
| Network Security Policy | Not Applicable | |
| Operations Management Policy | Not Applicable | |
| Physical and Environmental Security Policy | Not Applicable | |
| Risk Manual | Not Applicable | |
Q. Does SmartProfiler perform any write operations on the target?
A. No. SmartProfiler is a read-only product, and at no point during the assessment is a write operation performed on the target.
Q. Does SmartProfiler connect to the public Internet to send any information to DynamicPacks?
A. SmartProfiler does not connect to DynamicPacks or to any other public endpoint to store data. Even the license file is provided offline for activation.
Q. Does SmartProfiler use PowerShell modules designed by Microsoft?
A. SmartProfiler uses PowerShell modules designed by Microsoft. All PowerShell modules used by SmartProfiler are available on the PowerShell Gallery, which is managed by Microsoft.
Q. Can I see which PowerShell scripts are executed as part of a SmartProfiler run?
A. We provide a "Manage Modules" tab in SmartProfiler that can be used to inspect the PowerShell code for each test. However, the "Manage Modules" tab is only available in the licensed version.
Q. What data is stored in CSV files generated by SmartProfiler?
A. CSV files only contain "affected objects" data. For example, in the case of Microsoft 365, if a test needs to check the list of users or admins that do not have MFA enabled, the CSV file will only contain those affected users/admins. Similarly, if the AD Assessment finds orphaned domain controllers in the Active Directory forest, only those orphaned domain controllers will be listed in the CSV file.
Q. Can the SmartProfiler for Microsoft 365 CIS Assessment execute under a Global Reader account?
A. The SmartProfiler for Microsoft 365 CIS Assessment can execute 90% of the tests using a Global Reader account, provided the Global Reader account is a member of all required Microsoft 365 roles. The SharePoint tests (12 of them) cannot be executed using a Global Reader account. If you would like to execute the SharePoint tests as part of the assessment, we recommend using a Global Admin account. A Global Reader account cannot access SharePoint portal sites and settings; this is a technical limitation imposed by Microsoft.
Q. My customer's or organization's security team does not allow SmartProfiler for Microsoft 365 to run using a Global Admin account. What can be done in this situation?
A. In these circumstances, we advise using a Global Reader account to run the assessment initially. This account will be able to run 90% of the tests automatically and will also produce a report. Notify the security team that a Global Admin account is required in order to run the SharePoint tests. If the security team agrees to run the assessment using a Global Admin account, select just "SharePoint Tests" in the execution console and then execute.
Q. Is SmartProfiler secure when connecting to the target using PowerShell modules?
A. Since the PowerShell modules used by SmartProfiler are designed by Microsoft, and since all "Connect-xxxxx" commands establish a secure connection to Microsoft 365, Active Directory and Azure Virtual Desktop tenants, the data collected from those targets is transferred securely to the SmartProfiler machine.
Q. Does SmartProfiler delete all data collected after preparing Assessment Report?
A. There is no provision in SmartProfiler to delete all data once the assessment report has been prepared. Some environments take a long time to complete an assessment, and if you later need to see the list of affected objects you would not be able to if the data had already been deleted. You would have to perform the assessment again to see the affected objects list.
Q. Do SmartProfiler products interact with any other technologies in the production environment?
A. No. SmartProfiler only communicates with the required technology components as below:
Q. Is there a command we can use to grant Microsoft.Graph API permissions in the Microsoft 365 tenant?
A. The Grant Consent option can be used to grant admin consent to Microsoft.Graph from within the SmartProfiler Assessment Execution Console. If consent needs to be granted manually before executing the assessment, use the PowerShell command below:
```powershell
Connect-MgGraph -ContextScope Process -Scopes "AuditLog.Read.All", "Reports.Read.All", "Policy.Read.All", "Directory.Read.All", "IdentityProvider.Read.All", "Organization.Read.All", "Securityevents.Read.All", "ThreatIndicators.Read.All", "SecurityActions.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All", "Mail.Read", "MailboxSettings.Read", "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All", "UserAuthenticationMethod.ReadWrite.All", "DeviceManagementServiceConfig.Read.All", "DeviceManagementConfiguration.Read.All", "SharePointTenantSettings.Read.All", "AccessReview.Read.All", "RoleManagement.Read.All"
```
In the next step the process will check if the Admin Consent has already been granted to Microsoft.Graph. If not granted, then you will be presented with a prompt as shown below:
You need to check the box “Consent on behalf of your organization” and then click on “Accept” button to continue.
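After consent has been accepted, the following script (an added example, not SmartProfiler's own code) connects with the same scope list as the command above and compares what the tenant actually granted with what was requested, so missing permissions are found before the assessment is scheduled. It also lists any granted scope that permits writes; note that the page's own list includes UserAuthenticationMethod.ReadWrite.All, which is a write scope. It assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example (not SmartProfiler's own code). Assumes Microsoft.Graph.Authentication
# is installed. $RequiredScopes is the scope list given on this page.
$RequiredScopes = @(
    'AuditLog.Read.All', 'Reports.Read.All', 'Policy.Read.All', 'Directory.Read.All',
    'IdentityProvider.Read.All', 'Organization.Read.All', 'Securityevents.Read.All',
    'ThreatIndicators.Read.All', 'SecurityActions.Read.All', 'User.Read.All',
    'UserAuthenticationMethod.Read.All', 'Mail.Read', 'MailboxSettings.Read',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All',
    'UserAuthenticationMethod.ReadWrite.All', 'DeviceManagementServiceConfig.Read.All',
    'DeviceManagementConfiguration.Read.All', 'SharePointTenantSettings.Read.All',
    'AccessReview.Read.All', 'RoleManagement.Read.All'
)

# Interactive sign-in limited to this process, as in the page's command.
Connect-MgGraph -ContextScope Process -Scopes $RequiredScopes

# The context reports the scopes the tenant actually issued in the token.
$ctx     = Get-MgContext
$granted = @($ctx.Scopes)

# Requested scopes that did not come back: consent was not (fully) granted.
$missing = $RequiredScopes | Where-Object { $_ -notin $granted }

# Any granted scope that is not read-only deserves review before an
# assessment tool is allowed to run unattended with it.
$writeScopes = $granted | Where-Object { $_ -match '\.(ReadWrite|Write)' }

"Signed in as $($ctx.Account) on tenant $($ctx.TenantId)"
if ($missing) {
    "Requested but NOT granted:`n  " + ($missing -join "`n  ")
} else {
    'All requested scopes were granted.'
}
if ($writeScopes) {
    "Granted scopes that allow writes (review before use):`n  " + ($writeScopes -join "`n  ")
}

Disconnect-MgGraph | Out-Null
```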
Q. Are there any Firewall Ports that we need to open in order to install and run SmartProfiler?
A. SmartProfiler for Active Directory, Microsoft 365 and AVD communicates over specific ports, but these are the default communication ports and protocols for each endpoint, as listed in the table below. Ensure these ports are open from the SmartProfiler computer to the target.
| Product | Target | Port | Protocol |
| --- | --- | --- | --- |
| SmartProfiler for Active Directory | PDC Emulator of each AD Domain | 389 or SSL | LDAP or LDAPS |
| SmartProfiler for Active Directory | Active Directory Web Services | 9389 | LDAP or LDAPS |
| SmartProfiler for M365 | Microsoft 365 Tenant | 443 | HTTPS |
| SmartProfiler for AVD | Microsoft Azure Tenant | 443 | HTTPS |
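The port requirements in the table above can be verified from the SmartProfiler computer with the following script, an added example that is not SmartProfiler's own code. It goes slightly beyond the table: with `$AllDomainControllers` set, it tests every domain controller rather than only the PDC emulator, matching the earlier requirement that all domain controllers be reachable for a complete assessment. It uses .NET DirectoryServices (no RSAT module needed), and `graph.microsoft.com` is an assumed HTTPS endpoint standing in for the Microsoft 365 / Azure tenant targets.

```powershell
# Added example (not SmartProfiler's own code). Run on the SmartProfiler computer
# as a domain user. Assumption: graph.microsoft.com represents the HTTPS targets.
$AllDomainControllers = $false      # $true: test every DC, not just the PDC emulator
$results = @()

function Test-Port([string]$Target, [int]$Port) {
    # Returns $true when a TCP connection to Target:Port succeeds.
    Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    # Targets: the PDC emulator named in the port table, or all DCs of the domain.
    $targets = if ($AllDomainControllers) {
        $domain.DomainControllers | ForEach-Object { $_.Name }
    } else {
        @($domain.PdcRoleOwner.Name)
    }
    foreach ($dc in $targets) {
        foreach ($port in 389, 9389) {   # 389 = LDAP, 9389 = Active Directory Web Services
            $results += [pscustomobject]@{
                Domain = $domain.Name; Target = $dc; Port = $port
                Open   = Test-Port -Target $dc -Port $port
            }
        }
    }
}

# HTTPS (443) to the cloud endpoint used by the M365 and AVD assessments.
$results += [pscustomobject]@{
    Domain = '-'; Target = 'graph.microsoft.com'; Port = 443
    Open   = Test-Port -Target 'graph.microsoft.com' -Port 443
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning "Blocked: $($_.Target):$($_.Port) ($($_.Domain))" }
```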
Q. Can anyone log on to the SmartProfiler application?
A. No. SmartProfiler requires a username and password to log on to the application. The username and password are created when the first tenant or AD forest is registered. A tenant or AD forest can only be registered by supplying the correct credentials, such as a Domain Admin account for registering an AD forest and a Global Reader/Admin account for registering Microsoft 365 or Azure tenants. For any questions related to SmartProfiler security please contact us at [email protected] or [email protected].