Active Directory Monitoring

Last updated: April 6, 2026

Active Directory Monitoring provides visibility into identity configuration, directory posture, and exposure risk within directory services. Cyrisma supports monitoring for both on-premises Active Directory and Microsoft Entra ID (Azure AD) to help organizations identify insecure configurations, risky identity conditions, and indicators of potential abuse.

This article explains what Active Directory Monitoring does, how each monitoring model works, what data is evaluated, and how to use the results effectively.


Video Guide: Configuration of AD Monitor Settings (On-Premise and Entra ID)

What Active Directory Monitoring Does

Active Directory Monitoring evaluates directory-level configuration and identity posture to identify conditions that increase the risk of:

  • Credential abuse

  • Privilege escalation

  • Lateral movement

  • Identity-based attacks

  • Compliance and audit gaps

The monitoring focuses on directory configuration and exposure, not endpoint vulnerabilities, authentication logs, or attack simulation.


Supported Monitoring Models

Cyrisma supports two Active Directory monitoring models:

  1. On-Premises Active Directory Monitoring

  2. Microsoft Entra ID (Azure AD) Monitoring

Each model evaluates identity posture using a different execution approach.


On-Premises Active Directory Monitoring

Execution Model

  • Execution: Agent-based monitoring

  • Agent requirement: Required

  • Agent placement: Installed on a Domain Controller

  • Credential usage: None for local evaluation

The agent evaluates Active Directory locally on the Domain Controller, providing direct visibility into directory configuration and structure.


What Is Evaluated

On-premises Active Directory Monitoring evaluates directory configuration and metadata, including:

  • User objects and account attributes

  • Computer objects and status indicators

  • Group structure and membership

  • Privileged group exposure

  • Password and account policy configuration

  • Trust relationships and delegation settings

  • Indicators of insecure or risky directory configuration

  • Directory object changes over time, which can highlight recent modifications that may introduce risk

The monitoring does not attempt authentication testing or exploit simulation.
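To make the evaluation categories above concrete, here is an added example (not Cyrisma's code, and not its collection format) that scores a constructed on-premises directory snapshot the way a posture monitor would: it decodes the well-documented userAccountControl bit flags for risky account settings, flags membership in a small assumed set of privileged groups, and diffs two snapshots to surface directory changes between runs. The `Account` shape, the `PRIVILEGED_GROUPS` set, the 90-day password-age threshold and both snapshots are assumptions made for this example.

```python
"""Posture evaluation over a constructed on-premises AD snapshot.

Added example only: the Account shape, group list and snapshots below are
constructed for illustration and are not Cyrisma's own data model.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# userAccountControl bit flags as documented by Microsoft (ADS_USER_FLAG_ENUM).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000        # Kerberos pre-authentication not required

# Assumption: the privileged groups a monitor would treat as Tier 0.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


@dataclass
class Account:
    sam: str                       # sAMAccountName
    uac: int                       # userAccountControl value
    member_of: List[str] = field(default_factory=list)
    pwd_last_set_days: int = 0     # days since pwdLastSet


def evaluate_account(acct: Account, max_pwd_age_days: int = 90) -> List[str]:
    """Return finding tags for one account; disabled accounts yield nothing."""
    findings: List[str] = []
    if acct.uac & ACCOUNTDISABLE:
        return findings
    if acct.uac & PASSWD_NOTREQD:
        findings.append("password-not-required")
    if acct.uac & DONT_REQ_PREAUTH:
        findings.append("kerberos-preauth-disabled")
    if acct.uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    privileged = PRIVILEGED_GROUPS.intersection(acct.member_of)
    if privileged:
        findings.append("privileged:" + ",".join(sorted(privileged)))
        if acct.uac & DONT_EXPIRE_PASSWORD:
            findings.append("privileged-password-never-expires")
    if acct.pwd_last_set_days > max_pwd_age_days:
        findings.append("stale-password")
    return findings


def evaluate_snapshot(snapshot: Dict[str, Account]) -> Dict[str, List[str]]:
    """Map each account with at least one finding to its finding tags."""
    report = {sam: evaluate_account(a) for sam, a in snapshot.items()}
    return {sam: f for sam, f in report.items() if f}


def drift(prev: Dict[str, Account], curr: Dict[str, Account]) -> List[str]:
    """Directory changes between two runs that a reviewer should look at."""
    changes: List[str] = []
    for sam in sorted(set(curr) - set(prev)):
        changes.append(f"added:{sam}")
    for sam in sorted(set(prev) - set(curr)):
        changes.append(f"removed:{sam}")
    for sam in sorted(set(prev) & set(curr)):
        p, c = prev[sam], curr[sam]
        gained = PRIVILEGED_GROUPS & (set(c.member_of) - set(p.member_of))
        for group in sorted(gained):
            changes.append(f"privileged-membership-added:{sam}:{group}")
        if p.uac != c.uac:
            changes.append(f"uac-changed:{sam}:{p.uac:#x}->{c.uac:#x}")
    return changes


# Constructed snapshots: the state at the previous run and at the current run.
PREVIOUS_SNAPSHOT: Dict[str, Account] = {
    "alice": Account("alice", NORMAL_ACCOUNT, ["Domain Users"], 30),
    "svc_backup": Account("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, ["Domain Users"], 400),
    "bob": Account("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE, ["Domain Admins"], 10),
}
CURRENT_SNAPSHOT: Dict[str, Account] = {
    "alice": Account("alice", NORMAL_ACCOUNT, ["Domain Users", "Domain Admins"], 30),
    "svc_backup": Account("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION,
                          ["Domain Users"], 400),
    "bob": Account("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE, ["Domain Admins"], 10),
    "tmpadmin": Account("tmpadmin", NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_REQ_PREAUTH, ["Domain Users"], 0),
}

if __name__ == "__main__":
    for sam, tags in evaluate_snapshot(CURRENT_SNAPSHOT).items():
        print(f"{sam}: {', '.join(tags)}")
    for change in drift(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print("drift:", change)
```

The drift pass is what turns a one-off posture report into monitoring: a user newly added to Domain Admins or a service account that gained unconstrained delegation since the last run is flagged as a change, not just as a static finding, which matches the page's point that results reflect state at execution time and that regular runs are what reveal drift.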


Accuracy Considerations

  • Installing the agent directly on a Domain Controller provides the most accurate and complete results

  • Running AD monitoring from non-DC systems is not supported

  • Results reflect directory state at the time of monitoring execution


Microsoft Entra ID (Azure AD) Monitoring

Execution Model

  • Execution: Cloud-based evaluation via Microsoft integration

  • Agent requirement: Optional

  • Credential usage: Managed through Microsoft cloud APIs

Entra ID Monitoring evaluates identity posture using tenant-level configuration and metadata.


What Is Evaluated

Entra ID Monitoring evaluates identity and directory posture indicators, including:

  • Tenant configuration settings

  • User and administrator role assignments

  • Identity protection and access policy configuration

  • Indicators of weak or risky identity posture

The evaluation focuses on configuration state, not authentication events or endpoint activity.
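The tenant-level checks described here work on configuration objects rather than sign-in events. The following added example (not Cyrisma's code) evaluates a constructed Entra ID snapshot for role exposure and access-policy coverage: it counts Global Administrator members, flags guest accounts holding that role, checks whether each administrator is covered by an enabled Conditional Access policy that requires MFA, and notes when neither security defaults nor a tenant-wide MFA policy is in force. The object shapes follow Microsoft Graph's user, directoryRole and conditionalAccessPolicy resources, and the Global Administrator role template id is Microsoft's well-known value; the tenant data, the `MAX_GLOBAL_ADMINS` threshold and the `TENANT` dictionary are assumptions made for this example.

```python
"""Posture evaluation over a constructed Entra ID tenant snapshot.

Added example only: object shapes mimic Microsoft Graph resources, but the
tenant data below is constructed and the thresholds are assumptions.
"""
from typing import Dict, List, Set

# Well-known role template id for Global Administrator (from Microsoft docs).
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
MAX_GLOBAL_ADMINS = 5  # assumption: alert threshold for this example

# Constructed tenant snapshot.
TENANT = {
    "securityDefaultsEnabled": False,
    "users": [
        {"id": "u1", "userPrincipalName": "admin-one@contoso.example", "userType": "Member"},
        {"id": "u2", "userPrincipalName": "admin-two@contoso.example", "userType": "Member"},
        {"id": "u3", "userPrincipalName": "partner@contoso.example", "userType": "Guest"},
    ],
    "directoryRoles": [
        {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE, "displayName": "Global Administrator",
         "members": ["u1", "u2", "u3"]},
    ],
    "conditionalAccessPolicies": [
        {"displayName": "Require MFA for admins", "state": "enabled",
         "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_TEMPLATE], "excludeUsers": ["u2"]}},
         "grantControls": {"builtInControls": ["mfa"]}},
        {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
         "conditions": {"users": {"includeUsers": ["All"]}},
         "grantControls": {"builtInControls": ["block"]}},
    ],
}


def enforced_mfa_policies(tenant: dict) -> List[dict]:
    """Policies that are actually enforced (not report-only) and require MFA."""
    return [p for p in tenant["conditionalAccessPolicies"]
            if p["state"] == "enabled"
            and "mfa" in p.get("grantControls", {}).get("builtInControls", [])]


def policy_covers(policy: dict, user_id: str, role_ids: Set[str]) -> bool:
    """True if the policy's user scope includes this user and does not exclude them."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if set(users.get("excludeRoles", [])) & role_ids:
        return False
    if "All" in users.get("includeUsers", []) or user_id in users.get("includeUsers", []):
        return True
    return bool(set(users.get("includeRoles", [])) & role_ids)


def evaluate_tenant(tenant: dict, max_global_admins: int = MAX_GLOBAL_ADMINS) -> List[str]:
    """Return finding tags for role exposure and access-policy coverage."""
    findings: List[str] = []
    users: Dict[str, dict] = {u["id"]: u for u in tenant["users"]}
    roles_by_user: Dict[str, Set[str]] = {}
    for role in tenant["directoryRoles"]:
        for uid in role["members"]:
            roles_by_user.setdefault(uid, set()).add(role["roleTemplateId"])

    global_admins = [uid for uid, roles in roles_by_user.items() if GLOBAL_ADMIN_TEMPLATE in roles]
    if len(global_admins) > max_global_admins:
        findings.append(f"too-many-global-admins:{len(global_admins)}")

    enforced = enforced_mfa_policies(tenant)
    for uid in global_admins:
        upn = users[uid]["userPrincipalName"]
        if users[uid].get("userType") == "Guest":
            findings.append(f"global-admin-is-guest:{upn}")
        if not any(policy_covers(p, uid, roles_by_user[uid]) for p in enforced):
            findings.append(f"global-admin-without-enforced-mfa:{upn}")

    tenant_wide = any("All" in p["conditions"]["users"].get("includeUsers", []) for p in enforced)
    if not tenant.get("securityDefaultsEnabled") and not tenant_wide:
        findings.append("no-tenant-wide-mfa-enforcement")
    return findings


if __name__ == "__main__":
    for tag in evaluate_tenant(TENANT):
        print(tag)
```

Two details matter in practice and are modelled here: a policy in report-only state (`enabledForReportingButNotEnforced`) counts for nothing, and a per-user exclusion silently removes an administrator from an otherwise correct policy, which is why `admin-two` is reported even though the admin MFA policy exists.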


Data Evaluated

Active Directory Monitoring evaluates directory configuration and metadata, including:

  • Users, computers, and groups

  • Privilege assignments and role exposure

  • Policy and configuration values

  • Indicators of directory changes and configuration drift

No endpoint file data, network traffic, or live authentication activity is collected.


Monitoring Frequency

  • Monitoring runs on a scheduled basis

  • Results represent directory state at the time of execution

  • Regular monitoring helps detect configuration drift and emerging identity risk


Common Limitations

  • On-premises monitoring requires an agent on a Domain Controller

  • Results are configuration-based and do not represent active attacks

  • Permissions and directory architecture can influence visibility

  • Hybrid environments may require both AD and Entra ID monitoring for full coverage


Best Practices

  • Install the monitoring agent directly on a Domain Controller for on-premises AD

  • Monitor both on-prem AD and Entra ID in hybrid environments

  • Review privileged group membership regularly

  • Pay close attention to recent directory changes

  • Address high-risk identity findings promptly