Active Directory Response Integration
Overview
In environments where Microsoft 365 (O365/Azure AD/Entra ID) is integrated with an on-premises Active Directory (AD), user disablement actions must be performed on the internal AD server to be effective. Disabling a user only in Azure AD may be temporary, as the on-prem AD server can overwrite this change during synchronization.
To support this, our Managed Detection and Response (MDR) platform enables secure communication with your internal AD server using a customer-hosted virtual machine (VM) as a proxy. This guide walks you through the steps to enable and configure AD response.
How It Works
- Your customer VM acts as a secure proxy between our MDR platform and your internal AD server.
- The VM hosts a server that receives commands from our production environment over a VPN connection.
- When a detection requires user disablement, the VM executes the action on your AD server.
Getting Started
To enable AD response, complete the following steps:
1. Update Your Customer VM
- Ensure your VM is updated with the latest server components that support AD response functionality.
2. Configure the VM for AD Response
- Open a browser and navigate to https://<VM IP>.
- Log in using the default credentials:
  Username: admin
  Password: <You can find this in the customer portal by navigating to Onboarding → Virtual Machine at defense.actzero.ai>
Important: Change the default password immediately after logging in.
3. Set Up Active Directory Integration
- After logging in, go to the Active Directory Integrations page.
- Ensure the VM can reach your AD server on:
  - Port 636 for LDAPS (recommended)
  - Port 389 for LDAP (only if SSL is disabled; traffic on this port is unencrypted)
- Provide credentials for an AD user with permission to disable other users. This user must be a member of the Account Operators group (domain admin rights are not required).
- The VM will validate the connection and credentials before saving the configuration.
- You may configure multiple domain controllers. The VM will attempt each one until the user is found and disabled.
Once the integration is successful, the VM will report its status to the MDR platform. This will automatically create an Active Directory connector.
Response Preferences
After the connector is created, you can choose your preferred response mode in the customer portal:
- On Demand: Requires manual approval for each action.
- Auto Response: Automatically disables users upon detection.
Hybrid Response Mode
In hybrid environments, detections can trigger both Azure AD and on-prem AD disable actions. If no AD connector is configured, only the Azure AD action will be performed.
The system identifies users by email address and attempts to match them in AD using both email and username fields.
Troubleshooting & Failure Scenarios
AD response actions may fail for the following reasons:
1. Unable to Connect to Customer VM
- The VM is offline or unreachable.
2. User Not Found
- The Base DN in your AD integration does not include the user.
3. Disable Action Failed
- The AD user account used for integration lacks the necessary permissions.
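The three failure scenarios above map directly onto the prerequisites from the setup steps: the VM must reach a domain controller on 636 or 389, the target user must fall within the searched scope and be matched by email or username, and the integration account must hold Account Operators rights. The following PowerShell script is an added example, not part of the ActZero VM or this guide; it lets an administrator dry-run those checks before saving the integration. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host, and the domain controller names, service account name and test email address are placeholders.

```powershell
# Added pre-flight check (example code, not ActZero's). Run as an AD administrator on a
# domain-joined Windows host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')  # placeholders: the DCs configured in the VM
$ServiceAccount    = 'svc-mdr-response'                            # placeholder: account handed to the VM
$TestUserEmail     = 'jane.doe@corp.example'                       # placeholder: a user to dry-run the lookup

# Scenario 1 (cannot connect): confirm each DC answers on LDAPS (636) and/or LDAP (389).
# Run the same test from the VM itself, since the VM's own network path is what matters.
foreach ($dc in $DomainControllers) {
    $ldaps = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
    $ldap  = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    '{0}: LDAPS(636)={1} LDAP(389)={2}' -f $dc, $ldaps.TcpTestSucceeded, $ldap.TcpTestSucceeded
}

# Scenario 3 (disable failed): the integration account must be in Account Operators.
# Direct membership is checked here; nested membership through another group also works in AD.
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount | Select-Object -ExpandProperty Name
if ($groups -contains 'Account Operators') {
    "$ServiceAccount is a member of Account Operators"
} else {
    Write-Warning "$ServiceAccount is NOT in Account Operators; disable actions will fail"
}

# Scenario 2 (user not found): reproduce the lookup the guide describes, matching on the email
# address or the username (assumed here to be userPrincipalName or sAMAccountName), and trying
# each domain controller in turn until a match is found.
$localPart = $TestUserEmail.Split('@')[0]
$filter = "mail -eq '$TestUserEmail' -or userPrincipalName -eq '$TestUserEmail' -or sAMAccountName -eq '$localPart'"
$user = $null
foreach ($dc in $DomainControllers) {
    $user = Get-ADUser -Server $dc -Filter $filter -Properties mail, Enabled
    if ($user) {
        "Found $($user.SamAccountName) ($($user.DistinguishedName)) on $dc; Enabled=$($user.Enabled)"
        break
    }
}
if (-not $user) {
    Write-Warning 'User not found on any DC; check that the Base DN in the AD integration includes this user'
}

# The action the VM performs on a detection, shown with -WhatIf so this script never changes state.
# Supplying -Credential runs it as the integration account, which confirms its rights end to end.
if ($user) {
    Disable-ADAccount -Identity $user -Server $dc -Credential (Get-Credential -UserName $ServiceAccount -Message 'Integration account') -WhatIf
}
```

If the Base DN check fails while the user plainly exists, compare the user's DistinguishedName printed above with the Base DN saved in the integration: the configured DN must be an ancestor of the user's DN, or the VM will never see the account.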