On-Premise Active Directory Agent

Integrate On-Prem AD agent


Overview: BalkanID Active Directory Agent

The BalkanID Active Directory (AD) Agent is a high-performance, cross-platform service designed to securely extract and manage identity data from on-premises Active Directory environments. Written in Go, the agent runs within the customer’s network and acts as a controlled bridge between on-prem AD and the BalkanID identity governance platform.

The agent exposes a RESTful API that enables BalkanID to query and manage Active Directory objects such as users, groups, group memberships, and related metadata—without requiring direct inbound access to the customer’s directory infrastructure.


How the AD Agent Works

The AD Agent is deployed on a machine that has network access to the target Active Directory forest. Once configured, it communicates with BalkanID using one of two supported operating modes:

  • API-Only Mode (Recommended): In API-only mode, the agent runs as a standalone REST service. BalkanID can directly invoke the agent’s APIs to retrieve or manage Active Directory data. This mode is typically used in environments where inbound access is permitted or when the agent is leveraged for custom workflows.

  • Heartbeat Mode: In this mode, the agent establishes an outbound connection to BalkanID at regular intervals (“heartbeats”). During each heartbeat, the agent:

    • Authenticates using the configured API key

    • Sends extracted data to BalkanID every 2 hours

    This mode is ideal for environments with strict firewall rules, as it requires no inbound connectivity to the on-prem network.
