
# IAM Risk Analysis - Active Directory

### Overview

This section outlines how Segregation of Duties (SoD) policies across Microsoft Active Directory are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition organizations from periodic directory access reviews and static privilege audits to a continuous governance program where identity risks are automatically detected, analyzed, and remediated throughout the identity lifecycle.

Microsoft Active Directory functions as the core authentication and authorization infrastructure for enterprise environments. Authorization is primarily governed through security groups, organizational units, Group Policy Object administration, and similar directory constructs.

While this model enables centralized identity administration, it can introduce privilege escalation paths, segregation conflicts, and identity lifecycle risks when administrative roles, group memberships, and delegation privileges are assigned without centralized governance.

BalkanID IAM Risk Analyzer continuously evaluates Active Directory identity relationships to detect:

* Segregation of Duties conflicts
* Privileged group governance violations
* Residual administrative privileges
* Identity lifecycle failures
* Service account governance risks

The result is a centralized risk view that allows organizations to enforce least privilege, effective access governance, and secure identity lifecycle controls.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across Microsoft Active Directory administrative privileges, group memberships, and delegation configurations.

Activities include:

Identify identity governance areas in scope:

* Domain and forest administrative roles
* Privileged security groups
* User and group lifecycle management
* Organizational Unit delegation
* Group Policy Object administration
* Service account permissions
* Authentication and trust relationships

Define baseline toxic privilege combinations aligned to Active Directory governance best practices.

Categorize SoD rules by risk severity.

Validate rule logic against:

* Security group memberships
* Nested group relationships
* Delegated OU permissions
* GPO management privileges
* Service account configurations

Outcome

A formally approved Active Directory SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD Detection

User-Generated Insights can be used for writing SoD Rules and can be aggregated into a finding for actionable risk alerts. Findings provide a broader risk context and are used to trigger automated workflows.

Example:

***Use Case 1***: Domain Administrator vs Account Lifecycle Administration

Active Directory allows privileged administrators to manage both domain-wide administrative privileges and routine account lifecycle operations.

When a single identity holds both Domain Admin privileges and user or group lifecycle administration permissions, the user can create accounts and elevate privileges without independent oversight.

Risk Impact

* Unauthorized privilege escalation
* Reduced accountability over identity lifecycle actions
* Increased insider threat risk


***Use Case 2***: GPO Administration vs Security Group Management

Group Policy Objects enforce security configuration across systems and users.

If a single identity can both modify GPO policies and control security group memberships, that identity can influence the scope of policy enforcement.

Risk Impact

* Ability to weaken security controls
* Increased misconfiguration risk
* Potential bypass of monitoring policies


SoD Detection: (screenshot of the resulting finding)
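As an added example (not BalkanID's rule engine or any code from this page), the Python below evaluates the two toxic combinations above over a constructed directory snapshot. It resolves nested group membership and delegated ACEs into effective entitlements per user, which is the kind of validation Phase 1 calls for against nested groups and delegated OU permissions; every group, user, OU and right name here is invented.

```python
from collections import defaultdict

# Constructed sample directory: group -> members (users or nested groups).
# All names are invented for illustration; nothing here is a real domain.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Operators"],
    "Tier0-Operators": ["bob"],                      # nested into Domain Admins
    "Account Operators": ["bob", "carol"],
    "GPO Creator Owners": ["dave"],
    "Helpdesk-GroupManagers": ["dave", "erin"],
}

# Constructed delegated ACEs: (principal, object, right). A principal may be a
# user or a group; group grants flow to every effective member.
DELEGATIONS = [
    ("carol", "OU=Users", "CreateChild:user"),
    ("Helpdesk-GroupManagers", "OU=Groups", "WriteProperty:member"),
]

# Baseline toxic combinations from the rule library above. Holding at least one
# entitlement from each side of a rule is a conflict.
SOD_RULES = {
    "SoD - Domain Administrator vs Account Lifecycle Administration": (
        {"group:Domain Admins"},
        {"group:Account Operators", "ace:CreateChild:user"}),
    "SoD - GPO Admin vs Security Group Management": (
        {"group:GPO Creator Owners"},
        {"group:Helpdesk-GroupManagers", "ace:WriteProperty:member"}),
}

def effective_groups(group_members):
    """Flatten nested membership: user -> set of groups held transitively."""
    user_groups = defaultdict(set)
    for top in group_members:
        stack, seen = [top], {top}          # 'seen' guards against cycles
        while stack:
            for m in group_members[stack.pop()]:
                if m in group_members:
                    if m not in seen:
                        seen.add(m)
                        stack.append(m)
                else:
                    user_groups[m].add(top)
    return user_groups

def entitlements(group_members, delegations):
    """user -> set of 'group:<name>' and 'ace:<right>' entitlements."""
    groups = effective_groups(group_members)
    ents = {u: {f"group:{g}" for g in gs} for u, gs in groups.items()}
    for principal, _obj, right in delegations:
        holders = [u for u, gs in groups.items() if principal in gs] \
            if principal in group_members else [principal]
        for u in holders:
            ents.setdefault(u, set()).add(f"ace:{right}")
    return ents

def evaluate(group_members, delegations, rules):
    """Return (user, rule name, offending entitlements) for each SoD conflict."""
    findings = []
    for user, ents in sorted(entitlements(group_members, delegations).items()):
        for name, (left, right) in rules.items():
            hit_l, hit_r = ents & left, ents & right
            if hit_l and hit_r:
                findings.append((user, name, sorted(hit_l | hit_r)))
    return findings

if __name__ == "__main__":
    for user, rule, evidence in evaluate(GROUP_MEMBERS, DELEGATIONS, SOD_RULES):
        print(f"{user}: {rule} <- {', '.join(evidence)}")
```

Note that bob is flagged even though he is not a direct member of Domain Admins; the nested Tier0-Operators path is what the flattening step surfaces.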

### Baseline SoD Rule Library

| **Rules**                                                      | **Category**                                          |
| -------------------------------------------------------------- | ----------------------------------------------------- |
| SoD - Domain Administrator vs Account Lifecycle Administration | Segregation of Duties; Privileged Access Governance   |
| SoD - GPO Admin vs Security Group Management                   | Segregation of Duties; Configuration Governance       |
| Objects with Constrained Delegation Configured                 | Kerberos Delegation; Lateral Movement Risk            |

### Control Mapping

| Framework      | Control ID     | Control Title                  |
| -------------- | -------------- | ------------------------------ |
| SOC 2          | CC6            | Logical Access Controls        |
| SOC 2          | CC6.2          | Provisioning and Deprovisioning |
| ISO 27001      | A.9            | Access Control                 |
| ISO 27001      | A.6            | Segregation of Duties          |
| NIST SP 800-53 | AC-5           | Separation of Duties           |
| NIST SP 800-53 | AC-2           | Account Management             |
| NIST SP 800-53 | AC-6           | Least Privilege                |
| SOX            | Logical Access | Access to financial systems    |

### Conclusion

Microsoft Active Directory serves as a critical control foundation for enterprise authentication and authorization. Effective governance of privileged groups, delegated permissions, and identity lifecycle processes is essential for maintaining a secure directory infrastructure.

The findings identified highlight areas where directory controls may not be sufficiently designed or operating effectively, particularly in areas related to privileged access governance, privilege residue, and lifecycle management.

Implementing continuous identity risk monitoring through BalkanID IAM Risk Analyzer enables organizations to detect and remediate these risks, strengthening directory governance and reducing audit and security exposure.
