Safety Guide for AD Security Under On-Premises Environment

Pallavi Varanasi, Cloud Security Expert - CloudCodes Software
  • November 22nd, 2020

Is Active Directory keeping you up at night? Has the fear of an AD security incident robbed you of sleep? This is a common worry in the largest and most critical distributed system of your enterprise. Alongside disaster recovery, Active Directory security sits at the top of the business data protection priority list. Many IT departments struggle to keep an up-to-date list of the MS Office 365 users and groups that may reach on-premises data, because those groups are created in a self-service manner. Those users are the ones entitled to work with organizational data sources through an on-premises gateway, and every newly created O365 group means more gateway users to provision for each data source. These issues can be mitigated by reusing the same Active Directory groups: the groups then serve for authentication to the data warehouses and analysis services inside the on-premises network.

Major 3 AD Security Measures to Be Undertaken

According to Microsoft's feature summary, AD group support has been available since November 2015. The following points guide enterprises in using Active Directory groups with the Power BI on-premises data gateway:

1. Setting Up the Reporting Groups – Grant each data source permissions through a model reporting group with reader rights. This leverages AD security fully and minimizes maintenance. A single reporting group is scoped to the enterprise domain, matching the tabular model it serves. Then populate that domain reporting group with the current AD groups that are used for role-based authentication. In this way, when associates create a new O365 group to organize their work, their authentication in the Power BI service is seamless: no IT involvement is required and reports are available immediately after the group is created.

Note – The server administrator must be granted permission on every organizational domain group.

2. Permit the Mail-Enabled Security Groups – Another AD security measure uses groups on the business gateway. This is done by mail-enabling the security group. According to Microsoft, a mail-enabled security group can be used both to distribute messages and to grant permissions to access resources in Active Directory. Mail-enabling a group is straightforward and requires only that an email address be assigned to the O365 group. This lets the gateway evaluate the Members property of the Azure AD group for the individual. In this manner, a person authenticates successfully only if he or she is a member of a permitted Azure AD group. This must be enabled for all the security groups and performed recursively for every nested Active Directory group.

3. Synchronization With Azure Active Directory – The last AD security point synchronizes the local Active Directory with Azure AD. This requires the latest edition of DirSync (now known as Azure AD Connect) to establish the connection between the two. The administrator must carefully select the organizational units to be synced with Microsoft Azure Active Directory: these are the organizational units in which the security groups reside.

Note – Nested subgroups must also reside in the selected set of organizational units; otherwise the synced reporting group will not contain their members.

Ensure that synchronization with Azure AD completes. Verify that the groups have synced successfully and that they carry the "Mail-enabled" property. Once syncing is complete, the administrator can assign the individual enterprise domain groups to a reporting role on the on-premises data source.
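The checks in steps 2 and 3 can be scripted. The following PowerShell is an added example, not from the article or from Microsoft: it audits the security groups in the OU chosen for Azure AD Connect sync, confirms each is mail-enabled and has at least one nested member, and optionally verifies the same groups on the Azure AD side. The OU path is an assumed placeholder, and the cloud check assumes the AzureAD module with an existing Connect-AzureAD session.

```powershell
# Added example (not from the article): audit gateway-trusted AD groups before sync.
# Requires the RSAT ActiveDirectory module; $SearchBase is an assumed placeholder DN.
Import-Module ActiveDirectory

$SearchBase = 'OU=ReportingGroups,DC=example,DC=com'   # assumption: the OU selected for sync

# Security groups only: distribution groups cannot carry gateway permissions.
$groups = Get-ADGroup -SearchBase $SearchBase -Filter { GroupCategory -eq 'Security' } `
                      -Properties mail, whenChanged

$report = foreach ($g in $groups) {
    # In AD DS a group counts as mail-enabled when its 'mail' attribute is populated.
    $mailEnabled = -not [string]::IsNullOrWhiteSpace($g.mail)
    # Recursive expansion mirrors the nested-group membership the gateway will evaluate.
    $members = @(Get-ADGroupMember -Identity $g.DistinguishedName -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group       = $g.Name
        MailEnabled = $mailEnabled
        Mail        = $g.mail
        MemberCount = $members.Count
        LastChanged = $g.whenChanged
        Status      = $(if (-not $mailEnabled)      { 'FIX: assign a mail address' }
                        elseif ($members.Count -eq 0) { 'FIX: group has no members' }
                        else                          { 'OK' })
    }
}

$report | Sort-Object Status, Group | Format-Table -AutoSize

# Optional cloud-side check (assumes the AzureAD module and a Connect-AzureAD session).
# A synced group should exist in Azure AD and still report MailEnabled = $true there.
foreach ($row in ($report | Where-Object Status -eq 'OK')) {
    $cloud = Get-AzureADGroup -Filter "displayName eq '$($row.Group)'" -ErrorAction SilentlyContinue
    if (-not $cloud) {
        Write-Warning "$($row.Group): not found in Azure AD (sync pending or OU not selected)"
    } elseif (-not $cloud.MailEnabled) {
        Write-Warning "$($row.Group): synced but not mail-enabled in Azure AD"
    }
}
```

Any row marked FIX should be corrected on-premises before the group is granted a reporting role on the data source.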


AD security will no longer be a nightmare once organizations apply the protection measures listed above. These approaches keep data secure around the clock and provide protection against cyber threats. No leakage of Active Directory content will take place if each measure is applied in its proper place.