In 2026, Active Directory remains at the heart of the now hybrid identity infrastructure of most large companies and is still widely used as an on-premises identity provider, even when organisations migrate to the cloud. 

Wavestone incident response teams note that 38% of attacks begin with identity compromise (vs. 20% in 2024). More broadly, attackers frequently exploit on-premises identities to move laterally into cloud environments (Microsoft Digital Defence Report 2025 [1]). 

In a context where the hybridisation of identities increases an already vast attack surface, companies must be able to understand the challenges and equip themselves effectively. 

Through this new 2026 overview of Active Directory security tools, we offer you: 

1. An updated map of Active Directory security tools 
2. An overview of major market trends (consolidation, transition to platforms, cloud hybridisation) 
3. Feedback on operational implementation challenges and key success factors 

An overview of AD 2026 security tools, which has been further enhanced  

By analysing the market, we have identified four main use cases for these tools: 

1. Analysis and audit 
2. Hardening and maintaining security  
3. Detection 
4. Response and reconstruction 

A listing of publishers and tools offering features that meet one or more of these four use cases was conducted. It was designed to be as comprehensive as possible, including tools from the best-known and most widely used players on the market as well as those from lesser-known players, proprietary tools and open-source tools, tools with a wide range of features and tools offering a more limited set of features. All relevant tools were thus included in a list, with various information for each one (reputation, description of the tool and use cases covered, hosting, etc.). 

The following overview selected a number of publishers from this list, for the functional coverage they offer and their large use within organisations. 

The Microsoft Entra ID logo is added to tools that offer the possibility of integrating it into their operations in addition to on-premises AD coverage. This is a strong trend in the market. 

1. A dynamic market undergoing consolidation 

The Active Directory market has undergone several changes since 2022, with different major transactions. The aim is most often for publishers to complement their offering or to cover a new need for Active Directory security. 

Among other things, we can note : 

Acquisition of PingCastle by Netwrix [2] : PingCastle, renowned for its expertise in AD security auditing, strengthens Netwrix’s offering. This acquisition enables Netwrix to expand its portfolio with a lightweight, quick-to-deploy tool that is popular with technical teams, while reaffirming its commitment to providing a unified platform covering the entire AD security lifecycle. 

Acquisition of Attivo by SentinelOne [3] : Attivo, a specialist in identity security and lateral movement detection, strengthens SentinelOne’s offering by integrating advanced AD protection capabilities into a unified platform combining EDR, XDR and identity security. 

Acquisition of BrainWave by Radiant Logic [4] : Radiant Logic strengthens identity and governance analysis capabilities. By combining BrainWave’s detailed rights mapping with Radiant Logic’s identity federation, the offering becomes more comprehensive in addressing AD challenges. 

Integration of Stealthbits by Netwrix [5] : By merging with Stealthbits, Netwrix has integrated historical Active Directory auditing and detection components (StealthAUDIT, StealthDEFEND, etc.), strengthening its offering in the protection of identities and sensitive data and moving towards a unified platform focused on AD security. 

2. From specific tools to centralised platforms 

In 2022, our overview of Active Directory security tools mentioned “specialised tools, each addressing part of the equation.” [6]. In 2026, we are seeing the emergence of centralised platforms capable of covering several needs around Active Directory and, often, Entra ID. This dynamic is primarily driven by publishers seeking to broaden their value proposition and differentiate themselves with comprehensive platforms rather than specialised tools offering specific features. 

Some publishers build their platforms through successive acquisitions, such as Netwrix (AD auditing, data protection, vulnerability discovery, PingCastle, etc.) or SentinelOne (EDR/XDR enhanced by Attivo on identity), while others are gradually enhancing their existing offerings to provide modular suites, whether they are administration/monitoring tools such as ManageEngine ADAudit Plus or Quest Change Auditor, which add AD auditing, hardening and detection components across the entire Active Directory ecosystem. 

The promises made by publishers are clear: 

• Centralisation of data (accounts, groups, rights, security events) 
• Unified view of attack paths between AD and Entra ID 
• Simplified management for security, infrastructure and IAM teams via consolidated consoles and dashboards 

From the customer’s point of view, the benefits are obvious, but the reality may be more nuanced: 

• Consolidation can reduce the number of tools and simplify integrations, but it does not eliminate the need for AD expertise or specialised tools (e.g. for post-incident reconstruction). 
• Environments often remain multi-vendor, with a mix of global platforms (XDR, CNAPP, Identity Security) and targeted AD tools, particularly in large groups or organisations that are already heavily equipped. 

In this context, the challenge is not simply to “choose a platform”, but rather to put together a coherent whole, ensuring that: 

• The AD/Entra ID scope is well covered throughout the entire lifecycle (prevention, detection, response, reconstruction). 
• The tools can feed existing processes (SOC, crisis management, PRA, IAM). 
• Dependence on a single publisher is assessed and controlled. 

3. Cloud hybridisation 

With the rise of Entra ID and SaaS applications, identity hybridisation has become the norm: AD accounts and groups are synchronised to the cloud, and the same credentials are used to access on-premises and cloud resources. Numerous recent incidents show that attackers are exploiting these hybrid architectures to pivot between AD and Entra ID, taking advantage of poor configurations or weak alignment between the two worlds. [7] 

This translates into several concrete needs: 

• Joint supervision of AD and Entra ID: ability to correlate signals from the on-premises directory (changes, anomalies, lateral movement attempts) and the cloud (Entra ID Protection signals, connection anomalies, conditional access, etc.).  
• Security policy alignment: hardening of AD (configuration, delegation, privileged accounts) in line with conditional access policies, MFA and Zero Trust requirements.  
• Hybrid reconstruction capabilities: in the event of AD compromise, reconstruction and restoration must integrate Entra ID dependencies (synchronisation, service accounts, applications) to avoid side effects on the cloud, and vice versa. 

Publisher are gradually positioning themselves on this hybridisation. Some are expanding their AD audit engines to include Entra ID (on-premises to cloud) and offer a unified view of identity vulnerabilities: Netwrix Auditor now allows Entra ID to be monitored in parallel with Active Directory with a single view of hybrid threats. Tenable Identity Exposure extends its exposure indicators to specific Entra ID risks, and Semperis Directory Services Protector correlates AD and Entra ID changes in a single console to reduce the hybrid attack surface. 

Other tools start in the cloud (Entra ID, SaaS) and move down to on-premises AD (cloud to on-premises), using a hybrid identity threat detection and response approach: Microsoft Defender for Identity provides a consolidated inventory of AD and Entra ID identities and new detection capabilities on hybrid components (Entra Connect, AD FS, etc.), while CrowdStrike Falcon Identity Threat Protection analyses hybrid accounts present in both AD and Entra ID/Azure AD. 

Operational implementation still has room for improvement 

The Active Directory security market is seeing growing and structured adoption of sophisticated tools. In many organisations, functional coverage is now adequate, or even advanced, across the various aspects of AD security (auditing, hardening, detection, backup). 

However, technological maturity contrasts with operational implementation that is still incomplete. AD disaster recovery plans (DRPs) often remain theoretical, untested, or disconnected from the backup and reconstruction tools deployed. Regular reviews (of privileges, delegations, approval relationships) are still rarely industrialised: they often depend on a few experts, with a limited level of automation. 

The effectiveness of implementation is also impacted by the constant evolution of the ecosystem, between the platformisation of tools and the hybridisation of identities. The challenge for the coming years will therefore be to align tools (both existing and future) with robust, documented and tested processes: 

1. Clarify responsibilities between infrastructure, IAM, security and SOC teams, 
2. Formalise and automate recurring controls (rights reviews, configuration validation, restoration tests). 

Only then will investments in Active Directory security tools, both on-premises and in the cloud, enable true resilience to be achieved. 

Methodology overview 

We have identified four main categories for grouping tools: 

Analysis and audit: 

• Account and Privilege: Inventory of accounts, groups and associated rights to detect excessive or non-compliant privileges. 
• AD Discovery: Exploration of the AD structure (OUs, GPOs, objects) to deduce the architecture, relationships and dependencies. 
• Vulnerability Discovery: Identification of security vulnerabilities (configuration, obsolete accounts, weak passwords, etc.). 
• Attack Path Discovery: Modelling potential attack paths to privileged accounts. 

Hardening and management: 

• Password Management: Management of password policies, synchronisation, password auditing (strength, reuse, compromise, etc.). 
• Rights & Privilege Management: Delegation, access control, role and permission management. 
• GPOs Management: Creation, analysis, modification of group policy objects. 
• Change Management: Change tracking, traceability, change management and migration tools. 

Monitoring: 

• Threat Detection: Proactive detection of suspicious behaviour, privilege escalation, lateral movement. 
• Security Incident Detection: Identification of security incidents, real-time alerts, event correlation. 
• Backup and Recovery: 
• AD Backup & Recovery: Partial or complete backup of AD objects, rapid disaster recovery. 
• Investigation & Forensics: Post-incident analysis, traceability of malicious actions, evidence collection. 

For each of the tools classified, a badge (Microsoft Entra ID logo) is added when the tool offers the possibility of integrating Microsoft Entra ID into its operation. 

Conclusion

The 2026 overview is based on an analysis of 180 tools, compared to 150 in 2022. It was constructed using a similar approach to that of 2002. It is based on a listing of tools on the market. On this basis, and in line with recurring themes in Active Directory security, a categorisation has been established to facilitate reading. 

The list of tools mentioned is not intended to be exhaustive, as the list of tools that can contribute directly or indirectly to Active Directory security is vast. This overview is therefore a summary of the main existing tools, particularly those that Wavestone consultants encounter most often in large organisations (considered, studied, tested or deployed). 

References

[1] Microsoft Digital Defense Report 2025 | Microsoft 

[2] Netwrix Acquires PingCastle | Netwrix 

[3] SentinelOne, Inc. – SentinelOne Completes Acquisition of Attivo Networks 

[4] Radiant Logic Signs Definitive Agreement to Acquire Brainwave GRC – Radiant Logic | Unify, Observe, and Act on ALL Identity Data 

[5] Netwrix annonce sa fusion avec Stealthbits | Netwrix 

[6] Radar des outils pour renforcer la sécurité d’Active Directory – RiskInsight 

[7] Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog 

Cet article Overview of Active Directory security tools – version 2026  est apparu en premier sur RiskInsight.

In this article, we will expose the cyber-resilience challenge of Entra ID, explain why native features are incomplete and present the result of a PoC conducted on an open-source tool, Microsoft 365 DSC, to backup and recover Entra ID’s data.

The challenge of cyber-resilience in managed Cloud services

With Entra ID, the directory management strategy is in line with the Cloud paradigm. It means that the various network, storage, computer, OS and application layers are handled by Microsoft, leaving the customer to focus solely on his identity data.

This fundamental difference has an impact on the resiliency of the service. Indeed, the creation of snapshots to back up the integrality of the system, which is a common practice on AD, is not native on a managed service such as Entra ID. Thus, in order to face a disaster recovery scenario linked to malicious activities, we can only rely on native Microsoft functionalities: the identity lifecycle model, RBAC administration model and import/export capabilities.

The incomplete soft delete model

To ensure resilience, Cloud services are widely using a soft delete mechanism. Its main purpose is to recover data in the event of an accidental deletion. For example, in Azure Recovery Service Vault, the soft delete is the last safeguard in the event of intentional or unintentional deletion of the vault. Combined with immutability parameters, the vault cannot be erased regardless of admin permissions.

In Entra ID, the concept of soft delete exists but is insufficient to ensure data resilience for two reasons. On the one hand, there is neither role distinction between soft-delete and hard-delete nor Recovery role, i.e. the permissions required to delete an object are sufficient to allow for permanent deletion. On the other hand, the life cycle of objects in Entra ID (create, manage, delete) is governed by the same role:

• The role User Administrator can both create and hard-delete a user
• The role Cloud Application Administrator can register an application, configure all aspects of the application and hard-delete the application
• The role Cloud Device Administrator can add a device, configure all aspects of the device and unregister a device

The impact of a deletion on Entra ID

This design makes the User Administrator, Privileged Authentication Administrator, Cloud Application Administrator, Application Administrator, Cloud Device Administrator, Intune Administrator and Windows 365 Administrator roles all the more critical, as their compromise can lead to the permanent loss of identity data. The impact of such a deletion can be a loss of access to applications and data, a loss of permissions, and an inability to administrate.

Although the deletion of hybrid users synchronized with an on-premise AD is reversible, information such as role assignment will be lost, threatening the rights and access model. This is not the case for Cloud identities, which are generally part of the Control Plane. As part of the Enterprise Access Model, the Control Plane includes the most sensitive access, leading to a global compromise of an Information System.

In a disaster recovery scenario, some assets are more critical than others and should be backed up as a priority. These include:

• Control Plane users, groups and roles assigned
• Enterprise Applications (service principals) with critical permissions over Azure or Microsoft 365
• Administrative workstations

Comparison of backup open-source methods

To reduce the likelihood of Entra ID malicious data loss risk, the implementation of a backup solution seems essential, at least for the Control Plane in order to maintain control over your Information System and rebuild. We have therefore analyzed 3 open-source methods for ensuring data backup:

• Microsoft Graph PowerShell: this is the PowerShell library for Microsoft Graph APIs. You can build your own script(s) to export and import Entra ID objects attributes that fit with organization needs
• Microsoft Entra Exporter: this is a PowerShell module that export a local copy of some Entra ID attributes (Users, Applications, Service Principals, Roles, etc.) into JSON file
• Microsoft 365 Desired State Configuration (DSC): this is a PowerShell module for declarative configuration, deployment and management of Microsoft 365 services

Backing up Entra ID objects with Microsoft 365 DSC

In this part, we will explain how we tested the open-source solution Microsoft 365 DSC and share the results and conclusions we got.

Our PoC

Microsoft 365 DSC enables the management of the configuration and state of Microsoft 365 services following a declarative approach. By defining the desired state rather than specific steps, it simplifies the management of complex cloud configurations and ensures consistency across the environment.

In the context of a PoC, the test population deployed in our test tenant is as follows:

• 30 Cloud Only Users (randomly generated by Microsoft as part of the test’s tenant creation process)
• 10 Security Groups (randomly assigned to Users)

The purpose of this PoC is to identify the benefits and limitations of the solution through a series of tested and documented uses cases:

The process required configuring a service account with the right permissions (User.ReadWrite.All, Group.ReadWrite.All) in Entra ID to interact with Microsoft Graph API for data export and import.

These permissions enabled the service account to retrieve the necessary configuration and data from Entra ID and later re-import it.

Result of the PoC Microsoft 365 DSC

As a result of these tests, we were able to gather conclusive information on the solution’s benefits and limitations. On the positive side:

• Granular Configuration Selection: The solution allows precise targeting of configurations for backup, enabling users to select specific settings.
• Recovery without deletion: During recovery, current users and groups are retained, preventing accidental deletion.
• Overwrite of Outdated Attributes: Backed-up attributes replace the old ones.
• Language of the Data Storage: Data is stored in JSON format, making it easy to manipulate and modify backup files.
• Automation Capabilities: Once the necessary tools are installed, the solution is easy to automate.
• Monitoring and Alerts: Microsoft 365 DSC can be used to monitor data consistency and receive alerts in the event of suspicious changes
• Snapshot Versions management: It enables easy maintenance and administration of multiple snapshot versions
• Detailed Logging Functionality: It offers the possibility to generate highly detailed logs, providing records of all operations for enhanced oversight.

Despite these advantages, the study revealed several limitations:

• Incomplete Data in Backup: The backup process does not capture all attributes, leading to potential loss of important information.
• Backup Size Limit: The backup size is capped at 11MB, which may be insufficient for larger configurations or datasets.
• Deactivation Status Not Captured: Snapshots do not store deactivation statuses for users, potentially re-enabling disabled users during recovery.
• Unencrypted Data and Credentials: Security concerns arise from data and credentials being stored unencrypted, posing risks to sensitive information.
• Object IDs’ Loss: During imports, object IDs are lost, causing recreated objects to have new IDs, which can lead to duplicate entries in subsequent imports.
• Privileged Service Principal: The service principal involved has elevated privileges, increasing the risk of security vulnerabilities if not properly managed.

It is important to note that this tool does not really support “restoration” as it is possible to re-create objects, but it does not ensure service restoration and continuity. The reason being that it currently cannot restore links between new ID objects and applications, which is an issue native to Entra ID.

Our opinion about Microsoft 365 DSC

Microsoft 365 DSC is a great tool when it comes to basic uses and documentation as it is simple to use and to deploy on test environments. It is also quite efficient as a monitoring tool thanks to its version control and detailed logs. However, it is not adapted to large environments because of the limited scalability, the poor user experience and security issues related to configurations and credentials. It can also lead to inconsistencies or duplication as object IDs that can be referenced elsewhere are unrecoverable.

Additional solutions may be required such as scripting for handling configuration files and ensuring the consistency of the modifications, as well as well-defined encryption and backup processes. Therefore, we recommend always carefully evaluating the specific needs, planning additional developments and mainly using the solution for supervision and testing purposes.

Given the limitations of Microsoft’s open-source tools, it could be worthwhile to explore what third-party vendors, such as Semperis or Quest who are pure players on the subject, have to offer. These alternatives might address some of the challenges related to scalability, reliability and security, providing options that better suit larger environments. It is important to remain open to these possibilities and evaluate them based on the specific requirements of your organization.

Cet article Resilience Entra ID est apparu en premier sur RiskInsight.