SpyCloud Guides
spycloud.comGet a demo
Start typing to search…

Identity Guardians

Identity Guardians are SpyCloud’s way of making compromised password detection and remediation frictionless for enterprises. Instead of relying on manual checks and guesswork, Identity Guardians automate the process of testing exposed credentials against your user directories — protecting against both password reuse and cycling.

🔍 Why Identity Guardians?

Most organizations today rely on directories like:

  • Active Directory (AD) – Microsoft’s on-premises directory
  • Entra ID (formerly Azure AD) – Microsoft’s cloud-based directory
  • Okta – Cloud identity provider (can leverage AD or run standalone)

Traditionally, security teams had to:

  1. Log in to a portal,
  2. Pull records with exposed passwords,
  3. Manually check those passwords against directory accounts.

✅ This works for small-scale exposure.

❌ But it doesn’t scale, misses older credentials, and burns analyst hours.

⚡ What Identity Guardians Do

Identity Guardians close this gap by continuously and automatically:

  • Checking all credentials (fresh and historical) against live directories
  • Running specialized checks (ADG only) like:
    • NIST compliance
    • IDLink-powered matches
    • Banned password lists
    • Fuzzy variations
    • Shared password detection

The result: better coverage, less manual toil, faster remediation.

🧰 The Identity Guardians Lineup

🛡️

ACTIVE DIRECTORY GUARDIAN

Automates credential resets or disable high-risk accounts – acting on malware exposures in as little as 5 minutes from discovery. ADG offers the most flexible scanning and remediation options.

🛡️

ENTRA ID GUARDIAN

Extend automated credential protection to Microsoft’s cloud-based directory services. Runs natively in Azure. Perfect for cloud-first orgs, supports continuous scanning & password reset automation.

🛡️

OKTA WORKFORCE GUARDIAN

Integrates with Okta Workforce Identity to enforce password hygiene and prevent account compromise. Ideal if you run Okta Directory or LDAP.

💡 Key Benefits

SpyCloud Identity Guardians empower Identity and Access Management (IAM) teams to prevent identity threats by acting on breach, malware, and phishing credential exposures before criminals can. Instead of relying on outdated password policies or manual resets, Identity Guardians deliver continuous monitoring and automated remediation of verified credential exposures – aligned with NIST 800-63B and Zero Trust principles.

  • Continuous defense against account takeover
  • Coverage across on-prem, cloud, and hybrid setups
  • Automated remediation (reset, disable, notify)
  • Proven customer results:
    • 90% reduction in employee ATO cases (Global Airline)
    • 1,000+ analyst hours saved (EBSCO Industries)
    • 3,400 employees notified of password reuse in 3 months (Top Travel Company)

🧭 Choosing the Right Identity Guardian

With multiple Identity Guardians available, the right fit depends on your directory setup. Use this guide to match your environment to the right Identity Guardian.

🗂️ Identity Guardian Decision Matrix

EnvironmentRecommended Guardian(s)Why?
AD OnlyADGSimplest use case. Full feature set (Exact, Fuzzy, IDLink, NIST, Shared).
AD + Entra ID (Hybrid) – All Accounts SyncedADGPasswords replicate between AD & Entra, so ADG gives max control.
AD + Entra ID (Hybrid) – Some Cloud Only AccountsADG + Entra ID GuardianADG covers synced users; Entra covers cloud-only users.
Entra ID OnlyEntra ID GuardianCloud-native, continuous scanning in Azure.
Okta with AD as DirectoryADG + Okta Reset OptionPasswords live in AD; ADG scans them. Use Okta reset for smooth user experience.
Okta with Okta Directory/LDAPOkta Workforce GuardianSimplest Okta-native use case.

🌐 Hybrid Environments: Best Practices

Hybrid is the new normal — and our Identity Guardians play well together.

  • AD + Entra ID

    • Use ADG for its broader scan types (fuzzy, banned, NIST, shared).
    • Add Entra ID Guardian if you have cloud-only accounts.
    • Bonus: Entra ID Guardian replaces legacy “Azure scanning” in ADG (v7.3).

  • AD + Okta

    • Passwords still sit in AD → scan with ADG.
    • For remediation, leverage Okta password reset integration.

  • Multi-cloud directory mix

    • Deploy the right Identity Guardian in each directory.
    • Centralize reporting for visibility across environments.

✅ Pro Tips

  • Run scans daily (or continuously where supported).
  • Use as many password check types as possible (fuzzy, IDLink, banned).
  • Push for automated remediation at least for exact matches.
  • Right-size quota and scope for your environment.
  • For ADG, enable Shared Password Audit for maximum insight.

🚀 Bottom Line

No matter your mix of on-prem, cloud, or hybrid, there’s a Identity Guardian to match. The key is to deploy where your passwords live, then automate remediation to shut down ATO risk before attackers get a chance.

Updated 2 months ago