ManageEngine AD360 adds identity risk & MFA to combat breaches
ManageEngine has announced the general availability of new identity risk exposure management and local user multifactor authentication (MFA) features in its AD360 identity and access management platform.
The new features are intended to help security teams detect privilege escalation risks and secure unmanaged local accounts, two attack vectors that are frequently targeted by threat actors. These additions come amid continuing concern over identity-centric breaches, as reported in Verizon's 2025 Data Breach Investigations Report, which found that credential abuse was the initial access vector in 22% of breaches and highlighted ongoing exploitation of mismanaged local accounts and privilege chains.
Manikandan Thangaraj, Vice President of ManageEngine, said,
With this release, ManageEngine AD360 moves beyond traditional IAM by embedding identity threat defences into core identity operations. By turning identity data into actionable security insights, we're helping customers make IAM the first line of defence, not a check box.
The update to AD360 introduces risk exposure mapping using attack path analysis, as well as the ability to enforce MFA on local accounts. According to ManageEngine, these capabilities are designed to assist enterprises in closing attack paths that may otherwise go undetected, thereby advancing the role of identity management from basic access control to active security enforcement.
Risk exposure management
The identity risk exposure management feature operates using graph-based analysis to map lateral movement and privilege escalation paths within Active Directory (AD). By representing AD objects as nodes and privilege inheritance as lines, the system models and visualises attack chains in real time. It automatically prioritises risky AD configurations and provides IT staff with actionable remediation steps, enabling organisations to address threats proactively.
Local account MFA enforcement
The new local user MFA capability extends adaptive MFA protections beyond domain-joined devices, allowing enterprises to secure credentials on local accounts that reside on non domain-joined servers, assets in demilitarised zones (DMZ), and in test environments. This move is intended to mitigate risks associated with credential stuffing and persistence techniques, which have proven effective in attacks on unmanaged local accounts.
Machine learning-driven recommendations
ManageEngine has also incorporated machine learning (ML) into AD360 to support access recommendations. During both provisioning and periodic access review campaigns, the software now analyses permission patterns and suggests adjustments designed to enforce least privilege access. This is expected to reduce the incidence of excess entitlements and consequently limit attackers' ability to move laterally following an initial compromise.
Access certification and governance
Enhancements to the platform's access certification module include expanded entitlements for more comprehensive review coverage. The risk assessment capabilities now feature additional indicators for improved identity risk monitoring across both Active Directory and Microsoft 365 environments. ManageEngine states that these changes are aimed at improving compliance reporting and strengthening access governance across enterprise environments.
The newly added features in AD360 are intended to support compliance with NIST SP 800-207 for Zero Trust architecture, align with PCI DSS Version 4.0 Requirement 8, and facilitate controls for SOX, HIPAA and GDPR regulations.
AD360 is positioned by ManageEngine as a single-console, unified identity platform designed to provide visibility and control over enterprise identity infrastructure. The platform offers automated lifecycle management, secure single sign-on (SSO), adaptive MFA, risk-based governance, auditing, compliance and identity analytics, with built-in integrations and support for custom connectors to fit into existing IT environments.
