Guardz Cloud Directory Posture: Setup & Security Best Practices

Track the security posture and activity of users.

Updated this week

📌 Introduction

The Cloud Directory Posture is a critical security feature that continuously scans user activities, login patterns, and mailbox configurations across Google Workspace and Microsoft 365.

✅ Key Benefits:

  • 🔍 Detects abnormal login locations & suspicious mailbox rules.

  • 🛡️ Provides real-time security alerts for potential account takeovers.

  • 🚀 Serves as the foundation for multiple Guardz security controls.

📌 Available in: Starter, Pro, and Ultimate Plans

💡 First Time Setup?
Before using Cloud Directory Posture, you must integrate your cloud provider:


📌 Navigating Cloud Directory Posture in Guardz

🔹 Where to Find It

1️⃣ Log into Guardz.
2️⃣ Navigate to Security Controls > Cloud Directory Posture.
3️⃣ In this dashboard, you can:

  • View all integrated cloud applications.

  • See the number of active users.

  • Manage Approved Locations.

🔹 Single Customer View Features

In Single Customer view, you can:
✅ Change license allocations.
✅ Activate the "Approved Locations" tool.
✅ View and edit the list of Approved Locations.


📌 Approved Locations & Abnormal Logins

🔹 How Does Guardz Identify Suspicious Logins?

  • Guardz analyzes historical login data for 7 days to establish a normal login benchmark.

  • If a login occurs outside the approved norm, it is flagged as abnormal.

  • Abnormal logins help detect potential account compromise & unauthorized access.

🔹 Managing Approved Locations in Guardz

1️⃣ Go to Security Controls > Cloud Directory Posture.
2️⃣ Click Edit to modify Approved Locations.
3️⃣ Approved Locations are tracked by:

  • IP Addresses 📍

  • Countries 🌍

  • Cities 🏙️

💡 You can add or remove locations anytime to refine detection accuracy.

✅ Removing a location:

  • Logins from that location will no longer generate an issue.

  • Existing issues related to that location will be closed.

✅ Adding a location:

  • You can specify either an IP address or City/Country.

  • For broader control, add an IP range (e.g., 1.1.1.1/24) or allow an entire country.

🚨 Each newly added location requires a reason (system benchmark vs. admin approval).


📌 FAQ: Cloud Directory Security Insights

🔹 Why does an issue state “MFA Missing Member” even though MFA is enabled?
✅ Answer: The user may need to create a password specifically for MFA authentication.

🔹 How often does the MFA scan run?
✅ Answer: The scan runs every 2 hours, and immediately when new users are added within the tenant. If a user is deleted within the tenant, it can take up to 2 hours for the user to be removed within Guardz.

🔹 How does Guardz determine the benchmark for normal logins?
✅ Benchmark Rules:

  • Guardz pulls login activity from the last 7 days upon initial setup.

  • If a login occurs 3+ times from the same location, it becomes an approved benchmark location.

🔹 Why can’t I enable Audit Logs in Microsoft 365?
✅ Cause: Microsoft 365 Basic License does not support Audit Logs. You must upgrade to a higher-tier license.

🔹 How does Guardz classify suspicious login severity?
✅ Risk Level Criteria:

| Risk Level | Condition |
|---|---|
| 🔴 Critical | Admin user logs in from a high-risk country |
| 🟠 High | Login from a suspicious country OR Admin login from an unrecognized location |
| 🟡 Medium | Other detected anomalies (e.g., unusual devices) |
| 🔵 Info | If all detections meet a known security benchmark |

📌 Benchmarks that Reduce False Positives:
✔ User-Agent Consistency – If a user logs in 100+ times from the same User-Agent in 30 days, it is considered safe.
✔ Device Agent Matching – If a known device logs in from a known IP, it is marked safe.
✔ IP Reputation Score – If the IP’s reputation score is 0, it is safe.
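
The benchmark rule (3+ logins from one location in the 7-day look-back) and the risk table above can be reproduced offline to sanity-check alerts. This is an added sketch, not Guardz code: the field names, the placeholder country sets, tenant-wide counting, and treating every non-approved login as at least Medium are assumptions, and the Info row and the false-positive benchmarks are not modelled.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Placeholder country sets (constructed): the article does not list them.
HIGH_RISK = {"XA"}
SUSPICIOUS = {"XA", "XB"}

def login_event(day, country, city, ip, is_admin=False):
    """Constructed sample login record (field names are assumptions)."""
    return {"time": datetime(2024, 1, day), "country": country, "city": city,
            "ip": ip, "is_admin": is_admin}

def build_benchmark(history, setup_time, days=7, min_logins=3):
    """Locations with min_logins+ logins in the look-back window become approved."""
    cutoff = setup_time - timedelta(days=days)
    counts = Counter((e["country"], e["city"]) for e in history
                     if cutoff <= e["time"] <= setup_time)
    return {loc for loc, n in counts.items() if n >= min_logins}

def parse_ranges(entries):
    # strict=False accepts entries with host bits set, such as "1.1.1.1/24",
    # and normalises them to the enclosing network (1.1.1.0/24).
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def classify(event, benchmark, ranges):
    """Return None for an approved login, else a severity from the table."""
    ip = ipaddress.ip_address(event["ip"])
    if (event["country"], event["city"]) in benchmark or any(ip in n for n in ranges):
        return None
    if event["is_admin"] and event["country"] in HIGH_RISK:
        return "Critical"
    if event["country"] in SUSPICIOUS or event["is_admin"]:
        return "High"  # an admin reaching this line is at an unrecognized location
    return "Medium"

# Constructed history: three Austin logins, one Berlin login, setup on 8 Jan.
SETUP = datetime(2024, 1, 8)
HISTORY = [login_event(d, "US", "Austin", "198.51.100.7") for d in (2, 3, 5)]
HISTORY.append(login_event(6, "DE", "Berlin", "203.0.113.9"))

if __name__ == "__main__":
    bm = build_benchmark(HISTORY, SETUP)
    ranges = parse_ranges(["1.1.1.1/24"])
    for ev in (login_event(9, "US", "Austin", "198.51.100.7"),
               login_event(9, "DE", "Berlin", "1.1.1.200"),
               login_event(9, "DE", "Berlin", "203.0.113.9", is_admin=True),
               login_event(9, "XA", "Example City", "192.0.2.10", is_admin=True)):
        print(ev["ip"], ev["country"], classify(ev, bm, ranges))
```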


📌 Best Practices for Cloud Directory Security

✔ Regularly update Approved Locations to prevent unnecessary login alerts.
✔ Use Guardz MFA Enforcement to secure all accounts.
✔ Monitor login trends for potential account compromise attempts.
✔ Investigate & resolve abnormal login alerts quickly.

