Architecture
Adaxes is a standalone software solution that acts as a proxy between users and your Active Directory, Microsoft Entra ID, Exchange, and Microsoft 365. Native tools remain in place, so if you need to, you can always revert to using them and access your environment directly, the same way as before.
All the Adaxes magic, such as automation rules, approval-based workflows, role-based permissions, data standards enforcement, etc., is applied only when operations are executed through Adaxes. This means Adaxes can co-exist with other solutions like HR or payroll systems that directly interact with AD, Exchange, or Microsoft 365, without affecting these systems in any way.
No directory pollution
Adaxes does not pollute Active Directory or Microsoft Entra ID in any way. It doesn't store any of its data in your directory and tenant, doesn't change native permissions, and doesn't extend the schema.
Cross-domain management
Adaxes can manage as many domains as you need. Both Active Directory and Microsoft Entra domains are supported. In fact, Adaxes blurs the line between AD and Entra ID – objects scattered around different cloud tenants and different on-prem forests with no trust relationships can be managed from the same place in the same fashion. The same automation rules, approval workflows, scheduled tasks, etc. can be applied across your entire environment.
All operations in managed domains are executed via service accounts: a Windows service account for Active Directory and a Microsoft Entra application account for the cloud. This allows you to centrally delegate rights via Adaxes and enables users from one domain to perform operations in other, totally unrelated domains.
Load balancing and fault tolerance
You can set up multiple Adaxes service instances that share a common configuration. This enables you to distribute the load across multiple servers and provides a failsafe mechanism: if one Adaxes service goes down, others will be there to handle its workload. The same goes for the Web interface. Multiple instances can be placed behind a load balancer for an optimal browsing experience.
Extensibility
Adaxes doesn't limit you to just what's provided out-of-the-box. You can extend and customize the built-in functionality to exactly match the specific needs of your organization.
It is possible to supplement automated workflows with your own scripts to cover any scenario. On top of that, Adaxes has multiple APIs that enable you to create integrations with third-party software or develop custom clients for Adaxes. For more details, see Adaxes SDK.
Communication encryption
With Adaxes, there are no security compromises. All communications between the Adaxes service and Adaxes clients (Administration console, Web interface, etc.) always use an encrypted channel.
Security-sensitive communications between the Adaxes service and Active Directory use LDAPS or Kerberos encryption, and you have the option to enable LDAPS for all communications. Communications with other systems, such as Microsoft Entra ID, Exchange, and Microsoft 365, use encrypted channels at all times.
Secure public access
The Adaxes Web interface can be exposed to the Internet by placing it in the DMZ while having all other components installed in the internal network. To secure user access to the Web interface, you can enable SSL for all communication between the Web interface and the users' web browsers. Even if SSL is not enabled, all security-sensitive data sent by users to the Web interface is encrypted with 1024-bit RSA.
To prevent possible brute-force attacks on your directory through the publicly exposed Web interface, Adaxes provides a robust brute-force protection mechanism.