Activate V7 and older were based on the assumption that access to the web portal was from a Trusted Network.  Activate V7 and older used Activate Anywhere as an application proxy to implement internet facing security features. 

Activate V8 is based on the concept of 'Zero Trust Security'. This means that no one is trusted by default from inside or outside the network.

The main portal now implements security features that are normally seen on internet facing web sites. These security features are based on current industry best practices.

Activate V8 is SSL only and allow communications must be over a secure SSL connection. Any connections to HTTP are automatically redirected to HTTPS.

All cookies are marked with appropriate same-site settings, secure and 'http only' settings.

The Default Content Security Policy prevents cross-site scripting and loading of malicious content. The default policy prevents the site being loaded into an iframe to protect against clickjacking style attacks. The default policy also defines the minimum requirements for Activate to operate. Removing existing default rights will break functionality.

The Default Content Security Policy can be changed at //Resources/Configuration/Web/ContentSecurityPolicy.

This guide may be useful if changing this: 

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

All content is encoded and checked for XSS style attacks.

Cross-Site Request Forgery (XSRF or CSRF)

A comprehensive cross site anti forgery mechanism based on .NET 6 is implemented by default. 

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-6.0

This is required for Forms and Windows authentication.

The following headers are added by default to all installations. This provides industry best practice security. 

https://infosec.mozilla.org/guidelines/web_security#x-frame-options

Activate Anywhere is an application proxy and supported in V8. This has been rewritten to provide even high performance and security. 

This generates an industry standard JWT token that is used to authenticate directly with the main Activate Portal.

The main portal can be published directly to the internet (or via an application  gateway), if authorization is done using Azure OAuth.

Activate V8 will now verify that the contents of the file match the file extension. For example, a user trying to upload an executable file by renaming it to .zip would no longer work.

V8 SQL Connection Changes

V8 Web Security

Microsoft’s cloud platform providing infrastructure, networking, storage, and application services. In Activate, it’s used as the hosting environment or for integration with Microsoft 365 and Entra ID services.

Azure

DotNetVersion

Microsoft Entra Connect (formerly Azure AD Connect) is a tool that syncs on-premises Active Directory identities with Microsoft Entra ID, enabling hybrid identity and seamless access to cloud resources.

Microsoft_Entra_Connect

Active Directory (AD) is Microsoft’s directory service that stores and manages user accounts, devices, and permissions, enabling secure authentication and centralized access control within a Windows network.

Active_Directory

ActivateJobService

ActivateAdministrator

SupportedPowerShellVersions

SupportedOSVersions

SupportedSQLVersions

Name that identifies the instance of Activate.  This is only used by Administrators and isn't displayed to end users.

instance_name

An installation type of Activate where there is no local domain connection, all authentication, authorisation and identity management is handled by Entra ID.

Cloud_Only

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft’s cloud-based identity and access management service, providing secure authentication, user lifecycle management, and access control for Microsoft 365 and other apps.

Microsoft_Entra_ID

A software switch that enables or disables functionality at runtime without redeploying code. In Activate, they are configured under //Resources/Configuration/FeatureFlags.

feature_flag

Microsoft module for managing Exchange Online, using modern authentication and REST API–based cmdlets for faster, more reliable automation of mailboxes, compliance, and organisation settings.

EXO_V3_PowerShell_Module

An Organizational Unit (OU) is a container in Active Directory used to organise users, groups, computers, and other objects within a domain. OUs help structure resources logically and apply group policies for easier management and administration.

A User Type is a template in Activate that defines rules, attributes, and behaviours for a category of users (e.g., Employee, Contractor), ensuring consistent user account setup and configuration.

User_Type

A resource object in Activate representing a physical or virtual Exchange Server

Exchange_Server_Resource

Defines the object type that the resource will emulate or operate as.

Class_parameter

Clonesthe selected inherited parameter to make a local copy to override the value

Override

Runs the Activate Provisioning Server and performs actions across target systems.

Orchestrator_Account

A complete, immutable log of identity-related events, including provisioning actions, access approvals, and policy evaluations.

Audit_Trail

An integration module that enables Activate to read/write data from external systems (e.g., provisioning accounts in Azure AD).

Connector

A periodic process where managers or data owners validate that users still require their existing access — critical for compliance.

Access_Certification_and_Review

A user-initiated process to gain access to new systems or roles, often requiring manager or system owner approval.

Access_Request

Any downstream application or service where identities need access (e.g., Active Directory, Okta, Salesforce).

Target_System

The authoritative system from which identity data is imported (e.g., HRIS like Workday or SAP SuccessFactors).

Identity_Source

An access control model that uses user, resource, or environment attributes (e.g., department = "HR", location = "US") to make access decisions dynamically.

ABAC_Attribute-Based_Access_Control

An access control model where users receive permissions based on assigned roles. This model helps enforce least privilege.

RBAC_Role-Based_Access_Control

A collection of entitlements assigned based on a user’s job function or department. Roles simplify access management and are often tied to policies (e.g., "Finance Analyst Role").

Role

A specific access right or permission within a system (e.g., "Read-only access to Salesforce Reports"). Entitlements can be grouped into roles.

Entitlement

The removal or disabling of user accounts and access when they are no longer required — for example, when an employee leaves the organization.

Deprovisioning

The automated process of creating accounts and granting access to systems or applications based on a user’s role or attributes.

Provisioning

A digital representation of a user (employee, contractor, service account, etc.) within an organization. Each identity is typically linked to a unique identifier, such as an email address or employee ID.

Identity

This is the process of bringing on a new user

Onboarding

Hierarchical Role-Based Provisioning automates user access by assigning roles based on organisational structure, ensuring users inherit the correct permissions and resources aligned to their position or function.

Hierarchical_Role-Based_Provisioning

A group email address that automatically forwards messages to all its members, allowing you to send emails to multiple recipients at once.

Distribution_List

An expression is a conditional statement using Activate expression syntax.

expression

AzureProductName

V8 Upgrade File Parameters Showing As Invalid

Activate Knowledge Centre

For Engineers

For Architects

For Service Desk

For C-Suite and Decision Makers

For Partners & Analysts

Welcome to Activate Knowledge Centre

What is Activate?

Key terms

System Overview