Forum Discussion
Brian_Sutton
Aug 05, 2019Copper Contributor
AD Connect MSOL_ User + Suspected DCSync Attack
We use AD Connect in order to replicate our on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect applicatio...
kristofvm
Jun 15, 2020Copper Contributor
EliOfek How do we do this in MCAS as all ATP exclusions are now greyed out?!
The DCSync pre-configured policy doesn't seem to have an exclusion option. How should the AADConnect server be tagged to be excluded from the default Suspected DCSync attack (replication of directory services) policy ?
Daniel Naim
Microsoft
Jun 17, 2020
Hi,
From your message I am not sure whether it's not available in MCAS or in AATP. you can either change the setting in AATP if the MCAS is disabled or vice versa - but not both.
There are some customers who are part of our preview program for AATP alert policies in AATP. Once the preview program is completed we will move the experience to MCAS, but until then you should use the AATP portal for that.
- Michael PlattOct 26, 2020Brass Contributor
Daniel Naim I can't find this exclusion in both systems. Please help.
- Daniel NaimOct 28, 2020
Microsoft
Michael Platt What does Setting > Exclusions shows you?