Forum Discussion
Brian_Sutton
Aug 05, 2019 Copper Contributor
AD Connect MSOL_ User + Suspected DCSync Attack
We use AD Connect in order to replicate our on premise AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect applicatio...
EliOfek
Microsoft
Aug 05, 2019
Brian_Sutton Yes it is, you should exclude the account or the machine from this alert for now.
(Until we have some news on this; we are working on a feature around this case, but it will take time to see results ...)
Brian_Sutton
Aug 05, 2019 Copper Contributor
EliOfek How do I exclude this account/machine from this alert? I only see an option to Close the alert or to Suppress it (resumes after 7 days). Thanks!
- EliOfek Aug 05, 2019
Microsoft
Brian_Sutton Go to the configuration section, into the exclusions tab.
- kristofvm Jun 15, 2020 Copper Contributor
EliOfek How do we do this in MCAS as all ATP exclusions are now greyed out?!
The DCSync pre-configured policy doesn't seem to have an exclusion option. How should the AADConnect server be tagged to be excluded from the default Suspected DCSync attack (replication of directory services) policy?
- Michael Platt Oct 26, 2020 Brass Contributor
Looking where to exclude.