Forum Discussion

Brian_Sutton's avatar
Brian_Sutton
Copper Contributor
Aug 05, 2019

AD Connect MSOL_ User + Suspected DCSync Attack

We use AD Connect in order to replicate our on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect applicatio...
Brian_Sutton's avatar
Brian_Sutton
Copper Contributor
Aug 05, 2019

EliOfek How do I exclude this account/machine from this alert?  I only see an option to Close the alert or to Suppress it (resumes after 7 days).  Thanks!

EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Aug 05, 2019

Brian_Sutton Go to the configuration section , into the exclusions tab.

  • kristofvm's avatar
    kristofvm
    Copper Contributor
    Jun 15, 2020

    EliOfek How do we do this in MCAS as all ATP exclusions are now greyed out?!

     

    The DCSync pre-configured policy doesn't seem to have an exclusion option. How should the AADConnect server be tagged to be excluded from the default Suspected DCSync attack (replication of directory services) policy ?

    • Michael Platt's avatar
      Michael Platt
      Brass Contributor
      Oct 26, 2020
      Looking where to exclude.
    • Daniel Naim's avatar
      Daniel Naim
      Icon for Microsoft rankMicrosoft
      Jun 17, 2020

      kristofvm 

       

      Hi,

      From your message I am not sure whether it's not available in MCAS or in AATP. you can either change the setting in AATP if the MCAS is disabled or vice versa - but not both.

       

      There are some customers who are part of our preview program for AATP alert policies in AATP. Once the preview program is completed we will move the experience to MCAS, but until then you should use the AATP portal for that.

      • Michael Platt's avatar
        Michael Platt
        Brass Contributor
        Oct 26, 2020

        Daniel Naim I can't find this exclusion in both systems.  Please help.

Resources