Enable Unconstrained Kerberos Delegation

Question

Hi there,&nbsp;By default the group ''Account Operators'' is often used, despite that Microsoft recommend it to keep it empty, but this group has wide permissions in the domain. All the users in Account Operators could enable the Unconstrained Kerberos Delegation on servers, because they are granted the GenericAll permission on these computer objects.&nbsp;I tried to find some additional information about it to see if ATA picks this up. I couldn't find it, but there could be a chance that I just overlooked it. So I was wondering if you guys would detect, when someone decided to turn this setting on?&nbsp;&nbsp;Here is the event log that will be generated.&nbsp;&nbsp;&nbsp;

eliofek · Answer

Deleted&nbsp;, as far as I know there is no such detection.
Tali Ash&nbsp;, Can you confirm?
&nbsp;
you can find a list of alert types in this link:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide
This is updated from time to time when we add more detections.

deleted · Answer

EliOfekDo you consider to add this detection rule to it?

eliofek · Answer

I will let&nbsp;Tali Ash&nbsp; comment on that as this is a product decision, and she might know if this is somewhere in the roadmap.

tali ash · Answer

Or Tsemah&nbsp;Can you please share with&nbsp;Deleted&nbsp;the relevant identity security posture reports?
Huy, what you are suggesting is covered by reports and not alerts, as it is more relevant for dangerous configurations in the environment,

or tsemah · Answer

Deleted&nbsp;I can confirm that this feature (Exposing which entity has an unsecure kerberos delegation such as Unconstrained or some variations of constrained\resource based delegations) is in private preview and i&nbsp;hope to share some information about its release soon.
If you would like to know more, you can contact me directly.

Forum Discussion

Enable Unconstrained Kerberos Delegation

Resources