Forum Discussion
Exclude account from secure score 'Remove non-admin accounts with DCSync permissions'
Have you tried to exclude entities based on specific detection rules? This will allow you to exclude users/devices/IPs for a particular detection rule or alert type in MDI.
Please navigate to security.microsoft.com > Settings > Identities > Exclusions by detection rule.
- Arian_van_der_Pijl, Feb 29, 2024, Iron Contributor
Hi esatyaman, thanks for the reply. I failed earlier to match the 'Remove non-admin accounts with DCSync permissions' with 'Suspected DCSync attack (replication of directory services)' as you pointed out. I did enable the exclusion and will wait (and report) if this is the exclusion that works. (And removed the user from 'Global excluded entities'.)
Thanks!
- Aeuwha, Mar 06, 2024, Copper Contributor
Did this work for you for the secure score metric? It's annoying me as well. Arian_van_der_Pijl
- Arian_van_der_Pijl, Mar 07, 2024, Iron Contributor
Well, unfortunately it doesn't seem to work. I excluded the MSOL_EntraSync account -> Exclude entities by detection rule -> Suspected DCSync attack (replication of directory services) but it still shows in the 'exposed entities' in Secure Score -> 'Remove non-admin accounts with DCSync permissions'.
So esatyaman, do you happen to have any further suggestions? Thanks in advance. Because it's my test environment at home (on-premises) I shut it down when not in use, but I guess I have waited long enough to conclude the results 🙂
Related:
Also the Secure Score for Identity Protection 'Remove the attribute 'password never expires' from accounts in your domain' does list several 'HealthMailbox-xxx' accounts as 'exposed entities'. Accounts are from local AD with local Exchange Servers. Can't find a matching exclusion either. But first at least trying to solve this exclusion 🙂
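To see which principals actually hold DCSync-capable replication rights on the domain head (the permission the 'Remove non-admin accounts with DCSync permissions' recommendation is named after), here is an added example that is not from this thread or from Microsoft; it assumes the ActiveDirectory RSAT module, read access to the domain object's security descriptor, and that the list of expected holders below matches your environment. It approximates the recommendation locally rather than reproducing Secure Score's exact logic.

```powershell
# Added example (not from the thread): list principals with DCSync-capable
# rights on the domain naming context. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Extended rights used by directory replication (well-known GUIDs).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllRightsGuid = '00000000-0000-0000-0000-000000000000'   # ACE covering every extended right

# Principals expected to hold these rights (assumption: adjust for your domain).
$ExpectedHolders = @('Domain Controllers', 'Enterprise Domain Controllers',
                     'Enterprise Read-only Domain Controllers', 'Administrators',
                     'Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-DCSyncRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object {
            $guid = $_.ObjectType.ToString()
            $_.AccessControlType -eq 'Allow' -and
            # GenericAll also contains the ExtendedRight bit, so it is caught here too.
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($ReplicationRights.ContainsKey($guid) -or $guid -eq $AllRightsGuid)
        } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            $name = $_.IdentityReference.Value
            [pscustomobject]@{
                Identity = $name
                Right    = if ($guid -eq $AllRightsGuid) { 'All extended rights' } else { $ReplicationRights[$guid] }
                Expected = ($ExpectedHolders -contains ($name -replace '^.*\\', ''))
            }
        } | Sort-Object Identity, Right
}

# Rows with Expected = False are the ones to review, e.g. an Entra Connect
# sync account (MSOL_xxx), which needs these rights for password hash sync.
Get-DCSyncRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it on a domain-joined host as a user allowed to read the domain object's ACL; an account listed here will keep appearing as an exposed entity until the right is removed, regardless of MDI detection-rule exclusions.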