Forum Discussion
Exclude account from secure score 'Remove non-admin accounts with DCSync permissions'
Did this work for you for the secure score metric? It's annoying me as well. Arian_van_der_Pijl
Well, unfortunately it doesn't seem to work. I excluded the MSOL_EntraSync account -> Exclude entities by detection rule -> Suspected DCSync attack (replication of directory services) but it still shows in the 'exposed entities' in Secure Score -> 'Remove non-admin accounts with DCSync permissions'.
So esatyaman, do you happen to have any further suggestions? Thanks in advance.
Because it's my test environment at home (on-premises) I shut it down when not in use but I guess I have waited long enough to conclude the results 🙂
Related:
Also the Secure Score for Identity Protection 'Remove the attribute 'password never expires' from accounts in your domain' does list several 'HealthMailbox-xxx' accounts as 'exposed entities'. Accounts are from local AD with local Exchange Servers. Can't find a matching exclusion either. But first at least trying to solve this exclusion 🙂
- esatyaman, Mar 08, 2024
Microsoft
Hi Arian,
The recommendations mentioned in the secure score under implementations need to be met in order to resolve this.
If all are met and you are still seeing this, please open a support ticket to Microsoft.
This is a recommendation for a good security posture rather than a security alert.
Ref: https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-non-admin-accounts-dcsync