Forum Discussion
Incorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi,
In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" secure score recommendation.
Based on the https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback.
On the Entra Connect server I ran the following:
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync
The result is: Password Hash Synchronization cloud configuration is enabled
If I remove the replication permission, we soon receive an alert that password hash sync did not occour.
Is it normal? I would say that the sensor should be able to detect PHS usage hence not recommending to remove the permissions.
Thank you in advance,
Daniel
Yes, Daniel, what you’re seeing is a known and valid behavior not a misconfiguration on your part. As of October 2025, Microsoft Secure Score occasionally flags the “Remove unnecessary replication permissions for Entra Connect AD DS Connector Account” recommendation incorrectly in hybrid identity setups where Password Hash Synchronization (PHS) is still active, even as a fallback to Pass-through Authentication (PTA).
Here’s why it happens. The Defender for Identity and Secure Score assessment logic looks at the directory permission assignments for the Entra Connect AD DS Connector Account, not at the actual synchronization mode in real time. Because your connector account still has the Replicating Directory Changes and Replicating Directory Changes All permissions which are required for PHS — the system assumes they’re unnecessary if it doesn’t explicitly detect that PHS is your primary method. When PTA is primary and PHS is secondary (enabled only as a fallback), Secure Score doesn’t always recognize that subtle configuration, so it marks it as a potential over-permissioned state.
In your test, you confirmed the correct behavior — when you remove replication rights, password hash synchronization fails. This means the permissions are indeed required in your environment. Microsoft’s documentation supports this: replication permissions must remain granted if PHS is enabled in any capacity, even just for fallback.
So yes, it’s normal to receive that alert under your setup. The recommendation is safe to ignore or mark as resolved with justification in Secure Score. Microsoft has acknowledged that the detection logic does not yet dynamically account for environments using both PTA and PHS in fallback mode.
Keep the replication permissions in place since PHS is still enabled, and document this in your Secure Score notes as a known false positive. Please hit like if you like the solution.
https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/choose-ad-authn
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#verify-password-hash-synchronization
2 Replies
Hi!
Thank you very much for the detailed explanation, it totally makes sense.
Yes, Daniel, what you’re seeing is a known and valid behavior not a misconfiguration on your part. As of October 2025, Microsoft Secure Score occasionally flags the “Remove unnecessary replication permissions for Entra Connect AD DS Connector Account” recommendation incorrectly in hybrid identity setups where Password Hash Synchronization (PHS) is still active, even as a fallback to Pass-through Authentication (PTA).
Here’s why it happens. The Defender for Identity and Secure Score assessment logic looks at the directory permission assignments for the Entra Connect AD DS Connector Account, not at the actual synchronization mode in real time. Because your connector account still has the Replicating Directory Changes and Replicating Directory Changes All permissions which are required for PHS — the system assumes they’re unnecessary if it doesn’t explicitly detect that PHS is your primary method. When PTA is primary and PHS is secondary (enabled only as a fallback), Secure Score doesn’t always recognize that subtle configuration, so it marks it as a potential over-permissioned state.
In your test, you confirmed the correct behavior — when you remove replication rights, password hash synchronization fails. This means the permissions are indeed required in your environment. Microsoft’s documentation supports this: replication permissions must remain granted if PHS is enabled in any capacity, even just for fallback.
So yes, it’s normal to receive that alert under your setup. The recommendation is safe to ignore or mark as resolved with justification in Secure Score. Microsoft has acknowledged that the detection logic does not yet dynamically account for environments using both PTA and PHS in fallback mode.
Keep the replication permissions in place since PHS is still enabled, and document this in your Secure Score notes as a known false positive. Please hit like if you like the solution.
https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/choose-ad-authn
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#verify-password-hash-synchronization
