cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Microsoft Security Advisory 4056318

%3CLINGO-SUB%20id%3D%22lingo-sub-148999%22%20slang%3D%22en-US%22%3EMicrosoft%20Security%20Advisory%204056318%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148999%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20posted%20this%20advisory%20in%20the%20Office%20365%20Admin%20message%20center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsecurity-updates%2Fsecurityadvisories%2F2017%2F4056318%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsecurity-updates%2Fsecurityadvisories%2F2017%2F4056318%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20advisory%20wants%20customers%20with%20AAD%20Connect%20older%20than%201.1.654.0%20to%20restrict%20the%20AD%20DS%20account%20used%20in%20AAD%20Connect.%20However%2C%20halfway%20in%20the%20article%2C%20Microsoft%20advises%20that%20this%20AD%20DS%20account%20be%20made%20a%20member%20of%20Enterprise%20Admins%2C%20Domain%20Admins%20and%20other%20groups%20with%20elevated%20privileges.%3C%2FP%3E%0A%3CP%3EVery%20confusing.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELooking%20for%20feedback%2Fguidance%20from%20this%20group.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-148999%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-149283%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Security%20Advisory%204056318%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-149283%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bfor%20these%20references!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-149108%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Security%20Advisory%204056318%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-149108%22%20slang%3D%22en-US%22%3E%3CP%3EWhich%20part%20of%20the%20article%20are%20you%20referring%20to%3F%20The%20steps%20in%20the%20%3CSTRONG%3ELock%20down%20access%20to%20the%20AD%20DS%20account%3C%2FSTRONG%3E%26nbsp%3Bsection%20detail%20which%20objects%20will%20have%20permission%20ON%20the%20account%2C%20not%20to%20which%20group%20it%20needs%20to%20belong.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFellow%20MVPs%20have%20posted%20some%20more%20detailed%20instructions%20on%20how%20this%20should%26nbsp%3Bbe%20applied%3A%20%3CA%20href%3D%22http%3A%2F%2Fwww.expta.com%2F2017%2F12%2Fsecure-aad-connect-new-build-116540-and.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.expta.com%2F2017%2F12%2Fsecure-aad-connect-new-build-116540-and.html%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fpractical365.com%2Fblog%2Fmicrosoft-releases-advisory-for-azure-ad-connect-service-account-security-risk%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fpractical365.com%2Fblog%2Fmicrosoft-releases-advisory-for-azure-ad-connect-service-account-security-risk%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Emy Loanzon
Contributor

‎01-25-2018 01:33 PM - last edited on ‎07-27-2020 06:27 PM by

‎01-25-2018 01:33 PM - last edited on ‎07-27-2020 06:27 PM by

Microsoft Security Advisory 4056318

Microsoft posted this advisory in the Office 365 Admin message center.

 

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4056318

 

The advisory wants customers with AAD Connect older than 1.1.654.0 to restrict the AD DS account used in AAD Connect. However, halfway in the article, Microsoft advises that this AD DS account be made a member of Enterprise Admins, Domain Admins and other groups with elevated privileges.

Very confusing.

 

Looking for feedback/guidance from this group.

 

Thank you.

 

Labels:
283 Views
0 Likes
2 Replies
Reply
2 Replies
Best Response confirmed by Emy Loanzon (Contributor)
Vasil Michev

‎01-26-2018 12:19 AM

‎01-26-2018 12:19 AM

Solution

Re: Microsoft Security Advisory 4056318

Which part of the article are you referring to? The steps in the Lock down access to the AD DS account section detail which objects will have permission ON the account, not to which group it needs to belong.

 

Fellow MVPs have posted some more detailed instructions on how this should be applied: http://www.expta.com/2017/12/secure-aad-connect-new-build-116540-and.html

https://practical365.com/blog/microsoft-releases-advisory-for-azure-ad-connect-service-account-secur...

0 Likes
Reply
Emy Loanzon

‎01-26-2018 10:11 AM

‎01-26-2018 10:11 AM

Re: Microsoft Security Advisory 4056318

Thank you @Vasil Michev for these references!

0 Likes
Reply