Using MCAS to track down unconstrained delegation


Just wondering if anyone has had any success using MCAS to track down where unconstrained delegation is used, as the first step in figuring out how to unravel it by transitioning to constrained delegation?


Ultimately what I am seeking is a mapping of what accounts/principals are impersonating other identities to other services.


The Active Directory app data (from Azure ATP) has at least some of this information as "Resource Access" events, and by sorting through them it is possible to identify unconstrained delegation access in the "Activity Objects". The field is "IsResourceAccountTrustedForUnconstrainedDelegation: True".


Challenges that I am facing:

1. There is no way to filter for IsResourceAccountTrustedForUnconstrainedDelegation == True, at least not that I can figure out.

2. The MCAS PS module doesn't appear to be able to search on this logic either.

3. Exporting data from the MCAS UI does not include the activity objects field.


So, overall it's really great to have this data available, but it's really stifling to not be able to extract it when there are thousands of records that need to be summarised.


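One way to do the summarisation the post asks for offline, as an added example that is not the MCAS PowerShell module or any Microsoft code: parse an exported set of resource-access records, keep those whose activity objects carry the IsResourceAccountTrustedForUnconstrainedDelegation flag, and map each such resource to the accounts that authenticated to it. The export schema (actor, resource and activityObjects keys) and the sample records are assumptions constructed for illustration.

```python
"""Summarise resource-access records for unconstrained delegation exposure.

Assumed (constructed) export schema: each record has "actor" (the accessing
account), "resource" (the service accessed) and "activityObjects", a list of
dicts in which the resource account object carries the flag
"IsResourceAccountTrustedForUnconstrainedDelegation".
"""
import json
from collections import defaultdict

FLAG = "IsResourceAccountTrustedForUnconstrainedDelegation"

# Constructed sample export (not real data). The flag appears both as the
# string "True" seen in the activity objects and as a native boolean.
SAMPLE_EXPORT = json.dumps([
    {"actor": "CONTOSO\\alice", "resource": "web01.contoso.local",
     "activityObjects": [{"name": "alice", "type": "User"},
                         {"name": "web01", "type": "Computer", FLAG: "True"}]},
    {"actor": "CONTOSO\\bob", "resource": "web01.contoso.local",
     "activityObjects": [{"name": "web01", "type": "Computer", FLAG: True}]},
    {"actor": "CONTOSO\\alice", "resource": "files01.contoso.local",
     "activityObjects": [{"name": "files01", "type": "Computer", FLAG: "False"}]},
    {"actor": "CONTOSO\\svc_sql", "resource": "app02.contoso.local",
     "activityObjects": [{"name": "app02", "type": "Computer", FLAG: "True"}]},
])


def flag_is_true(value) -> bool:
    """Accept both the string 'True' (any case) and a boolean True."""
    return value is True or str(value).strip().lower() == "true"


def is_unconstrained(record: dict) -> bool:
    """True if any activity object in the record carries the delegation flag set."""
    return any(flag_is_true(obj.get(FLAG)) for obj in record.get("activityObjects", []))


def delegation_map(records: list) -> dict:
    """Map each resource trusted for unconstrained delegation to the sorted set of
    accounts that authenticated to it, i.e. whose tickets that host could reuse."""
    exposure = defaultdict(set)
    for rec in records:
        if is_unconstrained(rec):
            exposure[rec["resource"]].add(rec["actor"])
    return {res: sorted(accts) for res, accts in sorted(exposure.items())}


def summarise(export_json: str) -> dict:
    """Parse a JSON export and return the resource -> accounts mapping."""
    return delegation_map(json.loads(export_json))


if __name__ == "__main__":
    for resource, accounts in summarise(SAMPLE_EXPORT).items():
        print(f"{resource}: {', '.join(accounts)}")
```

The resulting list is the inventory to work through when moving each host from unconstrained to constrained delegation, since it shows which accounts are currently exposed to each one.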