Exclude account from secure score 'Remove non-admin accounts with DCSync permissions'

I do (I think :)) have a legit MSOL_522f75393cfe account which needs the DCSync permissions (Entra Connect), so how can I exclude this account from being detected by this rule?


I can find some 'exceptions';
Microsoft Defender | Settings | Identities | Actions and exclusions | Global excluded entities
https://security.microsoft.com/settings/identities?tabid=globalExclude&tid=e681ca77-e7ac-448f-b649-6... 

I put the account there so it has the 'Exclude entities from all detection rules' option.

Is this the only way (I prefer not to exclude the account entirely, but only add an exception for this detection) to exclude an account?

5 Replies

Hi @Arian_van_der_Pijl,

Have you tried to exclude entities based on specific detection rules? This will allow you to exclude users/devices/IPs for a particular detection rule or alert type in MDI.

Please navigate to security.microsoft.com > Settings > Identities > Exclusions by detection rule.

Hi @esatyaman thanks for the reply. I failed earlier to match the 'Remove non-admin accounts with DCSync permissions' with 'Suspected DCSync attack (replication of directory services)' as you pointed out. I did enable the exclusion and will wait (and report) if this is the exclusion that works. (and removed the user from 'Global excluded entities')
Thanks!

Did this work for you for the secure score metric? It's annoying me as well. @Arian_van_der_Pijl

Well, unfortunately it doesn't seem to work. I excluded the MSOL_EntraSync account -> Exclude entities by detection rule -> Suspected DCSync attack (replication of directory services) but it still shows in the 'exposed entities' in Secure Score -> 'Remove non-admin accounts with DCSync permissions'.
So @esatyaman do you happen to have any further suggestions? thanks in advance.

Because it's my test environment at home (on-premises) I shut it down when not in use but I guess I have waited long enough to conclude the results 🙂


Related:
Also the Secure Score for Identity Protection recommendation 'Remove the attribute 'password never expires' from accounts in your domain' lists several 'HealthMailbox-xxx' accounts as 'exposed entities'. The accounts are from local AD with local Exchange Servers. Can't find a matching exclusion either. But first at least trying to solve this exclusion 🙂

Hi Arian,

The recommendations mentioned in the secure score under implementations need to be met in order to resolve this.
If all are met and you are still seeing this, please open a support ticket to Microsoft.

This is a recommendation for a good security posture rather than a security alert.

Ref: https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-non-admin-accounts-dcsyn...
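To see which principals the assessment is actually reporting on, the replication extended rights on the domain naming context can be listed directly. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module and a domain-joined session, and the `$expectedHolders` allow-list is a constructed starting point, not the assessment's own list.

```powershell
# Added example: enumerate every principal holding a DCSync-related extended
# right on the domain root, then show the ones that are not on a local
# allow-list of built-in holders. Assumes the ActiveDirectory module is present.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that together permit directory replication.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncRightHolders {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $replicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $replicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

# Constructed allow-list (assumption): built-in principals that normally hold
# these rights. Adjust to your environment; anything else is what the
# "Remove non-admin accounts with DCSync permissions" assessment will surface,
# such as the MSOL_ Entra Connect account discussed in the thread.
$expectedHolders = @(
    'Administrators', 'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS',
    'Enterprise Read-only Domain Controllers', 'Domain Admins', 'Enterprise Admins'
)

Get-DcSyncRightHolders |
    Where-Object { ($_.Identity -split '\\')[-1] -notin $expectedHolders } |
    Sort-Object Identity, Right |
    Format-Table -AutoSize
```

Reviewing this output against the exposed entities in Secure Score shows whether the MSOL_ account is the only non-built-in holder, which is the state the recommendation expects you to justify or remediate.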