Forum Discussion

kuglidani
Copper Contributor
Oct 02, 2025

Incorrect Secure Score recommendation - Remove unnecessary replication permissions

Hi,

In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" secure score recommendation.

Based on https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect, the replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback.

On the Entra Connect server I ran the following:

Import-Module ADSyncDiagnostics

Invoke-ADSyncDiagnostics -PasswordSync

The result is: Password Hash Synchronization cloud configuration is enabled

If I remove the replication permission, we soon receive an alert that password hash sync did not occur.

Is this normal? I would say that the sensor should be able to detect PHS usage and hence not recommend removing the permissions.

Thank you in advance,

Daniel
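The check described in the post, taken one step further, as an added example that is not part of the original post or of Microsoft's own guidance: it reads the PHS state from the Entra Connect configuration (tenant feature and per-connector setting) and then lists which of the replication extended rights the AD DS Connector account actually holds on the domain root, so the recommendation can be judged against what is configured. It assumes it is run elevated on the Entra Connect server with the ADSync and ActiveDirectory modules available, and that $ConnectorAccount is set to the real connector account; the 'CONTOSO\MSOL_0123456789ab' value is a placeholder, and the extended-right GUIDs are the well-known Active Directory values for the three "Replicating Directory Changes" rights.

```powershell
# Added example, not from the original post. Checks whether password hash sync
# is enabled for this Entra Connect installation and which replication rights
# the AD DS Connector account holds on the domain naming context.
# Assumptions: run elevated on the Entra Connect server; ADSync and
# ActiveDirectory modules present; $ConnectorAccount is the AD DS Connector
# account (the placeholder below must be replaced with the real one).
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab'   # placeholder
)

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Tenant-level (cloud) feature flag, the same thing the poster's
#    Invoke-ADSyncDiagnostics -PasswordSync output reports as enabled.
$feature = Get-ADSyncAADCompanyFeature
"PasswordHashSync (cloud feature): $($feature.PasswordHashSync)"

# 2. Per-connector PHS setting. A PTA tenant with PHS kept as a fallback
#    still shows Enabled = True here, which is the poster's situation.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
foreach ($connector in $adConnectors) {
    $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
    "Connector '$($connector.Name)': PHS enabled = $($cfg.Enabled)"
}

# 3. Replication extended rights on the domain root. These are the rights the
#    Secure Score recommendation asks to remove; PHS reads password hashes
#    through DRS replication and needs the first two.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$held = $acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $replicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object { $replicationRights[$_.ObjectType.ToString()] } |
    Sort-Object -Unique

"Replication rights held by $ConnectorAccount on $domainDN :"
if ($held) { $held | ForEach-Object { "  - $_" } } else { "  (none)" }

# Decision rule: if PHS is enabled on any connector, keep 'Replicating Directory
# Changes' and 'Replicating Directory Changes All' for this account; removing
# them is only safe when every PHS check above reports False.
```

Run it before, not after, acting on the recommendation: if step 2 reports Enabled = True on any connector, removing the two core replication rights will stop password hash sync, which matches the alert the post describes.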
