Microsoft Tech Community

Remove access rights on suspicious accounts with the Admin SDHolder permission


Hi,

 

Can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS" but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying:


{ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}


Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users" but it is still marked as "To address".

 

Also please note the "More Information" links do not point to any useful or specific information for this improvement action.

 

Thanks,

 

Gary

4 Replies
We are having the same issue. Still marked as 'To address' but under exposed entities it says 'No non-sensitive Admin SDHolder users'.
Thanks for the feedback. It's been a week now and our tenants are still listed as "To address". We now have other "Defender for Identity" improvement actions that are completed but listed as "To address" (e.g. Remove dormant accounts from sensitive groups). It's clear that the Identity actions are not being updated and\reported correctly.
Thanks for surfacing it. This should be resolved in the upcoming MDI version (209).

If that's not the case feel free to tag me again.

@GaryCutri @davidgoodfield 

Can you please share with me your tenant details? Can do it over email.
daniel.naim@microsoft.com