GaryCutri
Copper Contributor
Jul 19, 2023

Remove access rights on suspicious accounts with the Admin SDHolder permission

Hi,

Can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS" but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying:


{ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}


Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users" but it is still marked as "To address".

Also, please note the "More Information" links do not point to any useful or specific information for this improvement action.

Thanks,

Gary

  • davidgoodfield
    Copper Contributor
    We are having the same issue. Still marked as 'To address' but under exposed entities it says 'No non-sensitive Admin SDHolder users'.
    • GaryCutri
      Copper Contributor
      Thanks for the feedback. It's been a week now and our tenants are still listed as "To address". We now have other "Defender for Identity" improvement actions that are completed but listed as "To address" (e.g. Remove dormant accounts from sensitive groups). It's clear that the Identity actions are not being updated and\reported correctly.
      • Daniel Naim
        Microsoft
        Thanks for surfacing it, this should be resolved in the upcoming MDI version (209).

        If that's not the case feel free to tag me again.
