You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This article describes Microsoft Defender for Identity's Microsoft Entra Connect accounts unsafe permissions security posture assessment report.
18
+
19
+
> [!NOTE]
20
+
> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services and Sign on method as part of Microsoft Entra Connect configuration is set to single sign-on and the SSO computer account exists. Learn more about Microsoft Entra seamless sign-on **[here](/entra/identity/hybrid/connect/how-to-connect-sso)**.
21
+
22
+
## How can unsafe permissions on Entra Connect accounts expose your hybrid identity to risk?
23
+
24
+
Entra Connect accounts like AD DS Connector account (also known as MSOL_) and Entra Seamless SSO computer account (AZUREADSSOACC) have powerful privileges, including replication and password reset rights. If these accounts are granted unsafe permissions, attackers could exploit them to gain unauthorized access, escalate privileges, or take control of hybrid identity infrastructure. This could lead to account takeovers, unauthorized directory modifications, and a broader compromise of both on-premises and cloud environments.
25
+
26
+
## How do I use this security assessment to improve my hybrid organizational security posture?
27
+
28
+
1. Review the recommended action at[https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove unsafe permissions on sensitive Entra Connect accounts.
29
+
30
+
1. Review the list of exposed entities to identify accounts with unsafe permissions. For example:
31
+
32
+
If you click on "Click to expend" you can find more details about the granted permissions. For example:
33
+
34
+
35
+
1. For each exposed account, remove problematic permissions that allow unprivileged accounts to takeover critical hybrid assets. In the example below, you can see an AD DS Connector account with problematic permissions that need to be removed.
36
+
37
+
38
+
> [!NOTE]
39
+
> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
40
+
41
+
## Next steps
42
+
43
+
-[Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
44
+
45
+
-[Learn more about Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
0 commit comments