ATPDocs/service-account-discovery.md
+7 -5 (7 additions & 5 deletions)
@@ -11,14 +11,14 @@ ms.date: 03/25/2025
11
11
12
12
Service accounts are specialized identities within Active Directory used to run applications, services, and automated tasks. These accounts often require elevated privileges to perform their designated job. However, because they can't authenticate in the same way as human accounts, they typically don't benefit from the increased security of modern authentication methods like MFA (multifactor authentication). Given their potential elevated privilege and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they don't become a security vulnerability.
13
13
14
-
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
15
-
16
14
Service accounts can be broadly classified into several types, including:
17
15
18
16
- gMSA (Group Managed Service Accounts): gMSAs provide a single identity solution for multiple services that require mutual authentication across multiple servers, as they allow Windows to handle password management, reducing administrative overhead.
19
17
- sMSA (Managed Service Accounts): Designed for individual services on a single server rather than groups.
20
18
- User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
21
19
20
+
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
21
+
22
22
> [!NOTE]
23
23
> Service account tags are exposed within the Identity Info table within Advanced Hunting.
24
24
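Review bot: The relocated auto discovery paragraph says user accounts are classified as service accounts when they "meet specific criteria", but it never states or links those criteria, so someone reviewing the inventory cannot tell why a given user account was tagged. Consider listing the criteria or linking to where they are defined. Moving the paragraph below the list is a good change, since gMSA and sMSA are now defined before they are used; in the unchanged list item, "sMSA (Managed Service Accounts)" still does not expand the "s".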
@@ -44,7 +44,6 @@ There are several options you can choose from to customize the identities list v
44
44
45
45
### Service account details
46
46
47
-
48
47
- Total: The total number of service accounts listed.
49
48
50
49
- Managed: The total number of service accounts that are gMSA (Group Managed Service Accounts) or sMSA (Managed Service Accounts)
@@ -66,8 +65,8 @@ You can use the sort and filter functionality on each service account tab to get
66
65
- Tags: Sensitive or Honey Token
67
66
- Auth protocols: Lists the available methods for verifying user identities, for example, Kerberos and NTLM (New Technology LAN Manager).
68
67
- Sources: The number of potential source logins.
69
-
- Destinations: The number of destinations the service account tried to access, such as a Domain Controller or remote desktop session.
70
-
- Connections: The number of connections made by the service account.
68
+
- Destinations: When a service account is trying to access a destination server, the request is directed to the target system, which can include a number of resources on that server. These resources might be a database, a file server, or other services hosted on the server.
69
+
- Connections: The number of unique connections made between sources and destinations.
71
70
- Created: The timestamp when the service account was first created.
72
71
- Last updated: The timestamp of the most recent update to the service account.
73
72
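Review bot: The new "Destinations" bullet no longer says what the column displays. The removed text gave it as a count ("The number of destinations the service account tried to access"), and the neighbouring Sources and Connections bullets still describe numbers, but the replacement only explains what happens when a destination server is accessed. Suggest leading with the value and then the explanation, for example "Destinations: The number of destination servers the service account tried to access. A destination can include several resources on that server, such as a database or a file server."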
@@ -91,6 +90,9 @@ When you investigate a specific Service account, you'll see the following detail
91
90
|Count | How many sign in events occurred over this connection in the last 180 days.
92
91
Last seen | The date and time of the most recent sign in event over this connection. |
93
92
93
+
:::image type="content" source="media/Screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page" lightbox="media/Screenshot-of-the-connections-page.png":::
94
+
95
+
94
96
For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths**, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details)
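Review bot: The alt-text on the added image, "Screenshot of the connections page", only repeats the file name and does not tell a screen-reader user what the page shows. Describe the content instead, for instance that it shows a service account's connections with the Count and Last seen columns from the table above. Two of the three added lines appear to be blank; one blank line after the image is enough. In the unchanged line that follows, "**Incidents and alerts**,**Observed in organization**" is missing a space after the comma.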
ATPDocs/whats-new.md
+1 -1 (1 addition & 1 deletion)
@@ -33,7 +33,7 @@ This update provides:
33
33
34
34
- Automatic identification of Group Managed Service Accounts, Managed Service Accounts, and user accounts operating as service accounts.
35
35
36
-
- A centralized Service Accounts inventory, displaying key attributes like account type, authentication activity, privileges, and criticality.
36
+
- A centralized Service Accounts inventory, displaying key attributes like account type, authentication type, unique connections, last log-on, service class and criticality.
37
37
38
38
For more information, see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md)
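Review bot: On the added line, "last log-on" does not match the wording in service-account-discovery.md, which uses "sign in events" and "Last seen" for the same data; pick the term the inventory page actually shows. The list also ends "service class and criticality" without the serial comma that the bullet above it uses ("Managed Service Accounts, and user accounts"). "Privileges" was dropped from the attribute list; confirm that is intended and not an accidental loss.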