Forum Discussion
starman2heven
Oct 25, 2024, Brass Contributor
Secure Score "this account is sensitive and cannot be delegated"
Hi
In Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts.
How do I complete this recommended action and get rid of the computer accounts detected?
- Champ14-1020, Copper Contributor
Hi,
From our end it is also the same: the Domain Controllers and ADFS appear in the list.
- energyjohny, Copper Contributor
Same here: Domain Controller, Exchange and the AzureADKerberos account still show up in the list.
LiorShapira any news on this topic?
- starman2heven, Brass Contributor
@LiorShapira Could you please share any update with the community?
My case has been open since 15-Oct-2024 and is still unresolved; basically MS support is clueless.
- starman2heven, Brass Contributor
LiorShapira My tenant still has not changed: in exposed entities I still see my DCs, Exchange and DHCP servers. In the implementation tab I cannot see any change, and the learn more link points to this https://go.microsoft.com/fwlink/?linkid=2283220
- LiorShapira, Microsoft
starman2heven Could you please check again? We've updated the recommendation title to "Ensure privileged accounts are not delegated". The deployment ended yesterday (except for the United States environment, which will take a couple of days). At the moment we have excluded DCs only; ADFS, Exchange servers and Certificate servers will be excluded by Nov 20.
- RohanBondalapati, Copper Contributor
For us also DHCP is still showing in the list. Can you please provide an update on this?
- kjagi, Copper Contributor
Any advice on what kind of servers it is safe or not safe to enable this setting on?
- starman2heven, Brass Contributor
Servers that have been automatically tagged as "Sensitive" due to the roles installed on them, like Domain Controller, Certificate Authority.
- micheleariis, Steel Contributor
starman2heven To do this on a “computer” object:
# Sets the "account is sensitive and cannot be delegated" flag (userAccountControl NOT_DELEGATED) on the computer object
Set-ADComputer -Identity "dc1" -AccountNotDelegated $true
- Sblackery, Copper Contributor
micheleariis The issue that many people are having with this is not so much HOW to do this but whether it's acceptable to do it.
The accepted wisdom for a long time now has been that you do NOT disable delegation on your DC computer accounts, that doing so will, in fact, degrade your domain functions, as domain services running on a DC rely on being able to delegate via the DC computer account to other servers in the domain.
But this Secure Score requirement is requiring that the DC computer account delegation be removed.
Frustratingly, all the official documentation on this, including the MS Learn article specifically about this Secure Score requirement, completely ignores the computer accounts. The Learn article even shows computer accounts listed in its example screenshot and then completely ignores them and only instructs on how to resolve delegation of sensitive USER accounts.
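The two posts above raise both halves of the problem: how to set the flag and on which objects it is acceptable to set it. The script below is an added example (not code from the thread or from Microsoft) that keeps those halves apart. It sets the flag, behind `-WhatIf`, only on privileged user accounts, which is what the implementation instructions cover, and for computer accounts it only reports which ones lack the flag and which of them are domain controllers, so nothing touches the DC computer accounts the thread warns about. It assumes the ActiveDirectory RSAT module and a default set of privileged group names; adjust the group list to your own tiering model.

```powershell
# Added example: audit the NOT_DELEGATED flag on privileged users and on server computer accounts.
# Assumptions: ActiveDirectory module available; the group list below is a default-domain guess.
Import-Module ActiveDirectory

# Groups treated as "privileged" for this audit (assumption; adjust for your environment)
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# userAccountControl bit behind the "this account is sensitive and cannot be delegated" checkbox
$NOT_DELEGATED = 0x100000

# --- 1. Privileged USER accounts: what the Secure Score implementation instructions cover ---
$privilegedUsers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privilegedUsers = $privilegedUsers |
    Sort-Object DistinguishedName -Unique |
    ForEach-Object { Get-ADUser $_.DistinguishedName -Properties userAccountControl }

$usersToFix = $privilegedUsers | Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) }
Write-Host "Privileged user accounts missing the flag:"
$usersToFix | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Apply the flag to user objects only. Remove -WhatIf after reviewing the list above.
foreach ($u in $usersToFix) {
    Set-ADUser -Identity $u.DistinguishedName -AccountNotDelegated $true -WhatIf
}

# --- 2. COMPUTER accounts: report only, change nothing ---
# Domain controllers are identified by role (their computer object DNs), not by naming convention,
# so a DC that does not follow a "DC*" naming pattern is still recognised.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

Write-Host "Server computer accounts and their delegation flag (DCs listed first):"
Get-ADComputer -Filter { OperatingSystem -like '*Server*' } -Properties userAccountControl, OperatingSystem |
    Select-Object Name, OperatingSystem,
        @{ n = 'IsDomainController'; e = { $dcDNs -contains $_.DistinguishedName } },
        @{ n = 'NotDelegated';       e = { [bool]($_.userAccountControl -band $NOT_DELEGATED) } } |
    Sort-Object IsDomainController -Descending |
    Format-Table -AutoSize
```

The computer-account section deliberately stops at reporting. If you decide, after checking the services that depend on a given server's delegation rights, that a non-DC member server should carry the flag, the `Set-ADComputer -AccountNotDelegated $true` command from the earlier post is the way to set it; rows with `IsDomainController` set to `True` are the ones Microsoft has said are now excluded from the recommendation.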
- micheleariis, Steel Contributor
starman2heven Hi, which computer account is it presenting to you?