Forum Discussion
starman2heven
Oct 25, 2024 Brass Contributor
Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'" and in the Expo...
starman2heven
Nov 12, 2024 Brass Contributor
LiorShapira My tenant still has not changed; in exposed entities I still see my DCs, Exchange and DHCP servers. And in the implementation tab I cannot see any change, and the learn more link points to this: https://go.microsoft.com/fwlink/?linkid=2283220
LiorShapira
Microsoft
Nov 14, 2024 starman2heven Could you please check again? We've updated the recommendation title to "Ensure privileged accounts are not delegated". The deployment ended yesterday (except for the United States environment, which will take a couple of days). At the moment we have excluded DCs only; ADFS, Exchange servers and Certificate servers will be excluded by Nov 20.
- RohanBondalapati Jan 29, 2025 Copper Contributor
For us also, DHCP is still showing in the list. Can you please provide an update on this?
- starman2heven Feb 03, 2025 Brass Contributor
I have a Microsoft case open on this for the second time. It has been very painful to get Microsoft support to understand the problem. They just do not read what I am writing or view the snapshots that I attached to the case. I have been in IT for over 25 years and I have to say, Microsoft support today is very poor. I guess you have to buy their "Enterprise" support to get some real support, because their 1st level support is a joke.
- starman2heven Jan 22, 2025 Brass Contributor
LiorShapira It would be nice to have a list of the server roles that are excluded from this in the documentation. My DHCP server is still being listed and I have no idea why.
- starman2heven Nov 14, 2024 Brass Contributor
LiorShapira Yes, I can confirm that the list of exposed entities now has only 2 devices left. One of them has a DHCP role and the other device object is AzureADKerberos (Cloud Kerberos trust for Windows Hello). What are your recommendations for the AzureADKerberos object? It's basically a Read-Only Domain Controller and I would rather not break our Windows Hello authentication.
- LiorShapira Nov 18, 2024
Microsoft
starman2heven Today we've implemented an exclusion for ADFS servers, Exchange servers, Certificate servers and the AzureADKerberos object. Can you please check the recommendation again? Thanks!
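For readers who want to check their own directory rather than wait for the Secure Score report to refresh, here is an added audit-and-remediation script. It is not code from this thread and not Microsoft's assessment logic; it queries Active Directory for protected (adminCount=1) accounts that lack the "Account is sensitive and cannot be delegated" flag and optionally sets it. The exclusion rules are an assumption modelled on the roles LiorShapira lists above (domain controllers by primary group, plus the AzureADKerberos object by name); the sAMAccountName `AzureADKerberos$` and any ADFS/Exchange/CA names you add are placeholders you must adapt. It requires the RSAT ActiveDirectory module.

```powershell
# Added example: audit privileged AD accounts for the NOT_DELEGATED flag and remediate.
# Not from the original thread and not Microsoft's own Secure Score logic.
Import-Module ActiveDirectory

# userAccountControl bits from the AD schema (real constants, not assumptions)
$ADS_UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation; set on DCs by default
$LDAP_MATCHING_RULE_BIT_AND    = '1.2.840.113556.1.4.803'

function Get-UndelegatablePrivilegedAccountGaps {
    [CmdletBinding()]
    param(
        # ASSUMPTION: placeholder names; add your ADFS/Exchange/CA computer accounts here.
        [string[]]$ExcludedSamAccountNames = @('AzureADKerberos$'),
        # Primary group RIDs: 516 = Domain Controllers, 521 = Read-only Domain Controllers
        [int[]]$ExcludedPrimaryGroupIDs = @(516, 521)
    )
    # adminCount=1 marks objects that SDProp has treated as protected (members of the
    # built-in privileged groups). objectClass=user also matches computer objects.
    # The negated bitwise-AND clause returns only objects that LACK the NOT_DELEGATED flag.
    $filter = "(&(adminCount=1)(objectClass=user)" +
              "(!(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$ADS_UF_NOT_DELEGATED)))"

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, primaryGroupID, objectClass |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            $excluded = ($_.sAMAccountName -in $ExcludedSamAccountNames) -or
                        ($_.primaryGroupID -in $ExcludedPrimaryGroupIDs)
            [pscustomobject]@{
                SamAccountName       = $_.sAMAccountName
                ObjectClass          = $_.objectClass
                DistinguishedName    = $_.DistinguishedName
                Excluded             = $excluded
                # An object that is itself trusted for delegation (e.g. a DC or a front-end
                # server) needs a human decision, so it is flagged rather than fixed blindly.
                TrustedForDelegation = [bool]($uac -band $ADS_UF_TRUSTED_FOR_DELEGATION)
            }
        }
}

function Set-PrivilegedAccountNotDelegated {
    # Sets the flag on user accounts reported as gaps; skips computer objects, exclusions
    # and anything already trusted for delegation. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)][pscustomobject]$Gap)
    process {
        if ($Gap.Excluded -or $Gap.TrustedForDelegation -or $Gap.ObjectClass -ne 'user') {
            Write-Warning "Skipping $($Gap.SamAccountName) ($($Gap.ObjectClass)): review manually"
            return
        }
        if ($PSCmdlet.ShouldProcess($Gap.DistinguishedName, 'Set AccountNotDelegated')) {
            Set-ADAccountControl -Identity $Gap.DistinguishedName -AccountNotDelegated $true
        }
    }
}

# Usage: review the gap list first, then dry-run the remediation before committing.
Get-UndelegatablePrivilegedAccountGaps |
    Format-Table SamAccountName, ObjectClass, Excluded, TrustedForDelegation
Get-UndelegatablePrivilegedAccountGaps | Set-PrivilegedAccountNotDelegated -WhatIf
```

Two caveats before removing `-WhatIf`: setting NOT_DELEGATED on a user account makes its Kerberos TGT non-forwardable, so any workflow in which that user authenticates to a front-end that then impersonates them to a back-end (constrained or unconstrained delegation) will stop working; and the script deliberately refuses to touch computer objects, which is where the DC, Exchange, CA and AzureADKerberos entries in the thread's "exposed entities" list come from, because the right answer there is an exclusion, not the flag.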
- Sblackery Nov 19, 2024 Copper Contributor
In our environment we don't have ADFS or Exchange, only 2 DCs, one of which is also a CA (I know it's not recommended, but it's working fine).
Last week, we went from completed status with the DCs still showing as exposed, to a completed status with nothing showing as exposed, but as of this morning it's back to not completed ('to address') and the DCs are showing as exposed again.