Verify Permissions Related to Microsoft Entra Connect Accounts

critical

Description

Permissions on Microsoft Entra Connect accounts (MSOL) must be kept sane because of the impact these accounts have on the entire Active Directory domain.

Solution

A security assessment of the permissions applied to Microsoft Entra Connect accounts can identify the permissions that you can safely remove.

See Also

Microsoft Entra Connect - Accounts and permissions

Indicator Details

Name: Verify Permissions Related to Microsoft Entra Connect Accounts

Codename: C-AAD-CONNECT

Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0003

Techniques: T1098

Attacker Known Tools

Fox-IT: adconnectdump

Gentil Kiwi: mimikatz