AD Connect service account read access listed as ESC5 vulnerability
shaunm001 opened this issue · comments
We're using AD Connect to replicate on-prem AD to Azure AD, which uses a service account (e.g. MSOL_db365a3ec62) to enumerate all of the AD objects to be replicated. This service account apparently has read/write access to all objects in AD, and so the Locksmith app reports it as an ESC5-type misconfiguration on the AD CS computer object (see below). But doesn't this account require read/write access (or at least read) on the object to effectively replicate it to Azure AD?
Hey @shaunm001! Great question!
While this is probably not a serious security concern, in the Locksmith team's opinion, AD CS objects should not be replicated to Entra ID anyway.
Since your Entra Connect Service account is named MSOL_db365a3ec6, I am assuming you used the Express setup. If this is true, giving this account read/write on every object results in an over-privileged account.
Instead, I'd work to trim the rights granted to the MSOL account back to the following:
Source
If you have questions on how to do that, shoot me a DM on Mastodon or LinkedIn and we can chat.
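As an added audit example (not from this thread or the Locksmith project), the PowerShell below lists the ACEs any MSOL_* account holds on the objects an ESC5 check looks at (the Public Key Services container and each CA's computer object) and flags write-type rights, so the result can be compared against the documented minimum; the MSOL_ naming prefix and the AD: drive from the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example, not Locksmith's own code. Assumes the ActiveDirectory RSAT module
# (which provides the AD: drive) and that Express setup named the account MSOL_*.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).NetBIOSName
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

# MSOL_* accounts as DOMAIN\sam strings, the form IdentityReference uses.
$msolIds = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' |
    ForEach-Object { "$domain\$($_.SamAccountName)" }

# Objects to audit: the PKI container and the computer object of every enrollment service (CA).
$targets = @($pkiDN)
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    ForEach-Object {
        $ca = Get-ADComputer -Filter "DNSHostName -eq '$($_.dNSHostName)'"
        if ($ca) { $targets += $ca.DistinguishedName }
    }

# Rights that let a principal change the object or its security, rather than only read it.
$writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

$findings = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($msolIds -notcontains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        [pscustomobject]@{
            Object      = $dn
            Account     = $ace.IdentityReference.Value
            Rights      = $rights
            Inherited   = $ace.IsInherited
            # True when any write-type right is present: the over-privilege being reported.
            WriteAccess = [bool]($writeRights | Where-Object { $rights -match $_ })
        }
    }
}

if ($findings) { $findings | Sort-Object WriteAccess -Descending | Format-Table -AutoSize }
else { "No direct MSOL_* ACEs on: $($targets -join '; ')" }
```

Only ACEs granted directly to the MSOL_* account are shown; rights it holds through group membership need the groups resolved first.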
Ah, great info, I will take a look at this configuration, thanks so much!
Are you comfortable with me closing this issue?