Forum Discussion
starman2heven
Oct 25, 2024, Brass Contributor
Secure Score "this account is sensitive and cannot be delegated"
Hi, In Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'" and in the Expo...
pieterhanckec2pr
Apr 10, 2025, Copper Contributor
Hi, We are using a gMSA for AADConnect (Azure AD cloud sync service account) which allows for delegation (0x1000 - WORKSTATION_TRUST_ACCOUNT) - how can we omit this account from the recommendation?
LiorShapira
Microsoft
Apr 15, 2025
The recommendation contains gMSA accounts by definition. The reason is that the goal of a gMSA is to be managed by AD, and the account can be used only by certain users. Therefore, delegation will allow an actor to use this account and, as a result, to escalate privileges and use the gMSA although they can't read its password.
I suggest closing the recommendation in this case with mitigation.
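As an added example (not posted by anyone in this thread), the following PowerShell audit lists members of the built-in privileged groups plus every gMSA and reports whether each carries the NOT_DELEGATED bit (0x100000, the "this account is sensitive and cannot be delegated" flag) and the WORKSTATION_TRUST_ACCOUNT bit (0x1000) mentioned above. It assumes the ActiveDirectory RSAT module is installed and that the listed group names stand in for your own set of privileged groups.

```powershell
# Added example, not from the thread: find privileged accounts and gMSAs that
# lack the "sensitive and cannot be delegated" flag (NOT_DELEGATED = 0x100000
# in userAccountControl). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$NOT_DELEGATED             = 0x100000
$WORKSTATION_TRUST_ACCOUNT = 0x1000   # flag gMSAs carry, as noted in the question

# Assumption: these built-in groups stand in for "privileged accounts";
# extend the list with your own Tier-0 groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$candidates = @()
foreach ($group in $privilegedGroups) {
    $candidates += Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties userAccountControl
}
# gMSAs are in scope for the recommendation too, so include all of them.
$candidates += Get-ADServiceAccount -Filter * -Properties userAccountControl

$report = $candidates | Sort-Object DistinguishedName -Unique | ForEach-Object {
    $uac = [int]$_.userAccountControl
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        ObjectClass    = $_.ObjectClass
        TrustAccount   = ($uac -band $WORKSTATION_TRUST_ACCOUNT) -ne 0
        NotDelegated   = ($uac -band $NOT_DELEGATED) -ne 0
    }
}

# Accounts that would be flagged by the Secure Score recommendation:
$report | Where-Object { -not $_.NotDelegated } | Format-Table -AutoSize

# Remediation for an ordinary privileged user account (review each one first):
# Set-ADAccountControl -Identity <SamAccountName> -AccountNotDelegated $true
```

gMSAs that show up with TrustAccount set and NotDelegated clear are the ones the answer above refers to; they are handled in Secure Score by closing the recommendation with mitigation rather than by changing the account flag.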