Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Sentinel AzureMonitorAgentExtensions MicrosoftDnsAgent audit failures
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 56.00000000000001%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHK%3C/text%3E%3C/svg%3E)
Håkan Ljung
0
Reputation points
I've got the DNS collector extension installed on several domain controllers and at the same time I've got audit configuration set to audit successfull and failed privilege use.
Every 30min or so the extension rebuilds its installation folder and resets file permissions. at the same time there are 32000 failed audit event of MicrosoftDNSAgent.exe trying use the SeTcbPrivilege (act as part of the operating system).
I've got the 1.7.1 version installed and it sets it self to run as the network service account which is not allowed that permission.
This results in millions of entries which are flooding the logs, is this a bug or is there a permission requirement listed somewhere? I cannot find any reference documentation for this
Azure Monitor
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sridevi Machavarapu 33,385 Reputation points Microsoft External Staff Moderator2026-06-18T09:37:48.73+00:00 Hello Håkan Ljung,
Based on the published documentation for the DNS AMA connector, SeTcbPrivilege (Act as part of the operating system) is not listed as a prerequisite for MicrosoftDNSAgent. The documented requirements focus on Azure Monitor Agent deployment, DNS analytical logging, and data collection configuration.
Based on your description, the extension is running under the Network Service account and audit failures are being generated related to SeTcbPrivilege. To better understand the behavior, could you provide the following details?
- Which Security event IDs are being generated (for example, 4673 or 4674)?
- Is DNS data continuing to be ingested into Microsoft Sentinel while these audit events are occurring?
- Does the behavior occur on all servers running version 1.7.1?
- Can you share a sample of one of the audit events, including the process name, account, and requested privilege?
For reference, the following documentation describes the DNS AMA connector requirements and deployment:
The additional information will help determine whether this is expected behavior, a configuration issue, or if further investigation is required.
-
Håkan Ljung 0 Reputation points
2026-06-18T11:19:08.04+00:00 Hi @Sridevi Machavarapu ,
Sure, please see the details below:EventID generated is 4673 - Microsoft Windows security auditing, Audit Failure, Sensitive Privilege Use
DNS data seems to be ingested still
It occured on all servers with an older version (1.4.6), an upgrade to 1.7.1 was made to attempt to solve the issue but there was no change in behaviour (except that service that runs the extension switched from local service to network service)
It has been working on one server both with version 1.6.x and 1.7.1. There's not much difference in configuration on these servers, the non working ones run server 2022, the working one runs server 2025The event logged looks like this:
SecurityID : Network Service
Service Name: -
Process Name: C:\Packages\Plugins\Microsoft.Sentinel.AzureMonitorAgentExtensions.MicrosoftDnsAgent\1.7.1\MicrosoftDnsAgent.exe
Privileges: SeTcbPrivilege
Sign in to comment
Sign in to answer