Security Assessment: Change password for Microsoft Entra seamless SSO account
This article describes Microsoft Defender for Identity's Microsoft Entra Seamless Single sign-on (SSO) account password change security posture assessment report.
Note
This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services and Sign on method as part of Microsoft Entra Connect configuration is set to single sign-on and the SSO computer account exists. Learn more about Microsoft Entra seamless sign-on here.
Why might the Microsoft Entra seamless SSO computer account old password be a risk?
Microsoft Entra seamless SSO automatically signs in users when they're using their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without using any other on-premises components. When setting up Microsoft Entra Seamless SSO, a computer account named AZUREADSSOACC is created in Active Directory. By default, the password for this Azure SSO computer account is not automatically updated every 30 days. This password functions as a shared secret between AD and Microsoft Entra, enabling Microsoft Entra to decrypt Kerberos tickets used in the seamless SSO process between Active Directory and Microsoft Entra ID. If an attacker gains control of this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user within the Microsoft Entra tenant that has been synchronized from Active Directory. This could allow an attacker to move laterally from Active Directory into Microsoft Entra ID.
How do I use this security assessment to improve my hybrid organizational security posture?
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions for Change password for Microsoft Entra seamless SSO account.
Review the list of exposed entities to discover which of your Microsoft Entra SSO computer accounts have a password more than 90 days old.
Take appropriate action on those accounts by following the steps described in how to change the AD DS Connector account password article.
Note
While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as Completed.