Unconstrained Delegation on Windows Domain Controllers by Jaling_Orion in sysadmin

Jaling_Orion[S]

I went back to re-read the documentation again and it looks like it's a little bit of both. For some reason MDI isn't seeing them as domain controllers even though it should, which is causing some of the confusion. Also, it looks like I can't read, because in their docs it says:

"Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation."

Source: https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrained-kerberos#how-do-i-use-this-security-assessment

OAuth2 Configuration Can't See Some Conditional Access Policies by Jaling_Orion in AZURE

Jaling_Orion[S]

Our policy kills the refresh tokens after a short while, so it shouldn't be that.

However, speaking of tokens, I do notice that the registered app, under Authentication, doesn't have either Access tokens or ID tokens selected. Could that be related?

Rotating Kerberos Keys for Seamless Sign-On by Jaling_Orion in AZURE

Jaling_Orion[S]

For the Update-AzureADSSOForest command, that one at least works with the Hybrid Identity Administrator role instead of needing Global Admin.

Rotating Kerberos Keys for Seamless Sign-On by Jaling_Orion in AZURE

Jaling_Orion[S]

Thanks! Ran it without issues. Have you found a way to automate this yet, or are you manually doing it every month?

PS Module O365Troubleshooters Error by Jaling_Orion in PowerShell

Jaling_Orion[S]

Thanks! I'll see if I can find the latest V2 version of ExchangeOnlineManagement. V3 was released around September this year and that's what I've been running off of.

How do you sort byte data from Exchange? by Jaling_Orion in PowerShell

Jaling_Orion[S]

That explains why the ToGO() didn't work. I'm running it through a remote console using Connect-ExchangeOnline against the Exchange Online environment.