Entra Domain Services allows insecure version of NTLM
May 20, 2025 ยท View on GitHub
SYNOPSIS
Disable NTLM v1 for Microsoft Entra Domain Services.
DESCRIPTION
By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as NTLM v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
RECOMMENDATION
Consider disabling NTLM v1 which is considered weak and can be disabled if not required.
EXAMPLES
Configure with Bicep
To deploy domains that pass this rule:
- Set the
properties.domainSecuritySettings.ntlmV1property toDisabled.
For example:
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
name: name
location: location
properties: {
sku: 'Enterprise'
ldapsSettings: {
ldaps: 'Enabled'
}
domainSecuritySettings: {
ntlmV1: 'Disabled'
tlsV1: 'Disabled'
kerberosRc4Encryption: 'Disabled'
}
replicaSets: [
{
subnetId: primarySubnetId
location: location
}
{
subnetId: secondarySubnetId
location: secondaryLocation
}
]
}
}
Configure with Azure template
To deploy domains that pass this rule:
- Set the
properties.domainSecuritySettings.ntlmV1property toDisabled.
For example:
{
"type": "Microsoft.AAD/domainServices",
"apiVersion": "2022-12-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"sku": "Enterprise",
"ldapsSettings": {
"ldaps": "Enabled"
},
"domainSecuritySettings": {
"ntlmV1": "Disabled",
"tlsV1": "Disabled",
"kerberosRc4Encryption": "Disabled"
},
"replicaSets": [
{
"subnetId": "[parameters('primarySubnetId')]",
"location": "[parameters('location')]"
},
{
"subnetId": "[parameters('secondarySubnetId')]",
"location": "[parameters('secondaryLocation')]"
}
]
}
}