Entra Domain Services allows insecure version of RC4

May 20, 2025 · View on GitHub

SYNOPSIS

Disable RC4 encryption for Microsoft Entra Domain Services.

DESCRIPTION

By default, Microsoft Entra Domain Services allows legacy ciphers and protocols, including RC4 for Kerberos. Some legacy applications may still require RC4, but it is considered weak: RC4-HMAC Kerberos keys are derived directly from the account's NT hash without a salt, so service tickets issued with RC4 are far cheaper to brute-force offline than AES-keyed tickets. RC4 can be disabled on the managed domain when nothing depends on it.

RECOMMENDATION

Disable RC4 encryption for Kerberos unless a legacy application still requires it. Before disabling it, confirm that domain-joined clients and applications negotiate AES, because anything that only supports RC4 will fail to authenticate once RC4 is removed.

EXAMPLES

Configure with Bicep

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.

For example:

resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    // Disable the legacy protocols and ciphers; kerberosRc4Encryption is the setting this rule checks
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}

Configure with Azure template

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.

For example:

{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
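The Bicep and ARM examples above show a compliant domain. The following added example (not code from PSRule for Azure or from Microsoft) audits existing resource definitions for the same setting: it takes resource objects in the shape of an ARM template resource or the JSON that az resource show returns for a Microsoft.AAD/domainServices resource, and reports any domain where kerberosRc4Encryption, ntlmV1 or tlsV1 is not Disabled. A missing key is treated as Enabled, following the description above that the service enables these protocols by default. The sample resources and their names are constructed for the example.

```python
"""Audit Microsoft Entra Domain Services resources for weak domainSecuritySettings.

Added example, not code from PSRule for Azure or from Microsoft. Input is a list
of resource objects shaped like ARM template resources or the output of
`az resource show` for a Microsoft.AAD/domainServices resource. The sample
resources at the bottom are constructed.
"""
import json

DOMAIN_SERVICES_TYPE = "microsoft.aad/domainservices"

# Settings the rule (and its sibling rules for NTLMv1 and TLS 1.0) expect to be
# 'Disabled'. A missing key is treated as 'Enabled' because the service enables
# these protocols by default (assumption taken from the rule description).
WEAK_SETTINGS = {
    "kerberosRc4Encryption": "RC4 Kerberos encryption",
    "ntlmV1": "NTLMv1 authentication",
    "tlsV1": "TLS 1.0",
}


def find_weak_settings(resource: dict) -> list[str]:
    """Return one finding per weak protocol still enabled on a single domain."""
    properties = resource.get("properties") or {}
    security = properties.get("domainSecuritySettings") or {}
    findings = []
    for key, label in WEAK_SETTINGS.items():
        value = security.get(key, "Enabled")
        if value != "Disabled":
            findings.append(
                f"{label} is {value} (properties.domainSecuritySettings.{key})"
            )
    return findings


def audit(resources: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant Entra Domain Services resource name to its findings.

    Resources of other types are skipped and compliant domains are omitted.
    """
    results = {}
    for resource in resources:
        if (resource.get("type") or "").lower() != DOMAIN_SERVICES_TYPE:
            continue
        findings = find_weak_settings(resource)
        if findings:
            results[resource["name"]] = findings
    return results


# Constructed sample: one hardened domain, one with everything left enabled,
# one that omits kerberosRc4Encryption (so it falls back to the default), and
# an unrelated resource type that the audit must ignore.
SAMPLE_RESOURCES = json.loads("""[
  {"type": "Microsoft.AAD/domainServices", "name": "aadds-hardened",
   "properties": {"domainSecuritySettings": {
      "ntlmV1": "Disabled", "tlsV1": "Disabled", "kerberosRc4Encryption": "Disabled"}}},
  {"type": "Microsoft.AAD/domainServices", "name": "aadds-legacy",
   "properties": {"domainSecuritySettings": {
      "ntlmV1": "Enabled", "tlsV1": "Enabled", "kerberosRc4Encryption": "Enabled"}}},
  {"type": "Microsoft.AAD/domainServices", "name": "aadds-defaults",
   "properties": {"domainSecuritySettings": {"ntlmV1": "Disabled", "tlsV1": "Disabled"}}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-hub", "properties": {}}
]""")


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESOURCES).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real subscription by feeding it the output of az resource show for each managed domain; any name that appears in the result still needs the domainSecuritySettings change shown in the Bicep and ARM examples.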