In Azure AD, we have a few different types of groups.
The main group types are security groups and Microsoft 365 groups, but in Exchange we also have distribution lists, which are mail-enabled groups with no security context.
Each group also has a membership type, either assigned or dynamic.
Now, before we start creating groups, I need to warn you that Microsoft stupidly believes any user should be able to create groups, both security and M365 types.
What you should know is that they can pick any email address they want for the group 😱
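To see where your own tenant stands on this, here is an added audit script (not part of the original post) that reads the two tenant-wide switches behind self-service group creation using the Microsoft Graph PowerShell SDK: the authorization policy's `AllowedToCreateSecurityGroups` flag for security groups, and the `Group.Unified` directory setting (`EnableGroupCreation` / `GroupCreationAllowedGroupId`) for Microsoft 365 groups. It only reads by default; the `$Enforce` variable, an assumption of this example, gates the write-back that restricts creation to members of a group you name in `$AllowedGroupName` (a placeholder).

```powershell
# Added example, not the original post's code. Requires Microsoft.Graph and
# Microsoft.Graph.Beta.Identity.DirectoryManagement, and an account holding
# Policy.ReadWrite.Authorization / Directory.ReadWrite.All.
$Enforce          = $false                      # assumption: flip to $true to apply the restriction
$AllowedGroupName = 'PLACEHOLDER-GroupCreators' # placeholder: your approved group-creator security group

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.ReadWrite.All'

# 1) Security groups: governed by the default user role permissions of the tenant.
$authPolicy = Get-MgPolicyAuthorizationPolicy
$canCreateSec = $authPolicy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
"Ordinary users may create security groups: $canCreateSec"

# 2) Microsoft 365 groups: governed by the 'Group.Unified' directory setting.
#    If no setting object exists, the template default applies, which allows creation by everyone.
$unified = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($null -eq $unified) {
    "No Group.Unified setting object found: template default applies, all users can create M365 groups."
} else {
    $enable  = ($unified.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }).Value
    $allowed = ($unified.Values | Where-Object { $_.Name -eq 'GroupCreationAllowedGroupId' }).Value
    "EnableGroupCreation = $enable; GroupCreationAllowedGroupId = '$allowed'"
}

if ($Enforce) {
    # Resolve the group whose members keep the right to create M365 groups.
    $allowedGroup = Get-MgGroup -Filter "displayName eq '$AllowedGroupName'"
    if (-not $allowedGroup) { throw "Group '$AllowedGroupName' not found; create it first." }

    # Turn off security-group creation for ordinary users.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateSecurityGroups = $false }

    # Restrict M365 group creation to the allowed group, creating the setting object if needed.
    $values = @(
        @{ name = 'EnableGroupCreation';        value = 'false' }
        @{ name = 'GroupCreationAllowedGroupId'; value = $allowedGroup.Id }
    )
    if ($null -eq $unified) {
        $template = Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values } | Out-Null
    } else {
        Update-MgBetaDirectorySetting -DirectorySettingId $unified.Id -BodyParameter @{ values = $values } | Out-Null
    }
    'Group creation restricted; re-run with $Enforce = $false to verify.'
}
```

Note that `EnableGroupCreation = false` still lets members of the `GroupCreationAllowedGroupId` group create Microsoft 365 groups, and admins are never blocked by either setting, so the audit output is what you want to review periodically rather than a one-time fix.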
1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES).
2) The password can be retrieved on one server and used on another, so pass-the-hash/pass-the-ticket still work.
OK, first, let's find out if you have a KDS root key set up. Open PowerShell on a machine with the Active Directory PowerShell module installed and run this:
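As an added example (not the original post's command), the following checks for a KDS root key with `Get-KdsRootKey`, reports whether each key is already usable, and shows the two ways to create one if none exists; it assumes an elevated session as a Domain Admin.

```powershell
# Added example, not the original post's code. Managed service account passwords are
# derived from the KDS root key, so without one you cannot create a gMSA.
Import-Module ActiveDirectory

$keys = @(Get-KdsRootKey)
if ($keys.Count -eq 0) {
    Write-Warning 'No KDS root key found; gMSAs cannot be created until one exists.'
    # Creating a key is a domain-wide change. It is only safe to use after the key has
    # replicated to every DC, which is why the default is a 10-hour effective delay.
    # Uncomment ONE of the following:
    # Add-KdsRootKey -EffectiveImmediately                        # production: usable after 10 hours
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))    # single-DC lab only
} else {
    $now = Get-Date
    $keys | ForEach-Object {
        [pscustomobject]@{
            KeyId         = $_.KeyId
            CreationTime  = $_.CreationTime
            EffectiveTime = $_.EffectiveTime
            UsableNow     = ($_.EffectiveTime -le $now)   # $false while the 10-hour delay is still running
        }
    } | Format-Table -AutoSize
}
```

If `UsableNow` shows `$false`, wait for the effective time before creating accounts; a gMSA created against a not-yet-effective key fails on the hosts that try to retrieve its password.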