Create workflow for compromised users in Azure AD

Hi,

I work in a small security team, and we don't have 24/7 coverage yet, so I would like to find a way to lock users who are High Risk users.

For now we get an email alert for those.

What I would like to know is if I can create any kind of workflow so that whenever a user has a High Risk, it sends the email and locks the user in Active Directory, until a team member is able to check it manually.

Is there any way to achieve it, considering we don't have Sentinel yet (nor can we right now)?

Thanks

3 Replies
With ‘high risk’ I assume you’re referring to the user or sign-in risk of a user? Locking the account itself is not an option out of the box, but you can use Azure AD conditional access to block access until the user self-remediates this. If you really would like to block sign-in for such users, you can either use a PowerShell script that runs regularly or, when you do have Sentinel in place, use a playbook for this.
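
The scheduled PowerShell route mentioned in the reply above, written out as an added example (not code from the thread or from Microsoft): it uses the Microsoft Graph PowerShell SDK to disable accounts that Identity Protection currently rates at high user risk, revokes their sessions so existing tokens stop working, appends a log line per action and mails the team. The break-glass exclusion list, mailbox addresses and log path are assumptions; the Graph cmdlets, permission scopes and risk enum values are real.

```powershell
# Added example: disable Azure AD users at high user risk on a schedule,
# revoke sessions and notify the team. Requires the Microsoft.Graph module and
# an identity granted IdentityRiskyUser.Read.All, User.ReadWrite.All, Mail.Send.
param(
    [switch]$DryRun   # report what would be disabled without changing anything
)

# Assumed values (not from the thread); adjust for your tenant.
$BreakGlass  = @('breakglass1@contoso.example', 'breakglass2@contoso.example')  # never auto-disable
$TeamMailbox = 'secops@contoso.example'
$SenderUpn   = 'automation@contoso.example'   # mailbox the script sends as
$LogPath     = 'C:\SecOps\risky-user-lockout.log'

Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All','User.ReadWrite.All','Mail.Send'

# Only users currently at high risk; remediated or dismissed users are excluded,
# so an analyst who cleared a user is not undone by the next run.
$risky = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

$actions = foreach ($r in $risky) {
    if ($BreakGlass -contains $r.UserPrincipalName) { continue }
    $user = Get-MgUser -UserId $r.Id -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user.AccountEnabled) { continue }   # already locked, nothing to do
    if (-not $DryRun) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null   # invalidate refresh tokens
    }
    "$(Get-Date -Format o) disabled=$(-not $DryRun) user=$($user.UserPrincipalName) riskLastUpdated=$($r.RiskLastUpdatedDateTime)"
}

if ($actions) {
    $actions | Add-Content -Path $LogPath
    $mail = @{
        message = @{
            subject      = "Identity Protection: $(@($actions).Count) high-risk account(s) processed"
            body         = @{ contentType = 'Text'; content = ($actions -join "`n") }
            toRecipients = @(@{ emailAddress = @{ address = $TeamMailbox } })
        }
        saveToSentItems = $false
    }
    Send-MgUserMail -UserId $SenderUpn -BodyParameter $mail
}
Disconnect-MgGraph | Out-Null
```

Run it first with `-DryRun` from the scheduled task to confirm the filter and exclusion list behave as expected before letting it disable anything.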

@dmarquesgn What subscription do you have? I may state the obvious here, but have you looked at AAD Identity Protection?

How To: Configure and enable risk policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

License requirements
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#license-requirements

Azure AD Identity Protection policies | Microsoft Docs
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies