Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

"Block user in Azure AD" playbook action

Copper Contributor

Hi,

I am creating some playbooks and would like to include an action where the user involved in the alert it blocked. I thought this was possible using Sentinel playbooks based on the image in this tutorial.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Sentinel_Block_User.png

I cannot find that action under Azure AD in the connector section. Is this some sort of custom action?
Any help would be greatly appreciated.

4 Replies

Hi

Have you seen this play book?

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
YOu can deploy it in your own environment

@Thijs Lecomte Good catch. This specific Playbook is located here: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

 

You can use that as a template to determine how that step is accomplished or just use it as is.

@Thijs Lecomte  Was there supposed to be a link or attachment in your reply? 

Yes indeed. @Rod_Trent got the right one :)