"Block user in Azure AD" playbook action

Copper Contributor


I am creating some playbooks and would like to include an action where the user involved in the alert it blocked. I thought this was possible using Sentinel playbooks based on the image in this tutorial.

I cannot find that action under Azure AD in the connector section. Is this some sort of custom action?
Any help would be greatly appreciated.

4 Replies


Have you seen this play book?

YOu can deploy it in your own environment

@Thijs Lecomte Good catch. This specific Playbook is located here: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser


You can use that as a template to determine how that step is accomplished or just use it as is.

@Thijs Lecomte  Was there supposed to be a link or attachment in your reply? 

Yes indeed. @Rod_Trent got the right one :)