Incident Response for Compromised User Account Containment in Microsoft Entra ID
This Standard Operating Procedure (SOP) provides comprehensive guidance for detecting, containing, and remediating compromised user accounts within Microsoft Entra ID (formerly Azure Active Directory). It should be activated immediately when indicators of account compromise are detected, including suspicious sign-in activity, unauthorized access, privilege escalation, or malicious actions performed using valid credentials. This procedure is intended for SOC analysts (L1, L2, L3), Incident Response teams, Identity and Access Management (IAM) administrators, and IT security operations personnel.
Purpose
The purpose of this SOP is to establish a standardized, repeatable methodology for responding to compromised user accounts in Microsoft Entra ID environments. This procedure aims to:
- Rapidly detect and validate suspicious account activity
- Contain compromised accounts to prevent further unauthorized access
- Investigate the scope and impact of account compromise
- Eradicate attacker access and persistence mechanisms
- Restore legitimate user access securely
- Document lessons learned and improve identity security posture
- Minimize business disruption while protecting organizational assets
This SOP ensures consistent incident handling aligned with Microsoft security best practices, zero-trust principles, regulatory compliance requirements, and organizational security policies.
Scope
This SOP applies to:
Systems and Services:
- Microsoft Entra ID (Azure Active Directory) tenant(s)
- Azure cloud resources and subscriptions
- Microsoft 365 services (Exchange Online, SharePoint, Teams, OneDrive)
- Enterprise applications integrated with Entra ID (SaaS, custom apps)
- Conditional Access policies and identity protection
- Privileged Identity Management (PIM) and privileged accounts
- Multi-factor authentication (MFA) systems
- Single Sign-On (SSO) integrated applications
- Hybrid identity infrastructure (Entra Connect, ADFS)
- Azure Virtual Machines and cloud workloads
- Third-party applications using Entra ID authentication
User Accounts:
- Standard user accounts (employees, contractors)
- Privileged accounts (Global Administrators, Security Administrators)
- Service accounts and application identities
- Guest and external user accounts (B2B collaboration)
- Synchronized accounts from on-premises Active Directory
- Emergency access accounts (break-glass accounts)
Environments:
- Production Entra ID tenant
- Development and test tenants
- Partner and customer tenants (B2B scenarios)
- Multi-tenant architectures
Roles & Responsibilities
SOC Level 1 (L1) Analyst
- Monitor security alerts from Microsoft Defender for Cloud Apps, Entra ID Protection, and SIEM
- Perform initial triage of identity-related security alerts
- Review Entra ID sign-in logs for suspicious activity
- Document all findings in the incident management system
- Execute immediate containment actions (block sign-in, revoke sessions)
- Notify affected users through approved communication channels
- Escalate confirmed compromises to L2/L3 per escalation criteria
- Follow identity security playbooks and standard procedures
- Maintain chain of custody for digital evidence
SOC Level 2 (L2) Analyst
- Conduct detailed investigation of compromised account activity
- Analyze sign-in logs, audit logs, and mailbox audit records
- Identify lateral movement and privilege escalation attempts
- Determine scope of compromise and affected resources
- Correlate identity events with endpoint and network telemetry
- Perform threat hunting for additional compromised accounts
- Coordinate containment with identity and IAM teams
- Collect and preserve forensic evidence
- Provide technical guidance to L1 analysts
- Escalate complex incidents requiring advanced investigation
SOC Level 3 (L3) Analyst
- Lead technical investigation and forensic analysis
- Perform advanced threat hunting across cloud and hybrid environments
- Analyze OAuth token abuse and consent grant attacks
- Investigate persistence mechanisms and backdoor accounts
- Coordinate cross-functional response activities
- Develop custom detection queries (KQL, Microsoft Graph API)
- Advise on remediation and recovery strategies
- Conduct root cause analysis
- Lead post-incident technical review sessions
Incident Response Team
- Serve as Incident Commander for critical account compromises
- Make strategic decisions regarding containment scope
- Coordinate with legal, HR, and privacy teams
- Manage communications with affected users and stakeholders
- Engage Microsoft support or external incident response vendors
- Authorize privileged access for investigation activities
- Oversee remediation validation and account restoration
- Ensure compliance with data breach notification requirements
- Conduct executive briefings on incident status
Identity and Access Management (IAM) Team
- Execute account containment actions (disable, password reset)
- Revoke active sessions and refresh tokens
- Reset MFA registrations when compromised
- Review and adjust Conditional Access policies
- Audit role assignments and permissions
- Restore legitimate user access post-remediation
- Implement technical controls to prevent recurrence
- Validate identity security configurations
- Support forensic data collection from Entra ID
IT / Security Operations
- Investigate related endpoint security events
- Analyze network traffic for data exfiltration
- Review email security alerts (phishing, malicious forwarding)
- Implement emergency firewall rules if needed
- Support hybrid identity infrastructure investigation
- Validate security of connected systems
- Apply security patches and configuration hardening
Management / Executive Leadership
- Provide resources and authority for incident response
- Approve critical business decisions (global account blocks)
- Authorize engagement of external resources
- Manage stakeholder communications
- Review incident response effectiveness
- Approve remediation plans and security investments
Prerequisites
Required Tools and Platforms
- Microsoft Entra ID Portal: https://entra.microsoft.com
- Microsoft 365 Defender Portal: https://security.microsoft.com
- Microsoft Entra ID Protection
- Microsoft Defender for Cloud Apps (MCAS)
- Microsoft Sentinel (or integrated SIEM)
- Azure Activity Logs and Diagnostic Settings
- Microsoft Graph API and PowerShell modules:
- Microsoft.Graph (preferred for all Entra ID operations)
- ExchangeOnlineManagement
- AzureAD and MSOnline (deprecated by Microsoft; keep only for legacy scripts that have not yet been migrated to Microsoft.Graph)
- Incident management platform (ServiceNow, Jira, etc.)
- Secure communication channels (encrypted messaging)
- Forensic documentation tools
Required Access and Permissions
- Entra ID roles (minimum required; assign through PIM where possible):
- Security Reader (investigation)
- Global Reader (comprehensive visibility)
- Security Administrator (Identity Protection and Conditional Access actions, confirming a user as compromised)
- User Administrator (disable accounts, revoke sessions, reset passwords for non-privileged users; Security Administrator alone cannot perform these actions)
- Authentication Administrator (MFA method reset for non-privileged users)
- Privileged Authentication Administrator (password and MFA reset for accounts that hold privileged roles)
- Microsoft 365 Defender access for cross-service investigation
- Azure subscription Reader access for cloud resource review
- Exchange Online administrative access for mailbox investigation
- Privileged Identity Management (PIM) activation rights
- API permissions for automated investigation queries
Required Logs and Data Sources
Configure and retain the following logs (minimum 90 days recommended). Native Entra ID retention for sign-in and audit logs is 30 days with a P1/P2 licence (7 days without), so stream them to a Log Analytics workspace or Microsoft Sentinel through Diagnostic Settings to reach the 90-day target:
- Entra ID Sign-in Logs (interactive and non-interactive)
- Entra ID Audit Logs (administrative actions, changes)
- Entra ID Risk Detections (Identity Protection alerts)
- Azure Activity Logs (subscription-level operations)
- Microsoft 365 Unified Audit Log
- Exchange Online Mailbox Audit Logs
- SharePoint and OneDrive activity logs
- Microsoft Teams audit logs
- Defender for Cloud Apps activity logs
- Conditional Access sign-in events
- MFA authentication logs
- Application consent audit logs
Required Approvals
- Emergency Change Advisory Board (CAB) approval for production account modifications
- Incident Commander authorization for account disablement
- Legal counsel notification for potential data breach scenarios
- Privacy officer notification if PII access is suspected
- HR notification for employee-related compromises
Incident Identification
Compromised Entra ID accounts may be identified through multiple detection methods:
Automated Security Alerts
Microsoft Entra ID Protection Risk Detections:
- Atypical travel (impossible travel between geographic locations)
- Anonymous IP address sign-ins (TOR, VPN, proxy)
- Malware-linked IP addresses
- Unfamiliar sign-in properties (new device, browser, location)
- Password spray attacks detected
- Leaked credentials detected (third-party breach databases)
- Microsoft Entra threat intelligence (Microsoft-identified malicious activity)
- Suspicious inbox manipulation rules
- Anomalous token usage patterns
Microsoft Defender for Cloud Apps Alerts:
- Activity from suspicious IP addresses
- Impossible travel alerts
- Mass file download or deletion
- Multiple failed login attempts
- Ransomware activity detected
- Suspicious inbox forwarding rules
- Unusual administrative activities
- OAuth app with suspicious permissions
Microsoft 365 Defender Alerts:
- Suspicious email forwarding configuration
- Unusual mailbox access patterns
- Mass deletion of emails
- Suspicious eDiscovery searches
- Privileged account anomalies
- File access from unusual locations
SIEM Correlation Rules:
- Multiple failed authentications followed by success
- Sign-in from multiple geographic locations simultaneously
- After-hours administrative activity
- Privilege escalation events
- Service principal or application credential abuse
- Conditional Access policy violations
User Reports
- User reports unauthorized access to their account
- Unusual emails sent from user's mailbox
- Unexpected password change notifications
- MFA prompts when not attempting to sign in (MFA fatigue)
- Unexplained changes to account settings or mailbox rules
- Reports of account lockouts or access issues
- Unauthorized expense reports or financial transactions
- Suspicious calendar invitations or file sharing
Threat Hunting Indicators
- Sign-ins outside normal business hours
- Geographic anomalies (login from foreign countries)
- User agent string anomalies (unusual browsers, outdated clients)
- Multiple users signing in from same IP address
- Sign-ins immediately before or after password changes
- Dormant accounts suddenly becoming active
- New device registrations for privileged accounts
- OAuth application consents granted to suspicious apps
- Creation of suspicious inbox rules (forward to external addresses)
- Unusual Azure resource modifications
- Service principal activity outside established patterns
Third-Party Intelligence
- Credential stuffing alerts from threat intelligence feeds
- Darkweb credential leak notifications
- Have I Been Pwned (HIBP) breach notifications
- Industry ISAC alerts about targeted campaigns
- Microsoft security notifications
- Vendor-specific security advisories
Incident Triage & Validation
Initial Assessment (Target: 15 minutes)
Review Alert Details
- Examine the triggering alert in Entra ID Protection, Defender, or SIEM
- Note alert severity, risk level, and detection source
- Identify affected user account (UPN, Object ID)
- Document alert timestamp and detection time
- Review alert description and technical details
Examine Sign-in Logs
Navigate to: Entra ID Portal > Monitoring > Sign-in logs
Filter for the affected user and review:
- Recent sign-in timestamps and locations
- IP addresses and geographic locations
- Device information (operating system, browser, device ID)
- Application accessed during suspicious sign-ins
- Authentication methods used (password, MFA, certificate)
- Sign-in status (success, failure, interrupted)
- Conditional Access policies applied
- Risk state at time of sign-in
Check Entra ID Audit Logs
Navigate to: Entra ID Portal > Monitoring > Audit logs
Filter for the affected user and look for:
- Password changes or resets
- MFA registration modifications
- Role assignments or privilege escalations
- Application consent grants
- Mailbox rule modifications
- Security settings changes
- Device registrations or modifications
Review User Risk Level
Navigate to: Entra ID Protection > Risky users
Check:
- Current risk level (low, medium, high)
- Risk detections contributing to score
- Risk state (at risk, remediated, dismissed)
- Last risk detection timestamp
- Risk history and previous incidents
Validate with User
- Contact user through trusted communication channel (phone, in-person)
- DO NOT use potentially compromised email or messaging
- Ask about:
- Recent sign-in activity and locations
- Password changes or sharing
- MFA prompts received
- Phishing emails clicked
- Suspicious activity observed
- Document user's response verbatim
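The four log reviews above are usually done as separate portal searches; the following script, an added example that is not part of the original SOP, performs them in one pass for a single account and returns the results as objects that can be exported to the ticket. It assumes the Microsoft.Graph modules are installed, the operator holds at least Security Reader, and the tenant has a P1/P2 licence (required for sign-in log access); the function and parameter names are this example's own.

```powershell
# Added example, not part of the original SOP. Assumes Microsoft.Graph is installed and the
# operator holds Security Reader plus a P1/P2 licence. Function and parameter names are this
# example's own.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All" -NoWelcome

function Get-AccountTriage {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # UPN from the alert
        [int] $Hours = 72                                      # look-back window
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, CreatedDateTime

    # Interactive sign-ins only: non-interactive sign-ins need the beta signInEventTypes filter
    # or the AADNonInteractiveUserSignInLogs table in Sentinel
    $signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    # Collapse per source IP so a new country, device, app or CA outcome shows up as its own row
    $byIp = $signIns | Group-Object IpAddress | ForEach-Object {
        $ordered = @($_.Group | Sort-Object CreatedDateTime)
        [pscustomobject]@{
            IpAddress = $_.Name
            Country   = $ordered[0].Location.CountryOrRegion
            City      = $ordered[0].Location.City
            Total     = $_.Count
            Failed    = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join '; '
            OS        = ($_.Group.DeviceDetail.OperatingSystem | Sort-Object -Unique) -join '; '
            Browser   = ($_.Group.DeviceDetail.Browser | Sort-Object -Unique) -join '; '
            CAStatus  = ($_.Group.ConditionalAccessStatus | Sort-Object -Unique) -join '; '
            Risk      = ($_.Group.RiskLevelDuringSignIn | Sort-Object -Unique) -join '; '
            FirstSeen = $ordered[0].CreatedDateTime
            LastSeen  = $ordered[-1].CreatedDateTime
        }
    }

    # Changes made TO the user (password, MFA, role) and changes made BY the user (consents,
    # device registrations). Two queries, because Graph does not accept an OR across these filters.
    $audit = (@(Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and targetResources/any(t:t/id eq '$($user.Id)')") +
              @(Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and initiatedBy/user/id eq '$($user.Id)'")) |
        Sort-Object Id -Unique | Sort-Object ActivityDateTime |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{N='Actor';E={ if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } }},
            @{N='ActorIp';E={ $_.InitiatedBy.User.IPAddress }}

    # Identity Protection state. The riskyUser id equals the user object id and the call 404s
    # if the user has never been risky, hence SilentlyContinue. Detections are filtered client-side.
    $risky = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue
    $detections = Get-MgRiskDetection -All |
        Where-Object { $_.UserId -eq $user.Id -and $_.DetectedDateTime -ge (Get-Date).AddHours(-$Hours) } |
        Select-Object DetectedDateTime, RiskEventType, RiskLevel, RiskState, IPAddress,
            @{N='Location';E={ "$($_.Location.City), $($_.Location.CountryOrRegion)" }}

    [pscustomobject]@{
        User        = $user
        SignInsByIp = $byIp
        AuditEvents = $audit
        RiskyUser   = $risky | Select-Object RiskLevel, RiskState, RiskLastUpdatedDateTime
        Detections  = $detections
    }
}

# Usage: review each table, then save the whole object with the ticket
$triage = Get-AccountTriage -UserPrincipalName "user@domain.com"
$triage.SignInsByIp | Format-Table -AutoSize
$triage.AuditEvents | Format-Table -AutoSize
$triage.Detections  | Format-Table -AutoSize
$triage | ConvertTo-Json -Depth 6 | Set-Content ".\triage-$(Get-Date -Format yyyyMMddHHmm).json"
```

The per-IP grouping is the fastest way to spot the atypical-travel and new-device cases: the user's normal addresses show many sign-ins over a long span, while the attacker's address shows a short burst, often with a different browser or OS and a different Conditional Access outcome. Compare the `ActorIp` column of the audit events against the sign-in IPs; a password or MFA change initiated from the suspicious address is direct evidence rather than an anomaly.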
Severity Assessment
Assign incident severity based on the following criteria:
CRITICAL (P1)
- Global Administrator or privileged role account compromised
- Active data exfiltration detected (mass downloads, email forwarding)
- Financial fraud or unauthorized transactions conducted
- Lateral movement to multiple accounts confirmed
- Malicious OAuth applications granted tenant-wide permissions
- Ransomware deployed via compromised admin account
- Emergency access (break-glass) account compromised
- Evidence of Advanced Persistent Threat (APT) activity
- Compliance-regulated data accessed (PHI, PCI, PII)
HIGH (P2)
- Multiple standard user accounts compromised
- Privileged role possible but not confirmed
- Sensitive data access detected (confidential documents, executive communications)
- Mailbox rules forwarding emails externally
- Azure resources modified or deleted
- Service principal credentials compromised
- Business-critical application access
- Sustained attack over multiple days/weeks
MEDIUM (P3)
- Single standard user account compromised
- Limited resource access (read-only permissions)
- No evidence of data exfiltration
- Suspicious sign-ins but minimal account activity
- Compromise contained to non-sensitive systems
- Risk detections flagged but inconclusive
- Short-duration compromise (under 24 hours)
LOW (P4)
- Single sign-in anomaly with strong alternative explanation
- User-reported suspicious activity but no confirmed compromise
- Risk detection triggered by legitimate travel or VPN use
- No unauthorized actions taken
- Strong compensating controls in place (MFA enforced)
- Isolated incident with no broader indicators
False Positive Determination
Rule out false positives by verifying:
Legitimate Business Travel
- Cross-reference sign-in location with corporate travel calendar
- Check with user's manager about approved travel
- Review expense reports or travel requests
- Consider time zone differences for remote workers
Authorized VPN or Remote Access
- Verify IP address belongs to corporate VPN pool
- Check remote access logs for concurrent connections
- Confirm user has authorized VPN client installed
- Validate against remote work policy
New Device or Location
- Confirm user recently acquired new device
- Verify device is corporate-managed or approved BYOD
- Check for recent device enrollment in Intune
- Validate with user about location changes
Testing or Administrative Activity
- Check with IT for authorized security testing
- Verify against change management records
- Confirm with identity team about administrative actions
- Review authorized maintenance windows
If Confirmed False Positive:
- Document findings and rationale in incident ticket
- Dismiss risk detection in Entra ID Protection with justification
- Tune detection rules to reduce similar false positives
- Update knowledge base with false positive pattern
- Close ticket with "False Positive - Verified Legitimate" status
- Consider adding exception to Conditional Access policy if appropriate
If Unable to Confirm Legitimacy:
- Treat as potentially malicious and proceed with containment
- Apply "better safe than sorry" principle for security
- Document uncertainty and reasons in incident notes
Containment
Immediate Containment Actions (Target: 15-30 minutes from confirmation)
CRITICAL: All containment actions must be logged with timestamps and justification.
Phase 1: Block Account Access
Disable User Account Sign-in
Via Entra ID Portal:
- Navigate to: Entra ID > Users > [Select User] > Properties
- Set "Account enabled" to No
- Click Save
- Document action in incident ticket
Via PowerShell:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false
Note: This immediately prevents new sign-ins but does NOT revoke existing sessions or access tokens that have already been issued; revoke sessions in the next step. For accounts synchronized from on-premises Active Directory, also disable the account in on-premises AD, otherwise the next sync cycle can restore the cloud state.
Revoke All Active Sessions and Tokens
Via Entra ID Portal:
- Navigate to: Entra ID > Users > [Select User]
- Click Revoke sessions button
- Confirm action
Via PowerShell:
Revoke-MgUserSignInSession -UserId "user@domain.com"
This action:
- Invalidates all refresh tokens and browser session cookies issued to the user
- Forces re-authentication on all devices once current access tokens expire
- Does NOT revoke access tokens already issued; they remain valid until expiry (about one hour by default) unless the application supports Continuous Access Evaluation (CAE), which enforces the revocation within minutes
- Applies to both interactive and non-interactive sign-ins, since non-interactive sign-ins depend on the refresh tokens that were just revoked
Reset Account Password
Via Entra ID Portal:
- Navigate to: Entra ID > Users > [Select User]
- Click Reset password
- Generate temporary complex password
- Require password change at next sign-in: Yes
- Store temporary password in secure password vault
- DO NOT share password with user yet (account remains disabled)
Via PowerShell:
$TempPassword = "<generated-random-password>"   # generate with a password manager or a cryptographic RNG; Graph expects a plain string here, not a SecureString
Update-MgUser -UserId "user@domain.com" -PasswordProfile @{
    Password = $TempPassword
    ForceChangePasswordNextSignIn = $true
}
Note: For accounts synchronized from on-premises AD this reset only succeeds when password writeback is enabled; otherwise reset the password in on-premises AD and let password hash sync carry it to the cloud.
Document Initial Containment
- Record exact timestamp of each action
- Log who performed the containment
- Note account status before and after actions
- Document business impact notification sent
- Create timeline entry in incident ticket
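The three containment actions and the logging requirement above are easy to get out of order under time pressure, so the following script, an added example that is not part of the original SOP, runs them as one unit and writes a timestamped JSON-lines record for each step. It assumes Microsoft.Graph is installed and the operator holds User Administrator (Privileged Authentication Administrator if the target holds an admin role) plus Security Administrator for the Identity Protection step; the function names, incident id format and log path are this example's own. It also adds one step the procedure above does not list: marking the user "confirmed compromised" in Identity Protection so that user-risk policies apply and the risk record reflects the analyst's decision.

```powershell
# Added example, not from the original SOP. Assumes Microsoft.Graph is installed and the operator
# holds User Administrator (or Privileged Authentication Administrator for admin accounts) and
# Security Administrator. Function names, incident id and log path are this example's own.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", "IdentityRiskyUser.ReadWrite.All" -NoWelcome

function New-RandomPassword {
    param([int] $Length = 24)
    # Ambiguous glyphs removed; the loop guarantees the character classes Entra's policy expects
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = [byte[]]::new($Length * 4)
        $rng.GetBytes($bytes)
        $pw = -join (0..($Length - 1) | ForEach-Object { $chars[[BitConverter]::ToUInt32($bytes, $_ * 4) % $chars.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

function Invoke-AccountContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $IncidentId,
        [string] $LogPath = ".\containment-$IncidentId.jsonl"
    )
    function Write-IrLog {
        param([string] $Action, [string] $Detail = "", [string] $Result = "ok")
        $entry = [pscustomobject]@{
            Timestamp = (Get-Date).ToUniversalTime().ToString("o")
            Incident  = $IncidentId
            Operator  = (Get-MgContext).Account
            Target    = $UserPrincipalName
            Action    = $Action
            Result    = $Result
            Detail    = $Detail
        }
        $entry | ConvertTo-Json -Compress | Add-Content -Path $LogPath
        $entry
    }

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, AccountEnabled, OnPremisesSyncEnabled
    $log  = @(Write-IrLog -Action "state-before" -Detail "accountEnabled=$($user.AccountEnabled) synced=$($user.OnPremisesSyncEnabled)")

    # 1. Block new sign-ins. Tokens already issued survive this step.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $log += Write-IrLog -Action "disable-account"
    if ($user.OnPremisesSyncEnabled) {
        $log += Write-IrLog -Action "warning" -Detail "synced account: disable in on-premises AD as well or sync can restore the cloud state"
    }

    # 2. Invalidate refresh tokens and browser sessions. Access tokens live until expiry unless
    #    the application honours Continuous Access Evaluation.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $log += Write-IrLog -Action "revoke-sessions"

    # 3. Record the analyst decision in Identity Protection so user-risk policies fire
    Confirm-MgRiskyUserCompromised -UserIds @($user.Id)
    $log += Write-IrLog -Action "confirm-compromised"

    # 4. Rotate the password. Graph takes a plain string; the value is returned as a SecureString
    #    for the vault and is never written to the log.
    $temp = New-RandomPassword
    try {
        Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
        $log += Write-IrLog -Action "reset-password" -Detail "forceChangeNextSignIn=true"
    } catch {
        # Typical for synced accounts without password writeback: reset on-premises instead
        $log += Write-IrLog -Action "reset-password" -Result "failed" -Detail $_.Exception.Message
        $temp = $null
    }

    [pscustomobject]@{
        UserId            = $user.Id
        Log               = $log
        TemporaryPassword = if ($temp) { ConvertTo-SecureString $temp -AsPlainText -Force } else { $null }
    }
}

# Usage: store TemporaryPassword in the vault; the account stays disabled until the Recovery phase
$result = Invoke-AccountContainment -UserPrincipalName "user@domain.com" -IncidentId "IR-0000"
$result.Log | Format-Table Timestamp, Action, Result, Detail -AutoSize
```

The order matters: disabling first closes the door to new tokens, revoking second invalidates the refresh tokens the attacker already holds, and the password reset comes last because a reset alone does nothing to sessions that are already established. The log file is the record the Document Initial Containment step asks for, and because each entry carries the operator from the Graph context it doubles as the chain-of-custody note.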
Phase 2: Investigate Active Sessions and Recent Activity
Review Recent Sign-in Activity (Last 24-72 hours)
Navigate to: Entra ID > Sign-in logs
Filter by user and document:
- All IP addresses used
- Geographic locations of sign-ins
- Device IDs and operating systems
- Applications accessed
- Success/failure status
- MFA challenges and responses
- Conditional Access policy outcomes
- Export filtered logs to CSV for forensic analysis
Check for Privilege Escalation
Navigate to: Entra ID > Audit logs
Search for these activities:
- "Add member to role" - Check if user added to privileged groups
- "Update user" - Look for permission modifications
- "Add app role assignment" - Verify no unauthorized app permissions
- "Add owner to application" - Check for ownership changes
- "Add service principal" - Look for rogue application registrations
Document any privilege changes with timestamps.
Investigate Mailbox Activity (Microsoft 365)
Via Microsoft 365 Defender Portal:
- Navigate to: Exchange admin center > Mail flow > Message trace (or Microsoft Defender > Email & collaboration > Explorer for message content and threat verdicts)
- Search for emails sent by compromised account
- Look for suspicious email subjects or recipients
Check Mailbox Forwarding, Delegation, and Inbox Rules:
- Navigate to: Exchange admin center > Recipients > Mailboxes
- Select user > Manage email forwarding (mailbox-level forwarding is set with Set-Mailbox and is separate from inbox rules)
- Select user > Manage mailbox delegation (look for Full Access, Send As, or Send on Behalf delegates the attacker may have added)
- Inbox rules are not listed in the admin center; enumerate them with Get-InboxRule and review for:
- External forwarding, redirect, or forward-as-attachment addresses
- Auto-delete or mark-as-read rules (used to hide security notifications and replies from the victim)
- Rules moving emails to RSS Feeds, Archive, or other obscure folders
- Rules with blank or punctuation-only names (a single period or comma is a common attacker choice)
- Rules forwarding to other compromised accounts
Via PowerShell:
Connect-ExchangeOnline
# -IncludeHidden also returns rules created through MAPI that Outlook does not display
Get-InboxRule -Mailbox "user@domain.com" -IncludeHidden | Format-List Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder
# Mailbox-level forwarding is not an inbox rule and must be checked separately
Get-Mailbox -Identity "user@domain.com" | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Review File Access Activity (SharePoint/OneDrive)
Navigate to: Microsoft 365 Defender > Cloud Apps > Activity log
Filter for user and look for:
- Mass file downloads
- File sharing with external users
- Unusual file access patterns
- Sensitive document views
- File deletions or modifications
- Export activity logs for forensic analysis
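The mailbox and file-activity checks above span the Exchange admin center, the Defender portal and PowerShell; the script below, an added example that is not part of the original SOP, gathers the same evidence from Exchange Online and the Unified Audit Log in one call and writes it to disk for the case file. It assumes ExchangeOnlineManagement v3 is installed and the operator holds the Exchange View-Only Audit Logs role plus mailbox read permissions; MailItemsAccessed records require Purview Audit (Premium) licensing, the other operations are logged by default. The function name, the flagged-rule heuristics and the output folder are this example's own.

```powershell
# Added example, not from the original SOP. Assumes ExchangeOnlineManagement v3 and the
# View-Only Audit Logs role. Function name, heuristics and output folder are this example's own.
Connect-ExchangeOnline -ShowBanner:$false

function Get-MailboxCompromiseEvidence {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [int]    $Days   = 30,
        [string] $OutDir = ".\evidence"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $tag = $Mailbox -replace '[^\w\.-]', '_'

    # Inbox rules, including hidden ones. Flag anything that forwards, redirects, deletes,
    # buries mail in an odd folder, or has a blank/punctuation-only name.
    $rules = @(Get-InboxRule -Mailbox $Mailbox -IncludeHidden)
    $flaggedRules = $rules | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
        ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History|Deleted') -or
        $_.Name -match '^[\s\.,_-]*$'
    }
    $rules | Export-Clixml -Path "$OutDir\$tag-inboxrules.xml"

    # Mailbox-level forwarding and delegation are set with Set-Mailbox / Add-MailboxPermission,
    # not inbox rules, and are a common second persistence path
    $mbx       = Get-Mailbox -Identity $Mailbox
    $delegates = Get-MailboxPermission -Identity $Mailbox | Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }
    $sendAs    = Get-RecipientPermission -Identity $Mailbox | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' }

    # Unified audit log: rule changes, mail reads and sends, file downloads and sharing by this account
    $ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission',
           'MailItemsAccessed', 'Send', 'SendAs', 'FileDownloaded', 'FileSyncDownloadedFull',
           'AnonymousLinkCreated', 'SharingSet', 'FileDeleted'
    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -UserIds $Mailbox -Operations $ops -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId "ir-$tag"
    $parsed = foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $e.CreationDate
            Workload  = $d.Workload
            Operation = $e.Operations
            ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
            Object    = if ($d.ObjectId) { $d.ObjectId } else { $d.Item.Subject }
            # Inbox-rule operations carry the rule definition in Parameters; keep it for the record
            Params    = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }
        }
    }
    $parsed | Export-Csv -Path "$OutDir\$tag-ual.csv" -NoTypeInformation

    [pscustomobject]@{
        FlaggedRules = $flaggedRules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
        Forwarding   = $mbx | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
        Delegates    = $delegates | Select-Object User, AccessRights
        SendAs       = $sendAs | Select-Object Trustee, AccessRights
        # Downloads and sends per client IP: a spike from one unfamiliar address is the exfiltration signal
        ActivityByIp = $parsed | Group-Object ClientIP, Operation | Select-Object Count, Name | Sort-Object Count -Descending
        Events       = $parsed
    }
}

$evidence = Get-MailboxCompromiseEvidence -Mailbox "user@domain.com"
$evidence.FlaggedRules | Format-Table -AutoSize
$evidence.ActivityByIp | Format-Table -AutoSize
```

Read `ActivityByIp` against the sign-in IPs collected during triage: `FileDownloaded` or `MailItemsAccessed` counts attributed to the attacker's address are the scope of the data exposure and feed the severity assessment and any breach notification decision. The exported CLIXML keeps every rule, not only the flagged ones, so the eradication step can show exactly what was removed.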
Phase 3: Contain Lateral Movement Risk
Check for Compromised Devices
Navigate to: Entra ID > Devices > All devices
For each device registered to the compromised user:
- Note device names and operating systems
- Check last sign-in date
- Review device compliance status
- Consider disabling suspicious devices:
Update-MgDevice -DeviceId "<device-id>" -AccountEnabled:$false
Audit OAuth Application Consents
Navigate to: Entra ID > Enterprise applications > [application] > Permissions > User consent tab (per application), or Entra ID > Audit logs filtered on activity "Consent to application" (per user, with timestamp and source IP)
Filter by the compromised user and review:
- Applications granted consent recently
- Permissions granted (especially Mail.Read, Files.ReadWrite.All)
- Suspicious application names or publishers
- Applications with broad tenant-wide permissions
Revoke suspicious OAuth consents:
- Document application details (name, AppId, publisher, consented scopes, consent date) before removal
- Select the application
- Click Permissions tab, then Review permissions
- Choose the option for a malicious application with compromised users; the portal provides a PowerShell script that revokes the grants (the same revocation is shown in the Eradication section)
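The consent audit here and the revocation step in the Eradication section below work on the same objects, so one added example serves both; it is not part of the original SOP. It lists every delegated grant the user has consented to, resolves the client to its service principal, labels the app as Microsoft-owned, home-tenant or external, flags the combination that characterises consent phishing (an external app holding mail, file or offline_access scopes), attaches the consent timestamp and source IP from the audit log, and provides a revocation function that preserves the grant as evidence before deleting it. It assumes Microsoft.Graph is installed and the operator holds at least Cloud Application Administrator for the revocation; the risky-scope list, the Microsoft tenant ids used to recognise first-party apps, the function names and the evidence path are this example's own choices.

```powershell
# Added example, not part of the original SOP. Assumes Microsoft.Graph is installed and the
# operator holds Cloud Application Administrator for the revocation step. The risky-scope list,
# function names and evidence path are this example's own.
Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "AuditLog.Read.All" -NoWelcome

# Delegated scopes that let a client read or send mail, reach files broadly, or keep access after the user signs out
$RiskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
               'Sites.Read.All', 'Sites.ReadWrite.All', 'Contacts.Read', 'User.Read.All', 'Directory.AccessAsUser.All', 'offline_access'
# Tenants that own Microsoft first-party apps; anything else is third-party or attacker-registered
$MicrosoftTenants = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47'

function Get-UserConsentReport {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user   = Get-MgUser -UserId $UserPrincipalName -Property Id
    $grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id -All
    # The audit log supplies the consent timestamp and source IP that the grant object lacks
    $consentEvents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and initiatedBy/user/id eq '$($user.Id)'"

    foreach ($g in $grants) {
        $sp     = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property Id, DisplayName, AppId, AppOwnerOrganizationId, PublisherName, VerifiedPublisher, CreatedDateTime
        $scopes = @("$($g.Scope)".Trim() -split '\s+' | Where-Object { $_ })
        $risky  = @($scopes | Where-Object { $_ -in $RiskyScopes })
        $owner  = "$($sp.AppOwnerOrganizationId)"
        $event  = $consentEvents | Where-Object { $_.TargetResources.Id -contains $sp.Id } | Sort-Object ActivityDateTime | Select-Object -Last 1
        [pscustomobject]@{
            GrantId       = $g.Id
            App           = $sp.DisplayName
            AppId         = $sp.AppId
            Publisher     = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { "(unverified) $($sp.PublisherName)" }
            Origin        = if ($owner -in $MicrosoftTenants) { 'Microsoft' } elseif ($owner -eq (Get-MgContext).TenantId) { 'ThisTenant' } else { 'External' }
            ConsentType   = $g.ConsentType
            Scopes        = $scopes -join ' '
            RiskyScopes   = $risky -join ' '
            ConsentedAt   = $event.ActivityDateTime
            ConsentFromIp = $event.InitiatedBy.User.IPAddress
            # External app with mail/files/offline scopes is the consent-phishing profile: review it, do not auto-delete
            Suspicious    = ($risky.Count -gt 0) -and ($owner -notin $MicrosoftTenants) -and ($owner -ne (Get-MgContext).TenantId)
        }
    }
}

function Revoke-UserConsent {
    param(
        [Parameter(Mandatory)] [string] $GrantId,
        [Parameter(Mandatory)] [string] $EvidencePath
    )
    # The grant object disappears on removal, so capture it first
    Get-MgOauth2PermissionGrant -OAuth2PermissionGrantId $GrantId | ConvertTo-Json -Depth 5 -Compress | Add-Content -Path $EvidencePath
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $GrantId
}

# Usage: review the report, then revoke the grants confirmed malicious. Tokens already issued to
# the app stay valid until they expire, so follow up with Revoke-MgUserSignInSession.
$report = Get-UserConsentReport -UserPrincipalName "user@domain.com"
$report | Format-Table App, Origin, Publisher, RiskyScopes, ConsentedAt, ConsentFromIp, Suspicious -AutoSize
$report | Where-Object Suspicious | ForEach-Object { Revoke-UserConsent -GrantId $_.GrantId -EvidencePath ".\revoked-grants.jsonl" }
```

Two points the portal view does not make obvious: a grant with `ConsentType` of `AllPrincipals` was admin-consented and covers every user, so revoking it is a tenant-wide change that needs the Incident Commander's sign-off; and an `Origin` of `External` is normal for legitimate SaaS, so the `Suspicious` flag is a prioritisation aid for the analyst, not a verdict.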
Block Suspicious IP Addresses
Via Conditional Access Named Locations:
- Navigate to: Entra ID > Security > Conditional Access > Named locations
- Create new named location with malicious IPs
- Create or modify Conditional Access policy to block these IPs
Alternative - via Defender for Cloud Apps:
- Navigate to: Defender for Cloud Apps > Settings > IP address ranges
- Add suspicious IPs to Risky IP addresses category
- Apply IP-based blocking policies
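The named-location route above is the durable one, but a block policy created in a hurry is the classic way to lock out the break-glass accounts, so the following added example (not part of the original SOP) creates the named location and the Conditional Access policy together, always excludes the emergency access accounts, and defaults to report-only mode so the match can be verified in the sign-in logs before it is enforced. It assumes Microsoft.Graph is installed and the operator holds Conditional Access Administrator or Security Administrator; the function and parameter names and the "IR-<id>" naming convention are this example's own.

```powershell
# Added example, not part of the original SOP. Assumes Microsoft.Graph is installed and the
# operator holds Conditional Access Administrator. Function names and the "IR-<id>" naming
# convention are this example's own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

function New-IocBlockPolicy {
    param(
        [Parameter(Mandatory)] [string]   $IncidentId,
        [Parameter(Mandatory)] [string[]] $IpAddresses,     # attacker IPs or CIDR ranges from the sign-in logs
        [Parameter(Mandatory)] [string[]] $BreakGlassUpns,  # emergency access accounts; a block policy must never cover them
        [switch] $Enforce                                    # default is report-only so the policy can be checked before it bites
    )
    # Single hosts become /32 (IPv4) or /128 (IPv6); CIDR input is passed through
    $ranges = foreach ($ip in $IpAddresses) {
        $isV6 = $ip -match ':'
        $cidr = if ($ip -match '/') { $ip } elseif ($isV6) { "$ip/128" } else { "$ip/32" }
        @{
            "@odata.type" = if ($isV6) { "#microsoft.graph.iPv6CidrRange" } else { "#microsoft.graph.iPv4CidrRange" }
            cidrAddress   = $cidr
        }
    }
    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = "IR-$IncidentId attacker IPs"
        isTrusted     = $false
        ipRanges      = @($ranges)
    }

    # Resolve break-glass accounts to object ids; fail closed if any cannot be found
    $excluded = foreach ($upn in $BreakGlassUpns) { (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id }

    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = "IR-$IncidentId block attacker IPs"
        state       = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($excluded) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @($location.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    [pscustomobject]@{ LocationId = $location.Id; PolicyId = $policy.Id; State = $policy.State }
}

# Usage: create in report-only mode, confirm in the sign-in logs (Report-only tab) that only the
# attacker's sign-ins match, then re-run with -Enforce or enable the policy in the portal
New-IocBlockPolicy -IncidentId "0000" -IpAddresses "203.0.113.5", "198.51.100.0/24" `
    -BreakGlassUpns "breakglass1@domain.com", "breakglass2@domain.com"
```

Conditional Access is evaluated when a token is issued, so this policy stops the attacker from obtaining new tokens from those addresses but does nothing to tokens they already hold; it complements the session revocation in Phase 1 rather than replacing it. The report-only state is deliberate: `enabledForReportingButNotEnforced` records what the policy would have blocked, which both validates the IP list and produces evidence of continued attacker attempts.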
Review Service Principal and App Registrations
If user had permissions to create service principals:
Navigate to: Entra ID > App registrations
- Review recently created applications
- Check for suspicious application names
- Audit credentials/certificates added to existing apps
- Review API permissions granted
Audit secrets and certificates added recently (the audit log activity "Update application – Certificates and secrets management" records who added them and from where):
$Since = (Get-Date).AddDays(-30)
Get-MgApplication -All -Property DisplayName, AppId, PasswordCredentials, KeyCredentials | ForEach-Object {
    $App = $_
    @($App.PasswordCredentials) + @($App.KeyCredentials) | Where-Object { $_.StartDateTime -ge $Since } |
        Select-Object @{N='App';E={$App.DisplayName}}, @{N='AppId';E={$App.AppId}}, KeyId, DisplayName, StartDateTime, EndDateTime
}
# Repeat with Get-MgServicePrincipal -All for credentials added directly to service principals
Phase 4: Protect Related Accounts
Force MFA Re-registration
If MFA may have been compromised:
Navigate to: Entra ID > Users > [Select User] > Authentication methods
- Click Require re-register MFA
- This forces user to re-enroll all MFA methods
- Consider requiring stronger authentication methods (FIDO2, Windows Hello)
Check for Lateral Movement to Other Accounts
Search sign-in and audit logs for:
- Other accounts signing in from same malicious IPs
- Similar suspicious activity patterns on related accounts
- Accounts in same department or group
- Accounts with shared resources or permissions
Apply containment to additional compromised accounts as identified.
Notify Related Stakeholders
- User's direct manager (via secure channel)
- IT Security team
- Compliance and privacy teams (if sensitive data accessed)
- Business unit leadership (if business process impacted)
- DO NOT notify via compromised email system
Eradication
Remove Attacker Access and Persistence
Remove Malicious Mailbox Rules
Connect to Exchange Online and remove suspicious rules:
Connect-ExchangeOnline
# Export every rule first so the evidence survives deletion, then remove only the rules reviewed as malicious
$Rules = Get-InboxRule -Mailbox "user@domain.com" -IncludeHidden
$Rules | Export-Clixml -Path ".\inboxrules-$(Get-Date -Format yyyyMMddHHmm).xml"
$Rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object { Remove-InboxRule -Mailbox "user@domain.com" -Identity $_.Identity -Confirm:$false }
# Mailbox-level forwarding is not an inbox rule; clear it as well
Set-Mailbox -Identity "user@domain.com" -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Document all removed rules for forensic records. Review the filtered list before deletion: legitimate delete and forward rules exist, and the filter above is a starting point, not a verdict.
Revoke Suspicious OAuth Application Consents
For each suspicious application identified:
- Navigate to: Entra ID > Enterprise applications
- Select the application
- Click Permissions tab
- Click Revoke permissions
- Consider deleting the application if confirmed malicious
Via PowerShell:
# List delegated (OAuth2) grants the user consented to; ClientId is the service principal object id
Get-MgUserOauth2PermissionGrant -UserId "user@domain.com" -All | Format-List Id, ClientId, ResourceId, Scope, ConsentType
# Revoke a specific grant by its own id (there is no user-scoped remove cmdlet)
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<grant-id>"
# Revoking consent does not invalidate tokens already issued to the app; revoke the user's sessions as well
Revoke-MgUserSignInSession -UserId "user@domain.com"
Remove Unauthorized Devices
Delete devices confirmed as attacker-controlled:
Remove-MgDevice -DeviceId "<device-id>"
Consider requiring device re-enrollment with enhanced compliance policies.
Remove Elevated Permissions
If attacker added user to privileged roles:
Navigate to: Entra ID > Roles and administrators
- Select affected role
- Remove user from membership
- Review and document when elevation occurred
Via PowerShell:
# List active members of a role (DirectoryRoleId is the activated role's object id, not the template id)
Get-MgDirectoryRoleMember -DirectoryRoleId "<role-id>"
# Remove role assignment
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId "<role-id>" -DirectoryObjectId "<user-object-id>"
# PIM eligible assignments are not role members; check and remove them separately
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '<user-object-id>'"
Delete Malicious Application Registrations
If attacker created rogue applications:
- Document application details (name, AppId, permissions)
- Export application configuration for forensics
- Delete application (a deleted registration stays under Deleted applications for 30 days and can be restored if needed for forensics):
Remove-MgApplication -ApplicationId "<app-object-id>"
Remove Malicious Service Principal Credentials
If credentials were added to legitimate applications:
# Remove password credential
Remove-MgApplicationPassword -ApplicationId "<app-object-id>" -KeyId "<key-id>"
# Remove certificate credential: the removeKey action requires -Proof, a JWT signed with a key the application still holds
Remove-MgApplicationKey -ApplicationId "<app-object-id>" -KeyId "<key-id>" -Proof "<signed-jwt>"
# Without a proof, rewrite the key list instead (pass the credentials to keep, or @() to remove all)
Update-MgApplication -ApplicationId "<app-object-id>" -KeyCredentials @()
# Credentials added directly to the service principal are separate from the app registration
Remove-MgServicePrincipalPassword -ServicePrincipalId "<sp-object-id>" -KeyId "<key-id>"
Address Attack Vector
Identify and Remediate Initial Compromise Method
If phishing was the vector:
- Search for phishing emails across all mailboxes
- Delete phishing emails from all mailboxes
- Block sender domains at email gateway
- Report phishing URLs to Microsoft and security vendors
- Deploy security awareness training to affected users
If credential stuffing/password spray:
- Enforce stronger password policies
- Deploy password protection (banned password lists)
- Enable smart lockout policies
- Mandate MFA for all users
If MFA fatigue attack:
- Implement number matching for MFA
- Deploy phishing-resistant MFA (FIDO2, Windows Hello)
- Configure MFA notification limits
- Train users on MFA fatigue tactics
If OAuth consent grant attack:
- Restrict user consent to verified publishers only
- Implement admin consent workflow
- Review and remove risky OAuth applications tenant-wide
If password found in breach:
- Enable Entra ID Password Protection
- Deploy Microsoft Entra ID Protection
- Force password reset for users with leaked credentials
Search for Additional Compromised Accounts
Hunt for other accounts using same tactics:
- Same IP addresses
- Same OAuth applications
- Similar mailbox rules
- Same timing patterns
- Shared network infrastructure
Apply containment to any additional compromised accounts.
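The lateral-movement check in the Containment section and the hunt for additional compromised accounts here ask the same question of the same logs, so one added example (not part of the original SOP) serves both. It takes the indicators already collected from the contained account, the attacker's IP addresses and any malicious application ids, and returns every other account that signed in from those addresses, consented to the same application, or made a persistence-type directory change from an IOC address. It assumes Microsoft.Graph is installed and the operator holds Security Reader; the function and parameter names are this example's own, while the audit activity names are Entra's. Sign-in matching covers interactive sign-ins only; non-interactive sign-ins from the same addresses should be checked in the Sentinel AADNonInteractiveUserSignInLogs table.

```powershell
# Added example, not part of the original SOP. Assumes Microsoft.Graph is installed and the
# operator holds Security Reader. Function and parameter names are this example's own.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

function Find-RelatedCompromise {
    param(
        [Parameter(Mandatory)] [string[]] $IocIpAddresses,  # attacker IPs from the contained account's sign-ins
        [string[]] $IocAppIds = @(),                         # AppIds of malicious OAuth apps, if any were found
        [Parameter(Mandatory)] [string]   $KnownUser,        # UPN already contained; excluded from results
        [int] $Days = 30
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $hits  = [System.Collections.Generic.List[object]]::new()

    # 1. Every other account seen from an IOC IP, successful or not: a failure burst is a spray,
    #    a success is a second victim
    foreach ($ip in $IocIpAddresses) {
        Get-MgAuditLogSignIn -All -Filter "ipAddress eq '$ip' and createdDateTime ge $since" |
            Where-Object { $_.UserPrincipalName -ne $KnownUser } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{
                    Indicator = "ip:$ip"
                    User      = $_.UserPrincipalName
                    Time      = $_.CreatedDateTime
                    Detail    = "$($_.AppDisplayName) error=$($_.Status.ErrorCode) ca=$($_.ConditionalAccessStatus)"
                })
            }
    }

    # 2. Every other principal that consented to the same malicious application
    foreach ($appId in $IocAppIds) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" -Property Id, DisplayName | Select-Object -First 1
        if (-not $sp) { continue }
        Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'" | ForEach-Object {
            $who = if ($_.PrincipalId) { (Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName).UserPrincipalName } else { 'ALL USERS (admin consent)' }
            if ($who -ne $KnownUser) {
                $hits.Add([pscustomobject]@{ Indicator = "app:$($sp.DisplayName)"; User = $who; Time = $null; Detail = "scope=$($_.Scope)" })
            }
        }
    }

    # 3. Persistence-type directory changes in the window, kept only when they came from an IOC IP
    #    or were made by an account already surfaced above; this keeps routine MFA enrolments out
    $suspects   = @($hits.User | Sort-Object -Unique)
    $activities = 'Consent to application', 'User registered security info', 'Register device', 'Add member to role', 'Update application – Certificates and secrets management'
    foreach ($activity in $activities) {
        Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq '$activity' and activityDateTime ge $since" | ForEach-Object {
            $actor   = $_.InitiatedBy.User.UserPrincipalName
            $actorIp = $_.InitiatedBy.User.IPAddress
            if ($actor -and $actor -ne $KnownUser -and ($actorIp -in $IocIpAddresses -or $actor -in $suspects)) {
                $hits.Add([pscustomobject]@{
                    Indicator = "audit:$activity"; User = $actor; Time = $_.ActivityDateTime
                    Detail    = "ip=$actorIp target=$(@($_.TargetResources)[0].DisplayName)"
                })
            }
        }
    }

    # One row per account, most indicators first: each of these gets the triage procedure above
    $hits | Group-Object User | Sort-Object Count -Descending |
        Select-Object @{N='User';E={$_.Name}}, Count, @{N='Indicators';E={ ($_.Group.Indicator | Sort-Object -Unique) -join '; ' }}
}

Find-RelatedCompromise -IocIpAddresses "203.0.113.5", "198.51.100.23" -IocAppIds "<malicious-app-id>" -KnownUser "user@domain.com" |
    Format-Table -AutoSize
```

A result with an `ALL USERS (admin consent)` row means the malicious application was granted tenant-wide consent, which is a P1 criterion in the severity table above regardless of how many individual users appear. Accounts that appear under both an `ip:` and an `audit:` indicator are the strongest candidates for immediate containment; accounts with a single failed sign-in from an IOC address are more likely spray targets and belong in the password-spray remediation path instead.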
Review and Update Security Policies
Evaluate current policies and identify gaps:
- Conditional Access policies
- Authentication strength requirements
- Session control policies
- Risk-based policies
- Identity Protection policies
Recovery
Account Restoration Process
Prerequisites before restoring access:
- Complete eradication of attacker access confirmed
- All malicious artifacts removed
- User validated as legitimate owner
- Security posture improved with additional controls
- Incident Commander approval obtained
Verify User Identity
Before restoring access, confirm user identity through:
- In-person verification (preferred for privileged accounts)
- Video call with government-issued ID
- Multi-factor verification through HR records
- Manager confirmation of identity
- Security questions from HR records
Document identity verification method and timestamp.
Security Awareness Briefing
Before restoring access, brief user on:
- What happened during the incident
- How the compromise likely occurred
- Security best practices going forward
- Phishing and social engineering awareness
- Secure password practices
- Proper MFA usage
- Reporting suspicious activity
Require user to acknowledge briefing in writing.
Reset Password with Strong Requirements
Generate or have user create a strong password meeting:
- Minimum 14 characters (16+ for privileged accounts)
- Complexity requirements (upper, lower, number, symbol)
- Not previously used (check password history)
- Not found in breach databases
- Unique to this account (not reused across systems)
Via Entra ID Portal:
- Navigate to: Entra ID > Users > [Select User]
- Click Reset password
- Provide password to user via a channel that does not depend on the compromised mailbox (password vault share, phone call to a number verified against HR records, or in person)
- Require change at next sign-in: Yes
Re-register MFA Methods
Require fresh MFA enrollment:
- Navigate to: Entra ID > Users > [Select User] > Authentication methods
- Delete all existing MFA methods
- Click Require re-register MFA
- User must register MFA on next sign-in
Recommended MFA methods (in order of security):
- FIDO2 security key (phishing-resistant)
- Windows Hello for Business (phishing-resistant)
- Microsoft Authenticator (number matching enabled)
- Hardware token (OATH)
- Authenticator app (TOTP)
- SMS (least secure, use only if no alternative)
Enable User Account
After password reset and security briefing:
Via Entra ID Portal:
- Navigate to: Entra ID > Users > [Select User] > Properties
- Set "Account enabled" to Yes
- Click Save
Via PowerShell:
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$true
Guided First Sign-in
For high-value or privileged accounts:
- Have user perform first sign-in with security team present
- Verify MFA re-registration completes successfully
- Validate password change is successful
- Check that appropriate Conditional Access policies apply
- Verify device compliance if required
- Confirm access to required applications
- Test email sending and receiving
- Validate file access permissions
Restore Access Gradually
For privileged accounts, restore permissions in phases:
Phase 1 (Day 1-3):
- Standard user access only
- Monitor for 48-72 hours
- Verify no suspicious activity
Phase 2 (Day 4-7):
- Restore moderate permissions
- Continue enhanced monitoring
- Validate user behavior patterns
Phase 3 (Day 8+):
- Restore full privileges if no concerns
- Maintain elevated monitoring for 30 days
- Require Just-In-Time (JIT) access for sensitive operations
Re-enroll Devices
If devices were removed during containment:
- Require device re-enrollment in Intune/MDM
- Ensure device meets compliance requirements
- Apply device-based Conditional Access policies
- Validate device health attestation
- Consider requiring device wipe and rebuild for compromised endpoints
Enhanced Monitoring Period
Implement Enhanced Logging and Alerting (30-90 days)
Configure additional monitoring for restored account:
- Custom alert rules for account-specific anomalies
- Sign-in location monitoring
- Privilege usage tracking
- Application access monitoring
- Data access auditing
- Elevated permission usage alerts
Example Custom Alert (KQL for Microsoft Sentinel):
SigninLogs
| where TimeGenerated > ago(1d)
| where UserPrincipalName =~ "user@domain.com"
| where ResultType != "0" or RiskLevelDuringSignIn != "none" or ConditionalAccessStatus == "failure"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType, ResultDescription, RiskLevelDuringSignIn, ConditionalAccessStatus
// Token refreshes and background sign-ins are in AADNonInteractiveUserSignInLogs; union it here if the account uses mobile or desktop clients
Daily Account Review (First 7 Days)
SOC to review daily:
- All sign-in attempts (successful and failed)
- Applications accessed
- Files downloaded or shared
- Emails sent (spot check for unusual recipients)
- Administrative actions performed
- Risk detections triggered
Document review findings in incident ticket.
Weekly Security Check-ins
Schedule check-ins with user:
- Week 1: Confirm no issues or suspicious activity
- Week 2: Verify MFA working properly
- Week 4: Final security review
Document user feedback and any concerns.
Apply Additional Security Controls
Implement Risk-Based Conditional Access
Create or update Conditional Access policy for compromised account type:
- Require MFA for all cloud apps
- Block legacy authentication
- Require compliant or Microsoft Entra hybrid joined device
- Block sign-ins from risky locations
- Require phishing-resistant MFA for privileged actions
- Implement continuous access evaluation (CAE)
Enable Entra ID Protection Policies
Ensure account is covered by:
- User risk policy: Require password change at high risk
- Sign-in risk policy: Require MFA at medium or high risk
- MFA registration policy: Ensure MFA enrollment enforced
Navigate to: Entra ID Protection > Policies
Apply Privileged Identity Management (For Privileged Accounts)
If account has elevated privileges:
- Remove standing administrative permissions
- Implement Just-In-Time (JIT) access via PIM
- Require approval for privilege activation
- Limit elevation duration (max 8 hours)
- Require justification for elevation
- Enable MFA on activation
- Configure access reviews
Post-Incident Activities
Comprehensive Documentation
Detailed Incident Report
Complete incident documentation including:
Executive Summary
- Incident overview and timeline
- Business impact assessment
- Financial impact (productivity loss, response costs)
- Data accessed or exfiltrated
- Remediation summary
- Preventive measures implemented
Technical Details
- Initial detection method and timestamp
- Compromise indicators and evidence
- Attack vector and tactics (MITRE ATT&CK mapping)
- Affected systems and accounts
- Containment actions taken
- Eradication steps performed
- Recovery process and validation
Timeline of Events
- First suspicious activity timestamp
- Detection timestamp
- Containment timestamp
- Eradication timestamp
- Recovery timestamp
- All key decision points
Evidence Collected
- Sign-in logs (CSV exports)
- Audit logs (JSON exports)
- Screenshots of malicious activity
- OAuth application details
- Mailbox rule configurations
- Network traffic captures (if applicable)
Store report in secure incident archive with restricted access.
MITRE ATT&CK Mapping
Map attacker activities to MITRE ATT&CK framework:
- Initial Access: Phishing (T1566), Valid Accounts (T1078)
- Persistence: Account Manipulation (T1098), Create Account (T1136)
- Privilege Escalation: Valid Accounts (T1078)
- Defense Evasion: Impair Defenses (T1562)
- Credential Access: Credentials from Password Stores (T1555)
- Discovery: Account Discovery (T1087), Cloud Infrastructure Discovery (T1580)
- Collection: Email Collection (T1114), Data from Cloud Storage (T1530)
- Exfiltration: Exfiltration Over Web Service (T1567)
Use for threat intelligence and detection improvement.
Lessons Learned Session
Post-Incident Review Meeting
Schedule within 7 business days of incident closure.
Attendees:
- SOC team members involved in response
- Incident Response team
- Identity and Access Management team
- IT Security leadership
- Affected business unit representatives
Agenda:
- Incident summary presentation
- What went well (strengths)
- What could be improved (gaps)
- Detection effectiveness
- Response time analysis
- Communication effectiveness
- Tool and process gaps
- Training needs identified
Document all feedback and assign action items with owners and due dates.
Identify Root Causes
Conduct root cause analysis to determine:
- Why did the compromise occur?
- Why wasn't it detected sooner?
- What controls failed or were missing?
- Were policies and procedures followed?
- Were users adequately trained?
- Were technical controls properly configured?
Use "5 Whys" methodology to drill down to fundamental causes.
Detection and Prevention Improvements
Update Detection Rules
Based on incident findings, create or enhance:
Microsoft Sentinel KQL Queries:
// Detect suspicious inbox rule creation
OfficeActivity
| where Operation == "New-InboxRule"
| where Parameters contains "ForwardTo" or Parameters contains "DeleteMessage"
| project TimeGenerated, UserId, ClientIP, Parameters

// Detect impossible travel (SigninLogs.ResultType is a string; "0" is success)
SigninLogs
| where ResultType == "0"
| summarize Locations = make_set(Location) by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1

// Detect OAuth app consent (AuditLogs has no UserPrincipalName column; the consenting
// user is carried in InitiatedBy)
AuditLogs
| where OperationName == "Consent to application"
| where ResultType == "success"
| project TimeGenerated, InitiatedBy = tostring(InitiatedBy.user.userPrincipalName), TargetResources, AADOperationType
Enhance Conditional Access Policies
Implement or strengthen policies based on attack patterns:
- Require MFA for all users (no exceptions)
- Block legacy authentication protocols
- Require compliant devices for corporate data access
- Implement geographic restrictions for high-risk locations
- Require phishing-resistant MFA for admin accounts
- Enable Continuous Access Evaluation (CAE)
- Implement session controls (sign-in frequency, persistent browser)
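Before and after tightening the policies above it is worth measuring how many successful sign-ins still slip through the conditions they are meant to enforce. The query below is an added example for this SOP, not part of the original document; it assumes the Sentinel SigninLogs table and treats the Lookback value and the device-trust check as placeholders to adjust to the tenant's own policy set.

```kql
// Added example: successful sign-ins that the Conditional Access policies above should
// have stopped, grouped by the kind of gap, plus what report-only policies would have done.
// Assumptions: Sentinel SigninLogs; Lookback is a placeholder.
let Lookback = 7d;
let ModernClients = dynamic(["Browser", "Mobile Apps and Desktop clients"]);
// Part 1: enforced-policy gaps on successful sign-ins
let Gaps = SigninLogs
    | where TimeGenerated > ago(Lookback)
    | where ResultType == "0"                                   // successful sign-ins only
    | extend DeviceCompliant = tobool(DeviceDetail.isCompliant),
             TrustType       = tostring(DeviceDetail.trustType)
    | extend Gap = case(
        ClientAppUsed !in (ModernClients),                       "LegacyAuthAllowed",
        AuthenticationRequirement != "multiFactorAuthentication", "SingleFactorAccess",
        DeviceCompliant != true and TrustType != "Hybrid Azure AD joined", "UnmanagedDevice",
        "")
    | where isnotempty(Gap)
    | summarize TimeGenerated = max(TimeGenerated), SignIns = count(),
                Users = dcount(UserPrincipalName),
                SampleUsers = make_set(UserPrincipalName, 10),
                Apps = make_set(AppDisplayName, 20),
                ClientApps = make_set(ClientAppUsed, 10)
      by Gap, ConditionalAccessStatus
    | project TimeGenerated, Section = "EnforcedGap",
        Details = bag_pack("Gap", Gap, "CAStatus", ConditionalAccessStatus,
                           "SignIns", SignIns, "Users", Users, "SampleUsers", SampleUsers,
                           "Apps", Apps, "ClientApps", ClientApps);
// Part 2: report-only policies that would have blocked or interrupted a sign-in,
// which shows the blast radius of a new policy before it is switched to "On"
let ReportOnly = SigninLogs
    | where TimeGenerated > ago(Lookback)
    | mv-expand Policy = ConditionalAccessPolicies
    | where tostring(Policy.result) in ("reportOnlyFailure", "reportOnlyInterrupted")
    | summarize TimeGenerated = max(TimeGenerated), WouldAffect = count(),
                Users = dcount(UserPrincipalName),
                Apps = make_set(AppDisplayName, 20)
      by PolicyName = tostring(Policy.displayName), Outcome = tostring(Policy.result)
    | project TimeGenerated, Section = "ReportOnly",
        Details = bag_pack("Policy", PolicyName, "Outcome", Outcome,
                           "WouldAffect", WouldAffect, "Users", Users, "Apps", Apps);
union Gaps, ReportOnly
| order by Section asc, TimeGenerated desc
```

Treat the "SingleFactorAccess" rows as an investigation list rather than an alert: a sign-in that reuses an existing session can legitimately show a single-factor requirement, so the useful signal is the apps and client types that appear there repeatedly. The "ReportOnly" rows are the numbers to review with the IAM team before a new policy is moved from report-only to enforced.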
Deploy Identity Protection Policies
Configure or tune Entra ID Protection:
- User risk policy: Auto-remediate high-risk users
- Sign-in risk policy: Block or require MFA at medium/high risk
- Customize risk detection sensitivity
- Integrate with Conditional Access
- Enable self-service password reset for low-risk scenarios
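A user risk policy that is configured but never fires looks identical in the portal to one that works, so the check worth adding is whether risky users are actually being remediated. The query below is an added example for this SOP, not from the original document; it assumes the Sentinel AADRiskyUsers and AADUserRiskEvents tables from the Entra ID connector, and Lookback and GracePeriod are placeholders.

```kql
// Added example: verify that Identity Protection policies remediate risk, and show the
// detection mix used to tune sensitivity.
// Assumptions: Sentinel AADRiskyUsers and AADUserRiskEvents tables; Lookback and
// GracePeriod (how long auto-remediation is allowed to take) are placeholders.
let Lookback = 14d;
let GracePeriod = 4h;
// Part 1: users still at medium/high risk beyond the grace period, i.e. the user risk
// policy did not force a password change or the user has not completed it
let Unremediated = AADRiskyUsers
    | where TimeGenerated > ago(Lookback)
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName     // latest state per user
    | where RiskState == "atRisk" and RiskLevel in ("medium", "high")
    | where RiskLastUpdatedDateTime < ago(GracePeriod)
    | project TimeGenerated, Section = "UnremediatedRiskyUser",
        Details = bag_pack("User", UserPrincipalName, "RiskLevel", RiskLevel,
                           "RiskDetail", RiskDetail, "AtRiskSinceUtc", RiskLastUpdatedDateTime);
// Part 2: detections by type and level, with how many were closed by policy (remediated)
// versus left open, which is the input for tuning sign-in risk thresholds
let DetectionMix = AADUserRiskEvents
    | where TimeGenerated > ago(Lookback)
    | summarize TimeGenerated = max(TimeGenerated), Detections = count(),
                Users = dcount(UserPrincipalName),
                StillAtRisk = countif(RiskState == "atRisk"),
                Remediated  = countif(RiskState == "remediated"),
                Dismissed   = countif(RiskState == "dismissed")
      by RiskEventType, RiskLevel
    | project TimeGenerated, Section = "DetectionMix",
        Details = bag_pack("Type", RiskEventType, "Level", RiskLevel,
                           "Detections", Detections, "Users", Users,
                           "StillAtRisk", StillAtRisk, "Remediated", Remediated,
                           "Dismissed", Dismissed);
union Unremediated, DetectionMix
| order by Section asc, TimeGenerated desc
```

Any row under "UnremediatedRiskyUser" means either the policy scope excludes that user, the user is blocked from self-service password reset, or the grace period is too short for the organisation; each is a finding to record. A "DetectionMix" row whose StillAtRisk count stays high for a low-severity type is the usual sign that the sign-in risk threshold is set above the level at which that detection fires.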
Implement Privileged Access Workstations (PAWs)
For privileged accounts:
- Deploy dedicated hardened workstations
- Implement strict application control (allowlisting)
- Require device compliance
- Disable internet browsing from PAWs
- Enforce jump box/bastion architecture
Security Awareness and Training
Conduct Targeted User Training
Based on attack vector, deploy training on:
- Phishing identification and reporting
- MFA best practices and fatigue attack awareness
- Password security and password manager usage
- Suspicious sign-in alert recognition
- OAuth consent grant risks
- Social engineering tactics
- Secure remote work practices
Track training metrics:
- Completion rates
- Assessment scores
- Phishing simulation click rates
- Behavioral improvements
Phishing Simulation Campaign
Deploy simulated phishing tests:
- Mirror tactics used in actual compromise
- Measure baseline susceptibility
- Provide immediate training for users who click
- Track improvement over time
- Adjust training based on results
Update Security Documentation
Revise documentation based on lessons learned:
- Update this SOP with new procedures
- Enhance investigation playbooks
- Update user security guides
- Revise incident response runbooks
- Create quick reference guides
- Update security awareness materials
Compliance and Regulatory
Assess Data Breach Notification Requirements
Determine if incident triggers notification obligations:
- GDPR (EU): 72-hour notification for personal data breaches
- CCPA (California): Notification for breached PII
- HIPAA (Healthcare): PHI breach notification
- State laws: Various US state breach notification laws
- Industry regulations: PCI-DSS, SOX, etc.
Work with legal and privacy teams to:
- Assess notification requirements
- Determine affected individuals
- Draft notification communications
- File regulatory reports as required
- Document compliance activities
Report to Law Enforcement (If Applicable)
Consider reporting to:
- FBI Internet Crime Complaint Center (IC3): https://www.ic3.gov
- Local law enforcement cyber crime unit
- National Cyber Security Centre (NCSC) in applicable countries
- Financial crimes authorities (if financial fraud occurred)
Preserve evidence for potential criminal investigation.
Cyber Insurance Claim
If applicable:
- Notify cyber insurance carrier immediately
- Provide incident documentation
- Coordinate with insurance-approved vendors
- Track all incident-related expenses
- Follow claim procedures per policy
Threat Intelligence Sharing
Share Indicators of Compromise
Contribute to community defense:
- Submit malicious OAuth app details to Microsoft
- Share anonymized attack patterns with industry ISACs
- Report phishing infrastructure to abuse contacts
- Contribute to threat intelligence platforms (MISP, etc.)
- Publish lessons learned (anonymized) to security community
Coordinate with legal team before external sharing.
Update Threat Intelligence Database
Add indicators to internal threat intelligence:
- Malicious IP addresses
- Suspicious OAuth application IDs
- Phishing email patterns
- Attacker techniques and procedures
- Campaign attribution (if known)
Escalation Criteria
Escalate from L1 to L2 when:
- Account compromise is confirmed (not a false positive)
- Privileged account or service account is potentially affected
- Multiple failed containment attempts
- Suspicious OAuth applications or consents detected
- Mailbox forwarding or unusual email activity confirmed
- Evidence of lateral movement to other accounts
- Data exfiltration suspected
- Incident complexity exceeds L1 investigation capabilities
- Initial containment does not stop malicious activity
Escalate from L2 to L3/Incident Response Team when:
- Global Administrator or highly privileged account compromised
- Multiple accounts compromised (coordinated attack)
- Advanced persistence mechanisms detected
- Azure resource manipulation or deletion detected
- Business-critical application compromise
- Large-scale data exfiltration confirmed
- Suspected Advanced Persistent Threat (APT) activity
- Root cause cannot be determined by L2
- Incident duration exceeds 4 hours without resolution
- Severity assessed as HIGH or CRITICAL
- Complex OAuth consent grant attacks
- Service principal or managed identity compromise
Escalate to Management/Executive Leadership when:
- Incident severity is CRITICAL (P1)
- Executive or C-level account compromised
- Global Administrator account compromised
- Widespread business disruption
- Confirmed data breach requiring regulatory notification
- Financial fraud or significant monetary loss
- Sensitive or regulated data accessed (PHI, PCI, classified)
- Media attention or public disclosure risk
- Legal action potential (lawsuits, regulatory penalties)
- Cyber insurance claim required
- Third-party or supply chain implications
- Nation-state actor suspected
Escalation Communication Requirements
When escalating, provide:
Incident Summary
- User account(s) affected
- Detection method and timestamp
- Current severity assessment
- Business impact assessment
Technical Details
- Indicators of compromise observed
- Attack vector (if known)
- Systems and data accessed
- Containment actions already taken
Immediate Needs
- Additional resources required
- Authorization requests (account disablements, policy changes)
- Escalation rationale
- Recommended next steps
Supporting Evidence
- Sign-in log excerpts
- Audit log entries
- Screenshots or forensic artifacts
- Timeline of events
Emergency Contact Information
SOC Escalation Chain:
- SOC L2 Lead: [Phone] [Email]
- SOC Manager: [Phone] [Email]
- Security Operations Manager: [Phone] [Email]
Incident Response:
- IR Team Lead: [Phone] [Email]
- CISO: [Phone] [Email]
Identity and Access Management:
- IAM Manager: [Phone] [Email]
- Entra ID Administrator: [Phone] [Email]
Executive:
- CIO: [Phone] [Email]
- General Counsel: [Phone] [Email]
External:
- Microsoft Support: 1-800-MICROSOFT (Premier Support)
- External IR Firm: [Phone] [Contract Number]
- Cyber Insurance: [Phone] [Policy Number]
References
Microsoft Documentation
- Microsoft Entra ID Protection: https://learn.microsoft.com/entra/id-protection/
- Conditional Access: https://learn.microsoft.com/entra/identity/conditional-access/
- Privileged Identity Management: https://learn.microsoft.com/entra/id-governance/privileged-identity-management/
- Microsoft Defender for Cloud Apps: https://learn.microsoft.com/defender-cloud-apps/
- Microsoft Security Best Practices: https://learn.microsoft.com/security/
- Azure AD Security Operations Guide: https://learn.microsoft.com/azure/active-directory/architecture/security-operations-introduction
Industry Frameworks
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-63B: Digital Identity Guidelines
- CIS Controls v8: Control 6 (Access Control Management)
- MITRE ATT&CK for Enterprise: Cloud tactics and techniques
- SANS Incident Handler's Handbook
- ISO/IEC 27001: Identity and Access Management controls
Threat Intelligence
- Microsoft Security Intelligence: https://www.microsoft.com/security/blog/
- CISA Alerts: https://www.cisa.gov/news-events/cybersecurity-advisories
- MITRE ATT&CK Cloud Matrix: https://attack.mitre.org/matrices/enterprise/cloud/
- Azure AD Attack and Defense Playbook: Multiple industry sources
- OAuth Security Best Practices: OAuth.net and industry guides
Internal Documentation
- Enterprise Incident Response Plan
- Identity and Access Management Policy
- Cloud Security Architecture Standards
- Password Policy and Authentication Standards
- Privileged Access Management Procedures
- Data Classification and Handling Policy
- Business Continuity Plan
- Disaster Recovery Plan
- Security Awareness Training Program
- Change Management Procedures
Tools and Utilities
- Microsoft Graph PowerShell SDK: https://learn.microsoft.com/powershell/microsoftgraph/
- Azure AD Incident Response PowerShell Module: Community tools
- Microsoft 365 DSC: Configuration as code for M365
- Hawk: PowerShell-based DFIR tool for M365 investigations
- Microsoft Sentinel: KQL query references
Follow CyberHawk for More Threat Intelligence and Cybersecurity Content
Stay informed with the latest identity security insights, cloud security best practices, and incident response guidance:
- YouTube: @cyberhawkconsultancy
- TikTok: @cyberhawkthreatintel
- X (Twitter): @cyberhawkintel
- Telegram: @cyberhawkthreatintel
#cyberhawkthreatintel #cyberhawkconsultancy
This SOP should be reviewed and updated quarterly or after each significant Entra ID compromise incident to incorporate lessons learned and evolving threat landscape changes.