Login
      Contents x
      Remove Red Canary Active Remediation Access from Your Microsoft Defender Console
      • 16 Jul 2024
      • 1 Minute to read
      • PDF
      Contents

      Remove Red Canary Active Remediation Access from Your Microsoft Defender Console

      • Updated on 16 Jul 2024
      • 1 Minute to read
      • PDF
      Article summary

      Removing permissions for the Red Canary Cyber Incident Response Team (CIRT) requires deleting the Active Remediation access package. This access package, created using Microsoft Identity Governance, contains an elevated permissions role within Microsoft Defender for Endpoint necessary for Red Canary's Active Remediation service.

      Step 1: Azure–Delete the Microsoft Azure identity governance access package for Active Remediation

      Note: If Red Canary services are still going to be used, do not delete the standard Red Canary access package. You only need to delete the Red Canary Active Remediation access package.

      1. From your Azure portal, log in with your global administrator account. 

      2. Expand the navigation pane, and then click Azure Active Directory.

      3. Click Identity Governance, and then click Catalogs

      4. Select Red Canary catalog.

      5. From the Manage section, click Access Packages, and then click Red Canary Active Remediation Access Package.

      6. From the access package overview screen, click Delete.

      7. Click Yes.

      Step 2: Azure–Delete the Active Remediation security group

      1. From your Azure portal, log in with your global administrator account.

      2. Expand the navigation pane, and then click Azure Active Directory.

      3. Click Groups, and then click New Group.

      4. Search for the Red Canary Active Remediation group.

      5. Select Red Canary Active Remediation, and then click Delete.

      6. Click Yes at the confirmation prompt.

      Step 3: Microsoft Defender XDR–Delete the role-based access permissions in Microsoft Defender for Endpoint

      1. From your Microsoft Defender XDR portal, log in with your global administrator account.

      2. Click Settings, and then click Endpoints.

      3. Click Roles.

      4. Select the Red Canary Active Remediation role.

      5. At the confirmation screen, click Delete.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout