Response Actions for Entra ID
    • 27 Jun 2025

    The Red Canary Automation interface provides the following four response actions for Microsoft Entra ID:

    Clear User Sessions
    Invalidates all refresh tokens and session cookies for a user account, forcing them to re-authenticate with any applications they've previously authorized.

    Suspend User
    Disables the user account within Entra ID.

    Unsuspend User
    Re-enables the user account within Entra ID.

    Force Password Reset
    Updates the user account in Entra ID to require a password reset at the next login. Note that this doesn't log the user out, so typically you'll combine it with a Clear User Sessions action to properly deal with potentially compromised credentials.

    The necessary Azure permissions will be requested automatically when you add an action to a playbook. For more information about the permissions required, see Permission Requirements for Microsoft.
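
    The Force Password Reset note above can be checked after a playbook has run. The following Python check is an added example, not Red Canary's code: it assumes you have fetched the user from Microsoft Graph with `$select=accountEnabled,signInSessionsValidFromDateTime,passwordProfile`, and the function name and sample records are constructed for illustration.

```python
from datetime import datetime, timezone


def _ts(value):
    # Graph returns ISO 8601 UTC timestamps such as 2025-01-15T10:05:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def containment_gaps(user, detected_at):
    """Return the gaps left on one account after response actions.

    user: dict shaped like a Microsoft Graph user object (assumed to be
          fetched with the $select list named in the lead-in).
    detected_at: timezone-aware datetime of the suspected compromise.
    """
    gaps = []
    disabled = user.get("accountEnabled") is False  # Suspend User
    valid_from = user.get("signInSessionsValidFromDateTime")
    # Clear User Sessions moves this timestamp forward to the time of the action.
    sessions_cleared = valid_from is not None and _ts(valid_from) >= detected_at
    profile = user.get("passwordProfile") or {}
    must_reset = bool(profile.get("forceChangePasswordNextSignIn"))  # Force Password Reset

    if not sessions_cleared:
        gaps.append("sessions not cleared since detection")
    if not disabled and not must_reset:
        gaps.append("account enabled and no password reset required")
    return gaps


# Constructed sample records (not real tenant data).
DETECTED = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
RESET_ONLY = {
    "accountEnabled": True,
    "signInSessionsValidFromDateTime": "2025-01-08T08:00:00Z",
    "passwordProfile": {"forceChangePasswordNextSignIn": True},
}
RESET_AND_CLEARED = dict(RESET_ONLY, signInSessionsValidFromDateTime="2025-01-15T10:05:00Z")
UNTOUCHED = dict(RESET_ONLY, passwordProfile={"forceChangePasswordNextSignIn": False})

if __name__ == "__main__":
    for name, rec in [("reset only", RESET_ONLY), ("reset + cleared", RESET_AND_CLEARED)]:
        print(name, "->", containment_gaps(rec, DETECTED) or "no gaps")
```

    A reset-only account reports the session gap; the same account after Clear User Sessions reports none.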

    Prerequisites

    • You have the Global Administrator role in Azure.

    • You have an active Red Canary integration that streams the relevant Microsoft Entra ID identity logs. Typically this will be either an Entra ID integration or a Microsoft 365 integration.

    Important!

    If you need these actions to work for users with elevated permissions such as Global Administrators, you’ll also need to assign Red Canary the Privileged Authentication Administrator role in Entra ID. See Assigning the Privileged Auth Admin Role for details.

    Adding Entra ID Response Actions to a Playbook

    To add one or more Entra ID response actions to an Automate playbook:

    1. From the Red Canary portal navigation menu, select Automation > Playbooks.

    2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.

    3. Assign or edit the playbook name and description, then click +Add Action.

    4. From the Microsoft Entra ID section, add the required action to the playbook.

    5. Enter your Azure Tenant ID.

    6. In order to set the required Entra ID permissions for this action, click this consent link and log in to your Microsoft account as a Global Administrator.

    7. Review the permissions requested by the Red Canary app and click Accept.

      Note

      The first time you add an Entra ID response action, accepting these permissions will automatically install the Red Canary + Azure AD Response Actions enterprise app in Azure.

    8. After you’ve accepted the permissions request, check the Confirm Microsoft Automate API Access Granted box.

    9. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically triggered executions.

    10. Click Save.

    Manually Executing the Response Actions

    To execute the Entra ID response actions manually:

    1. Open the playbook and click Run.

    2. Search for the user identity in the dropdown, then click Run.

    3. Click the Follow along… link to view the results of the action.

      If you set the action to Require Approval, you’ll need to approve it before it can execute.

    Automatically Executing the Response Actions

    To execute the Entra ID response actions automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.

    Assigning the Privileged Auth Admin Role

    If you want to run Entra ID response actions on privileged users, you’ll need to log in to your Azure portal and grant the Privileged Authentication Administrator role to the Red Canary app.

    1. From your Azure homepage, select the Microsoft Entra ID Azure service.

    2. In the navigation pane, go to Manage > Roles and administrators.

    3. Use the search bar to locate and open the Privileged Authentication Administrator role.

    4. Go to the Active assignments tab and click Add assignments.

    5. Under Select member(s), click No member selected.

    6. Choose the Red Canary + Azure AD Response Actions enterprise application and click Select.

    7. Click Next >.

    8. Set the assignment duration to Permanently assigned and enter a justification note.

    9. Click Assign.

