Response Actions for Entra ID
- Updated on 27 Jun 2025
The Red Canary Automation interface provides the following four response actions for Microsoft Entra ID:
Clear User Sessions
Invalidates all refresh tokens and session cookies for a user account, forcing them to re-authenticate with any applications they've previously authorized.
Suspend User
Disables the user account within Entra ID.
Unsuspend User
Re-enables the user account within Entra ID.
Force Password Reset
Updates the user account in Entra ID to require a password reset at the next login. Note that this doesn't log the user out, so typically you'll combine it with a Clear User Sessions action to properly deal with potentially compromised credentials.
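The following is an added example, not Red Canary's code: a check an analyst could run after a playbook executes to confirm that a password reset was paired with a session clear. It assumes the user record was fetched from Microsoft Graph with the `accountEnabled`, `signInSessionsValidFromDateTime` and `passwordProfile` properties selected; the function names, detection time and sample users are constructed for illustration, and the page does not state how the actions are implemented.

```python
from datetime import datetime

def parse_ts(value):
    """Parse a Graph-style ISO 8601 timestamp such as 2025-06-27T14:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def containment_gaps(user, detected_at):
    """Return the containment gaps that remain for one user.

    user: dict shaped like a Microsoft Graph user object (assumed input).
    detected_at: timezone-aware datetime of the detection being handled.
    """
    valid_from = user.get("signInSessionsValidFromDateTime")
    # Tokens and cookies issued before valid_from are rejected, so a session
    # clear only counts if it happened at or after the detection time.
    sessions_cleared = bool(valid_from) and parse_ts(valid_from) >= detected_at
    suspended = user.get("accountEnabled") is False
    profile = user.get("passwordProfile") or {}
    reset_pending = bool(profile.get("forceChangePasswordNextSignIn"))

    gaps = []
    if not sessions_cleared:
        gaps.append("sessions issued before the detection were not invalidated")
    if reset_pending and not sessions_cleared:
        gaps.append("password reset is pending but the user was not logged out")
    if not suspended and not reset_pending:
        gaps.append("account is enabled and no password reset is required")
    return gaps

# Constructed sample data: a detection time and four user states.
DETECTED_AT = parse_ts("2025-06-27T14:00:00Z")
OLD, NEW = "2025-06-20T09:00:00Z", "2025-06-27T14:05:00Z"
SAMPLE_USERS = {
    "reset_only": {"accountEnabled": True, "signInSessionsValidFromDateTime": OLD,
                   "passwordProfile": {"forceChangePasswordNextSignIn": True}},
    "reset_and_cleared": {"accountEnabled": True, "signInSessionsValidFromDateTime": NEW,
                          "passwordProfile": {"forceChangePasswordNextSignIn": True}},
    "cleared_only": {"accountEnabled": True, "signInSessionsValidFromDateTime": NEW,
                     "passwordProfile": {"forceChangePasswordNextSignIn": False}},
    "suspended_only": {"accountEnabled": False, "signInSessionsValidFromDateTime": OLD,
                       "passwordProfile": None},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, containment_gaps(user, DETECTED_AT) or "no gaps")
```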
The necessary Azure permissions will be requested automatically when you add an action to a playbook. For more information about the permissions required, see Permission Requirements for Microsoft.
Prerequisites
You have the Global Administrator role in Azure.
You have an active Red Canary integration that streams the relevant Microsoft Entra ID identity logs. Typically this will be either an Entra ID integration or a Microsoft 365 integration.
Important!
If you need these actions to work for users with elevated permissions such as Global Administrators, you’ll also need to assign Red Canary the Privileged Authentication Administrator role in Entra ID. See Assigning the Privileged Auth Admin Role for details.
Adding Entra ID Response Actions to a Playbook
To add one or more Entra ID response actions to an Automate playbook:
From the Red Canary portal navigation menu, select Automation > Playbooks.
In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.
Assign or edit the playbook name and description, then click +Add Action.
From the Microsoft Entra ID section, add the required action to the playbook.
Enter your Azure Tenant ID.
In order to set the required Entra ID permissions for this action, click this consent link and log in to your Microsoft account as a Global Administrator.
Review the permissions requested by the Red Canary app and click Accept.
Note
The first time you add an Entra ID response action, accepting these permissions will automatically install the Red Canary + Azure AD Response Actions enterprise app in Azure.
After you’ve accepted the permissions request, check the Confirm Microsoft Automate API Access Granted box.
[OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically triggered executions.
Click Save.
Manually Executing the Response Actions
To execute the Entra ID response actions manually:
Open the playbook and click Run.
Search for the user identity in the drop-down, then click Run.
Click the Follow along… link to view the results of the action.
If you set the action to Require Approval, you’ll need to approve it before it can execute.
Automatically Executing the Response Actions
To execute the Entra ID response actions automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.
Assigning the Privileged Auth Admin Role
If you want to run Entra ID response actions on privileged users, you’ll need to log in to your Azure portal and grant the Privileged Authentication Administrator role to the Red Canary app.
From your Azure homepage, select the Microsoft Entra ID Azure service.
In the navigation pane, go to Manage > Roles and administrators.
Use the search bar to locate and open the Privileged Authentication Administrator role.
Go to the Active assignments tab and click Add assignments.
Under Select member(s), click No member selected.
Choose the Red Canary + Azure AD Response Actions enterprise application and click Select.
Click Next >.
Set the assignment duration to Permanently assigned and enter a justification note.
Click Assign.