Login
        Contents x
        Response Actions for Entra ID
        • 27 Jun 2025
        • 2 Minutes to read
        • PDF
        Contents

        Response Actions for Entra ID

        • Updated on 27 Jun 2025
        • 2 Minutes to read
        • PDF
        Article summary

        The Red Canary Automation interface provides the following four response actions for Microsoft Entra ID:

        Clear User Sessions
        Invalidates all refresh tokens and session cookies for a user account, forcing them to re-authenticate with any applications they've previously authorized.

        Suspend User
        Disables the user account within Entra ID.

        Unsuspend User
        Renables the user account within Entra ID.

        Force Password Reset
        Updates the user account in Entra ID to require a password reset at the next login. Note that this doesn't log the user out, so typically you'll combine it with a Clear User Sessions action to properly deal with potentially compromised credentials.

        The necessary Azure permissions will be requested automatically when you add an action to a playbook. For more information about the permissions required, see Permission Requirements for Microsoft.

        Prerequisites

        • You have the Global Administrator role in Azure

        • You have an active Red Canary integration that streams the relevant Microsoft Entra ID identity logs. Typically this will be either an Entra ID integration or a Microsoft 365 integration.

        Important!

        If you need these actions to work for users with elevated permissions such as Global Administrators, you’ll also need to assign Red Canary the Privileged Authentication Administrator role in Entra ID. See Assigning the Privileged Auth Admin Role for details.

        Adding Entra ID Response Actions to a Playbook

        To add one or more Entra ID response actions to an Automate playbook:

        1. From the Red Canary portal navigation menu, select Automation > Playbooks.

        2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.

        3. Assign or edit the playbook name and description, then click +Add Action.

        4. From the Microsoft Entra ID section, add the required action to the playbook.

        5. Enter your Azure Tenant ID.

        6. In order to set the required Entra ID permissions for this action, click this consent link and log in to your Microsoft account as a Global Administrator.

        7. Review the permissions requested by the Red Canary app and click Accept.

          Note

          The first time you add an Entra ID response action, accepting these permissions will automatically install the Red Canary +  Azure AD Response Actions enterprise app in Azure.

        8. After you’ve accepted the permissions request, check the Confirm Microsoft Automate API Access Granted box.

        9. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically-triggered executions.

        10. Click Save.

        Manually Executing the Reponse Actions

        To execute the Entra ID response actions manually:

        1. Open the playbook and click Run.

        2. Search for the user identity in the drop down then click Run.

        3. Click the Follow along… link to view the results of the action.

          If you set the action to Require Approval, you’ll need to approve it before it can execute.

        Automatically Executing the Response Actions

        To execute the Entra ID response actions automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.

        Assigning the Privileged Auth Admin Role

        If you want to run Entra ID response actions on privileged users, you’ll need to log in to your Azure portal and grant the Privileged Authentication Administrator role to the Red Canary app.

        1. From your Azure homepage, select the Microsoft Entra ID Azure service.

        2. In the navigation pane, go to Manage > Roles and administrators.

        3. Use the search bar to locate and open the Privileged Authentication Administrator role.

        4. Go to the Active assignments tab and click Add assignments.

        5. Under Select member(s), click No member selected.

        6. Choose the Red Canary + Azure AD Response Actions enterprise application and click Select.

        7. Click Next >.

        8. Set the assignment duration to Permanently assigned and enter a justification note.

        9. Click Assign.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout