- 01 Aug 2024
Response Actions for Entra ID
This article walks you through setting up Red Canary Automate Playbooks that use Entra ID response actions.
Prerequisites
You must be logged in as a Global Administrator.
Correct Entra ID Tenant Installation:
Install the app in the appropriate Entra ID tenant(s) where you want response actions to apply.
The default tenant may be the only tenant selected for install. However, if other relevant tenants exist, be sure to install the app in those tenants.
Confirm that the app installation is not pending approval in the Admin Consent Requests section in Azure.
Create a new playbook or edit an existing one
Follow these steps to create or edit an automation playbook that uses Entra ID response actions.
From the Red Canary navigation menu, click Automation.
Click Playbooks.
Click Create New Playbook (alternatively, select an existing playbook and edit it).
Enter a name for your new playbook.
Click + Add Action.
Scroll down to the Microsoft Entra ID section, and select one of the Supported actions:
Clear Microsoft Entra ID User Sessions: This signs the user out of all services that authenticate with Entra ID, invalidates all of the user’s refresh tokens, and invalidates all session cookies in the user’s browser by resetting the refreshTokenValidFromDateTime user property to the current date-time. The user can still sign in to their Azure account again with valid credentials. This action invalidates refresh tokens for any Entra ID user, including Global Admins.
Suspend Microsoft Entra ID User: This prevents users from logging in to their Azure account by setting the accountEnabled user property to false. This will suspend any Entra ID user, including Global Admins.
Un-suspend Microsoft Entra ID User: This enables a user to log back in to their Azure account by setting the accountEnabled user property to true. You might use this action when a threat is marked as remediated.
After selecting one of the supported actions, click +Add to Playbook.
Enter your Tenant ID.
To ensure Red Canary has the appropriate level of access, click the consent link.
Log in to Microsoft.
Click Accept.
In Microsoft Azure
After approving Red Canary’s App registration, you will need to log in to your Azure portal and grant our App Registration the Privileged Authentication Administrator role. Adding this role will enable Red Canary to suspend and un-suspend privileged users.
Note: Learn more about Entra ID built-in roles.
From your Microsoft Azure homepage, in the search bar, type and then select Azure Active Directory.
From the Navigation pane, click Roles and administrators.
In the search bar, type and then select Privileged Authentication Administrator.
Click on the Active assignments tab.
Click + Add assignments.
Click No member selected.
In the search bar, type and then select Red Canary + Entra ID Response Actions.
Click Select.
Click Next >.
Select Permanently Assigned.
Enter a justification for personal record keeping.
Click Assign.
In Red Canary
Complete the playbook process in Red Canary.
Select Confirm Microsoft Automate API Access Granted.
Optional step: Select Require approval to choose how you are notified when an alert is generated.
Click Save.
Note: Approval is optional for these response actions. When approving the execution of this action, you will specify the appropriate user to target with the response action.
Respond to generated threats
After an alert is generated, assign an action to that threat.
From the Red Canary navigation menu, click Threats.
Select the Entra ID threat you want to respond to.
Scroll down until you see entries for the Automate Playbook Execution.
Click on the Execution Details dropdown.
Click the Select a user dropdown, and then select the user you want to take action on.
You can either click Approve and Continue to enact the playbook action you designed, or you can click Deny and prevent an action from executing.
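After approving an execution, it is worth confirming in Microsoft Graph that the action had the effect described above (accountEnabled set to false or true, token validity reset to the time of the run). The following is an added example, not Red Canary’s code; it assumes the user object was fetched from Graph with the $select shown in the comment, and it checks the Graph property signInSessionsValidFromDateTime rather than the property name used in the action description.

```python
# Added example (not Red Canary's code): check a Microsoft Graph user object
# to confirm that an Entra ID response action had the effect described above.
# Assumption: the object was fetched with GET /v1.0/users/{id}
#   ?$select=userPrincipalName,accountEnabled,signInSessionsValidFromDateTime
from datetime import datetime, timezone

# Constructed samples, not real tenant data. EXECUTED_AT is when the
# playbook ran; GOOD_USER reflects a successful Suspend + Clear Sessions.
EXECUTED_AT = datetime(2024, 8, 1, 10, 0, 0, tzinfo=timezone.utc)
GOOD_USER = {
    "userPrincipalName": "alice@contoso.example",
    "accountEnabled": False,
    "signInSessionsValidFromDateTime": "2024-08-01T10:00:12Z",
}
# STALE_USER: still enabled and with a token-validity timestamp from before
# the playbook ran, i.e. neither action took effect.
STALE_USER = {
    "userPrincipalName": "bob@contoso.example",
    "accountEnabled": True,
    "signInSessionsValidFromDateTime": "2024-07-15T08:30:00Z",
}

def _parse(ts):
    # Graph returns ISO 8601 with a trailing "Z"; fromisoformat wants "+00:00"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def verify_response_action(user, action, executed_at=EXECUTED_AT):
    """Return (ok, reasons) for 'suspend', 'unsuspend' or 'clear_sessions'."""
    reasons = []
    if action == "suspend":
        # accountEnabled=false blocks new sign-ins only; tokens already issued
        # stay valid until they expire, which is why Clear Sessions is paired
        # with Suspend.
        if user.get("accountEnabled") is not False:
            reasons.append("accountEnabled is not false; user can still sign in")
    elif action == "unsuspend":
        if user.get("accountEnabled") is not True:
            reasons.append("accountEnabled is not true; user is still blocked")
    elif action == "clear_sessions":
        ts = user.get("signInSessionsValidFromDateTime")
        if ts is None:
            reasons.append("signInSessionsValidFromDateTime absent; add it to $select")
        elif _parse(ts) < executed_at:
            reasons.append("token validity timestamp predates the playbook run")
    else:
        raise ValueError(f"unknown action: {action!r}")
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, user in (("GOOD_USER", GOOD_USER), ("STALE_USER", STALE_USER)):
        for action in ("suspend", "clear_sessions"):
            print(name, action, verify_response_action(user, action))
```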