Response Actions for Entra ID
    • 01 Aug 2024


    Article summary

    This article leads you through the set up of Red Canary Automate Playbooks that use Entra ID response actions.

    Prerequisites

    1. You must be logged in as a Global Administrator.

    2. Correct Entra ID Tenant Installation:

      • Install the app in the appropriate Entra ID tenant(s) where you want response actions to apply.

      • The default tenant may be the only tenant selected for install. However, if other relevant tenants exist, be sure to install the app in those tenants.

    3. Confirm that the app installation is not pending approval in the Admin Consent Requests section in Azure.

    Create a new playbook or edit an existing one

    Follow these steps to create and/or edit an automation playbook which uses Entra ID response actions.

    1. From the Red Canary navigation menu, click Automation.

    2. Click Playbooks.

    3. Click Create New Playbook (alternatively, select an existing playbook and edit it).

    4. Enter a name for your new playbook.

    5. Click + Add Action.

    6. Scroll down to the Microsoft Entra ID section, and select one of the Supported actions:

      1. Clear Microsoft Entra ID User Sessions: This logs users out of all services that authenticate with Entra ID, invalidates all of the user’s refresh tokens, and invalidates all session cookies in a user’s browser by resetting the refreshTokenValidFromDateTime user property to the current date-time. The user can still authenticate their Azure account with valid credentials. This action invalidates refresh tokens for any Entra ID user, including Global Admins. 

      2. Suspend Microsoft Entra ID User: This prevents users from logging in to their Azure account by setting the accountEnabled user property to false. This will suspend any Entra ID user, including Global Admins.  

      3. Un-suspend Microsoft Entra ID User: This enables a user to log back in to their Azure account by setting the accountEnabled user property to true. You might use this action when a threat is marked as remediated.

    7. After selecting one of the supported actions, click +Add to Playbook.

    8. Enter your Tenant ID.

    9. To ensure Red Canary has the appropriate level of access, click the consent link.

    10. Log in to Microsoft.

    11. Click Accept.

    In Microsoft Azure

    After approving Red Canary’s App registration, you will need to log in to your Azure portal and grant our App Registration the Privileged Auth Admin role. Adding the Privileged Auth Admin role will enable Red Canary to suspend and un-suspend privileged users.

    Note: Learn more about Entra ID built-in roles.

    1. From your Microsoft Azure homepage, in the search bar, type and then select Azure Active Directory.

    2. From the Navigation pane, click Roles and administrators.


    3. In the search bar, type and then select Privileged Authentication Administrator.


    4. Click on the Active assignments tab.

    5. Click + Add assignments.

    6. Click No member selected.


    7. In the search bar, type and then select Red Canary + Entra ID Response Actions.


    8. Click Select.

    9. Click Next >.

    10. Select Permanently Assigned.

    11. Enter a justification for personal record keeping.


    12. Click Assign.

    In Red Canary

    Complete the playbook process in Red Canary.

    1. Select Confirm Microsoft Automate API Access Granted.

    2. Optional Step: Select how you want to be notified when an alert is generated by selecting Require approval.

    3. Click Save.

      Note: Approval is optional for these response actions. When approving the execution of this action, you will specify the appropriate user to target with the response action.

    Respond to generated threats

    After an alert is generated, assign an action to that threat.

    1. From the Red Canary navigation menu, click Threats.

    2. Select the Entra ID threat you want to respond to.

    3. Scroll down until you see entries for the Automate Playbook Execution.

    4. Click on the Execution Details dropdown.


    5. Click the Select a user dropdown, and then select the user you want to take action on.


    6. You can either click Approve and Continue to enact the playbook action you designed, or you can click Deny and prevent an action from executing.

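    Once a Clear User Sessions or Suspend action has been approved, you will usually want to confirm from your own side that the user properties described under Supported actions actually changed. The following PowerShell function is an added example, not Red Canary's code; it assumes the Microsoft Graph PowerShell SDK is installed, that you connect with at least the User.Read.All scope, and that the user principal name and approval time are placeholders you supply.

```powershell
# Added example (not Red Canary's code): check from the defender side whether an
# Entra ID response action took effect, via the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the caller has User.Read.All.

function Test-EntraResponseAction {
    param(
        # Placeholder: the user the playbook action targeted
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Placeholder: the time (UTC) the playbook action was approved
        [Parameter(Mandatory)] [datetime] $ActionTime
    )

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property "id,userPrincipalName,accountEnabled,signInSessionsValidFromDateTime"

    # Suspend sets accountEnabled to false; Un-suspend sets it back to true
    $suspended = -not $user.AccountEnabled

    # Clearing sessions resets the token-validity timestamp to "now"; refresh tokens
    # and session cookies issued before it are rejected. If the timestamp is at or
    # after the approval time, the Clear User Sessions action has been applied.
    $validFrom = $user.SignInSessionsValidFromDateTime
    $sessionsCleared = ($null -ne $validFrom) -and
        ($validFrom.ToUniversalTime() -ge $ActionTime.ToUniversalTime())

    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        AccountEnabled       = $user.AccountEnabled
        Suspended            = $suspended
        SessionsValidFrom    = $validFrom
        SessionsClearedSince = $sessionsCleared
    }
}

# Usage (placeholder values):
# Connect-MgGraph -Scopes "User.Read.All"
# Test-EntraResponseAction -UserPrincipalName "user@contoso.example" `
#     -ActionTime (Get-Date "2024-08-01T12:00:00Z")
```

    Note that access tokens already issued to the user remain usable until they expire (typically up to an hour), so a recently cleared session may retain access briefly after the timestamp moves.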
