Response Actions for Entra ID Protection
    • 27 Jun 2025

    The Red Canary Automation interface provides the following response action for Microsoft Entra ID Protection:

    Mark User Compromised
    Marks a user account as "confirm compromised," which automatically elevates their risk level to high within the Entra ID environment. The user's risk level can then be used by conditional access policies in Entra ID to require a password reset, block sign in, or apply stricter access controls.

    The necessary Azure permissions will be requested automatically when you add the action to a playbook. For more information about the permissions required, see Permission Requirements for Microsoft.

    Prerequisites

    • You have a Microsoft Entra ID P2 License, which is required for the underlying Entra ID Protection capabilities that power this response action. See License Requirements for Microsoft for more information.

    • You have the Global Administrator role in Azure.

    • You have an active Red Canary integration that streams the relevant Microsoft Entra ID identity logs. Typically this will be either an Entra ID integration or a Microsoft 365 integration.

    Adding Entra ID Protection Response Actions to a Playbook

    To add one or more Entra ID Protection response actions to an Automate playbook:

    1. From the Red Canary portal navigation menu, select Automation > Playbooks.

    2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.

    3. Assign or edit the playbook name and description, then click +Add Action.

    4. From the Microsoft Entra ID Identity Protection section, add the required action to the playbook.

    5. Enter your Azure Tenant ID.

    6. In order to set the required Entra ID permissions for this action, click the consent link and log in to your Microsoft account as a Global Administrator.

    7. Review the permissions requested by the Red Canary app and click Accept.

      Note

      The first time you add an Entra ID response action, accepting these permissions will automatically install the Red Canary + Azure AD Response Actions enterprise app in Azure.

    8. After you’ve accepted the permissions request, check the Confirm Microsoft Automate API Access Granted box.

    9. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This applies to both manual and automatically triggered executions.

    10. Click Save.

    Manually Executing the Response Actions

    To execute the Entra ID Protection response actions manually:

    1. Open the playbook and click Run.

    2. Search for the user identity in the drop-down, then click Run.

    3. Click the Follow along… link to view the results of the action.

      If you set the action to Require Approval, you’ll need to approve it before it can execute.

    Automatically Executing the Response Actions

    To execute the Entra ID Protection response actions automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.
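
    One way to confirm that Mark User Compromised took effect, as an added example that is not Red Canary's code: it classifies Microsoft Graph riskyUser records for the users a playbook targeted, including the case where a conditional access password reset has already remediated the risk. The sample response, user names, and verdict labels are constructed, and the helper names are hypothetical; it assumes you have retrieved the records yourself from the Graph riskyUsers endpoint.

```python
import json

# Constructed sample shaped like a Microsoft Graph riskyUser collection
# (GET /identityProtection/riskyUsers). Users and values are invented.
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"userPrincipalName": "alice@example.com", "riskLevel": "high",
  "riskState": "confirmedCompromised",
  "riskDetail": "adminConfirmedUserCompromised", "isProcessing": false},
 {"userPrincipalName": "bob@example.com", "riskLevel": "none",
  "riskState": "remediated",
  "riskDetail": "userPerformedSecuredPasswordReset", "isProcessing": false},
 {"userPrincipalName": "carol@example.com", "riskLevel": "medium",
  "riskState": "atRisk", "riskDetail": "none", "isProcessing": false},
 {"userPrincipalName": "dave@example.com", "riskLevel": "low",
  "riskState": "atRisk", "riskDetail": "none", "isProcessing": true}
]}
""")


def classify(user):
    """Verdict for one riskyUser record after Mark User Compromised ran."""
    if user is None:
        return "not_found"        # no risk record at all for this user
    if user.get("isProcessing"):
        return "processing"       # Entra is still updating; check again later
    state, level = user.get("riskState"), user.get("riskLevel")
    if state == "confirmedCompromised" and level == "high":
        return "marked"           # the outcome the action is meant to produce
    if state == "remediated":
        return "remediated"       # e.g. a policy-driven password reset cleared it
    return "not_marked"           # action did not take effect for this user


def verify(response, expected_upns):
    """Map each user the playbook targeted to a verdict (hypothetical helper)."""
    by_upn = {u["userPrincipalName"].lower(): u for u in response.get("value", [])}
    return {upn: classify(by_upn.get(upn.lower())) for upn in expected_upns}


if __name__ == "__main__":
    targets = ["alice@example.com", "bob@example.com", "carol@example.com",
               "dave@example.com", "erin@example.com"]
    for upn, verdict in verify(SAMPLE_RESPONSE, targets).items():
        print(f"{upn}: {verdict}")
```

    A "not_marked" or "not_found" verdict for a targeted user is the case to investigate, since any conditional access policy keyed on high user risk will not apply to that account.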

