Response Actions for Entra ID Protection


The Red Canary Automation interface provides the following response action for Microsoft Entra ID Protection:

Mark User Compromised
Marks a user account as "confirm compromised," which automatically elevates the user's risk level to high within the Entra ID environment. Conditional access policies in Entra ID can then act on that user risk level to require a password reset, block sign-in, or apply stricter access controls.

The necessary Azure permissions will be requested automatically when you add the action to a playbook. For more information about the permissions required, see Permission Requirements for Microsoft.
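The page does not show what the action does on the Microsoft side. The following added example (not Red Canary's or Microsoft's code) assumes, as a labelled assumption, that "Mark User Compromised" corresponds to the Microsoft Graph `identityProtection/riskyUsers/confirmCompromised` endpoint, and shows the check an operator would want afterwards: read the user's `riskyUser` record back, confirm `riskState` and `riskLevel` reflect the action, and list which enabled conditional access policies would now apply at that risk level. The two user records and the policy list are constructed sample data; the functions that would touch Graph take a bearer token and are never called at import time.

```python
"""Verify the effect of a "confirm compromised" action via Microsoft Graph.

Added example, not Red Canary's or Microsoft's code. Assumption: the Red Canary
action maps to Graph's riskyUsers/confirmCompromised endpoint. Live calls are
isolated in functions that take a bearer token; nothing below reaches the
network at import time, and the sample records are constructed.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_confirm_compromised_request(user_ids, token):
    """Build the POST that marks the given user object ids as confirmed compromised.

    Needs the IdentityRiskyUser.ReadWrite.All Graph permission; Graph replies
    204 No Content on success. Returned as a Request so it can be inspected
    before being sent with urllib.request.urlopen(req).
    """
    body = json.dumps({"userIds": list(user_ids)}).encode()
    return urllib.request.Request(
        f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def fetch_risky_user(user_id, token):
    """GET the riskyUser record; its id is the user's Entra object id."""
    req = urllib.request.Request(
        f"{GRAPH}/identityProtection/riskyUsers/{user_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_user_marked(risky_user):
    """Return (ok, problems) for a riskyUser record read back after the action.

    A successfully applied action leaves riskState == "confirmedCompromised"
    and riskLevel == "high"; anything else is reported so the operator can
    tell a failed or not-yet-propagated action from a successful one.
    """
    problems = []
    state = risky_user.get("riskState")
    level = risky_user.get("riskLevel")
    if state != "confirmedCompromised":
        problems.append(f"riskState is {state!r}, expected 'confirmedCompromised'")
    if level != "high":
        problems.append(f"riskLevel is {level!r}, expected 'high'")
    return (not problems, problems)


def policies_triggered(risky_user, policies):
    """Names of enabled conditional access policies whose userRiskLevels
    condition matches this user's current riskLevel.

    `policies` uses a subset of the Graph conditionalAccessPolicy shape
    (displayName, state, conditions.userRiskLevels).
    """
    level = risky_user.get("riskLevel")
    hits = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # report-only and disabled policies do not enforce
        if level in policy.get("conditions", {}).get("userRiskLevels", []):
            hits.append(policy["displayName"])
    return hits


# Constructed sample data (placeholder ids, not from any real tenant).
SAMPLE_USER_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_BEFORE = {"id": SAMPLE_USER_ID, "userPrincipalName": "jdoe@example.com",
                 "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none"}
SAMPLE_AFTER = {"id": SAMPLE_USER_ID, "userPrincipalName": "jdoe@example.com",
                "riskLevel": "high", "riskState": "confirmedCompromised",
                "riskDetail": "adminConfirmedUserCompromised"}
SAMPLE_POLICIES = [
    {"displayName": "Require password change for high user risk", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "Block sign-in for high user risk", "state": "disabled",
     "conditions": {"userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for risky sign-ins", "state": "enabled",
     "conditions": {"userRiskLevels": [], "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    req = build_confirm_compromised_request([SAMPLE_USER_ID], "<access-token>")
    print(req.get_method(), req.full_url, req.data.decode())
    for label, record in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, problems = check_user_marked(record)
        print(label, "ok" if ok else problems, policies_triggered(record, SAMPLE_POLICIES))
```

The second sample policy is left disabled on purpose: a policy that is only report-only or disabled matches the risk level but enforces nothing, which is the usual reason a "confirmed compromised" user can still sign in normally. Run the script as-is to see the offline checks; replace the placeholder token and call `fetch_risky_user` to check a real tenant.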

Prerequisites

  • You have a Microsoft Entra ID P2 License, which is required for the underlying Entra ID Protection capabilities that power this response action. To verify this, refer to Microsoft's Subscription Matrix.

  • You have the Global Administrator role in Azure.

  • You know your Azure Tenant ID.

  • You have an active Red Canary integration that streams the relevant Microsoft Entra ID identity logs. Typically this will be either an Entra ID integration or a Microsoft 365 integration.

Adding the Entra ID Protection Response Action to a Playbook

To add the Entra ID Protection response action to an Automate playbook:

  1. From the Red Canary portal navigation menu, select Automation > Playbooks.

  2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.

  3. Assign or edit the playbook name and description, then click +Add Action.

  4. From the Microsoft Entra ID Identity Protection section, add the action to the playbook.

  5. Enter your Azure Tenant ID.

  6. To grant the Entra ID permissions this action requires, click the consent link and log in to your Microsoft account as a Global Administrator.

  7. Review the permissions requested by the Red Canary app and click Accept.

    Note

    The first time you add an Entra ID response action, accepting these permissions will automatically install the Red Canary + Azure AD Response Actions enterprise app in Azure.

  8. After you’ve accepted the permissions request, check the Confirm Microsoft Automate API Access Granted box.

  9. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically-triggered executions.

  10. Click Save.

Manually Executing the Response Action

To execute the Entra ID Protection response action manually:

  1. Open the playbook and click Run.

  2. Search for the user identity in the dropdown list, then click Run.

  3. Click the Follow along… link to view the results of the action.

    If you set the action to Require Approval, you’ll need to approve it before it can execute.

Automatically Executing the Response Action

To execute the Entra ID Protection response action automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.