Remove Red Canary Active Remediation Access from Your Microsoft Defender Console
    • 16 Jul 2024


    Removing permissions for the Red Canary Cyber Incident Response Team (CIRT) requires deleting the Active Remediation access package. This access package, created using Microsoft Identity Governance, contains an elevated permissions role within Microsoft Defender for Endpoint necessary for Red Canary's Active Remediation service.

    Step 1: Azure–Delete the Microsoft Azure identity governance access package for Active Remediation

    Note: If Red Canary services are still going to be used, do not delete the standard Red Canary access package. You only need to delete the Red Canary Active Remediation access package.

    1. From your Azure portal, log in with your global administrator account. 

    2. Expand the navigation pane, and then click Azure Active Directory.

    3. Click Identity Governance, and then click Catalogs.

    4. Select Red Canary catalog.

    5. From the Manage section, click Access Packages, and then click Red Canary Active Remediation Access Package.

    6. From the access package overview screen, click Delete.

    7. Click Yes.

    Step 2: Azure–Delete the Active Remediation security group

    1. From your Azure portal, log in with your global administrator account.

    2. Expand the navigation pane, and then click Azure Active Directory.

    3. Click Groups, and then click New Group.

    4. Search for the Red Canary Active Remediation group.

    5. Select Red Canary Active Remediation, and then click Delete.

    6. Click Yes at the confirmation prompt.

    Step 3: Microsoft Defender XDR–Delete the role-based access permissions in Microsoft Defender for Endpoint

    1. From your Microsoft Defender XDR portal, log in with your global administrator account.

    2. Click Settings, and then click Endpoints.

    3. Click Roles.

    4. Select the Red Canary Active Remediation role.

    5. At the confirmation screen, click Delete.
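
    To confirm that Steps 1 and 2 took effect, the following read-only check lists what remains in the tenant. It is an added example, not part of Red Canary's documented procedure; it assumes the Microsoft Graph PowerShell SDK is installed and that the display names in your tenant match the names used in this article.

```powershell
# Added example (not from the original article): read-only verification
# that the Active Remediation access package and security group are gone.
# Assumption: display names match the names used in Steps 1 and 2.
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All', 'Group.Read.All'

$packageName = 'Red Canary Active Remediation Access Package'  # Step 1
$groupName   = 'Red Canary Active Remediation'                 # Step 2

# Collect every access package and group whose name starts with "Red Canary".
# Access packages are filtered client-side; groups use a server-side filter.
$packages = @(Get-MgEntitlementManagementAccessPackage -All |
    Where-Object { $_.DisplayName -like 'Red Canary*' })
$groups = @(Get-MgGroup -Filter "startswith(displayName,'Red Canary')" -All)

$findings = @()
foreach ($p in $packages) {
    $findings += [pscustomobject]@{
        Type   = 'AccessPackage'
        Name   = $p.DisplayName
        Id     = $p.Id
        # The standard Red Canary access package is expected to remain.
        Status = if ($p.DisplayName -eq $packageName) { 'STILL PRESENT' } else { 'retained' }
    }
}
foreach ($g in $groups) {
    $findings += [pscustomobject]@{
        Type   = 'Group'
        Name   = $g.DisplayName
        Id     = $g.Id
        Status = if ($g.DisplayName -eq $groupName) { 'STILL PRESENT' } else { 'retained' }
    }
}

$findings | Format-Table -AutoSize

$leftover = @($findings | Where-Object { $_.Status -eq 'STILL PRESENT' })
if ($leftover.Count -gt 0) {
    Write-Warning "$($leftover.Count) Active Remediation object(s) still exist. Repeat Step 1 or Step 2."
} else {
    Write-Output 'No Active Remediation access package or group found.'
}

# Step 3 is not covered by this script: confirm in the Microsoft Defender XDR
# portal (Settings > Endpoints > Roles) that the
# "Red Canary Active Remediation" role no longer appears.
Disconnect-MgGraph | Out-Null
```

    Objects reported as retained belong to the standard Red Canary access, which the note in Step 1 says to keep if Red Canary services are still in use.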

