Can I create a playbook in Microsoft Sentinel that is able to disable a compromised hybrid user account whose authentication authority is an on-premises Active Directory Domain controller?

Anthony K. Simukonda 45 Reputation points
2024-04-27T10:12:42.72+00:00

I would like to create a playbook that disables a compromised account. The account is synchronised from an on-premises Active Directory Domain Controller. Synchronisation to Microsoft Entra ID is through Microsoft Entra Connect Sync. Password hash synchronisation and password write back are enabled.

Can I configure a playbook that disables the account even on the on-premises domain controller?

Microsoft Security Microsoft Sentinel

Accepted answer
  1. Olufunso Adewumi 680 Reputation points Microsoft Employee
    2024-04-27T21:00:24.1333333+00:00

    Yes, you can configure a playbook to disable a compromised account even on the on-premises domain controller. This process typically involves using Azure Automation Accounts and a Hybrid Worker that can execute tasks both in the cloud and on your on-premises environment.

    Consider following these steps.

    1. Create an Automation Account in Azure.
    2. Deploy a Hybrid Worker solution from the Azure Marketplace.
    3. Create a Hybrid Worker Group within your Automation Account.
    4. Create a new PowerShell Runbook that includes the script to disable the user account.
    5. Register the Hybrid Worker with Azure to ensure it can communicate with your on-premises environment.
    6. Test the Runbook to make sure it works as expected.
    7. Build or deploy the Playbook and attach it to the relevant Analytics rule in Azure Sentinel.

    The playbook can include an action to create a hybrid automation job, which executes a PowerShell script against the on-premises Domain Controller to disable the user account. The user account will remain disabled even after subsequent Azure AD Connect syncs with the Azure cloud.

    For detailed steps and to ensure you set the correct permissions, you can refer to the Microsoft Community Hub article on this topic. It’s important to restrict the account’s permissions to the minimum required to disable user accounts using the Delegation userAccountControl bitmask.
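The runbook in step 4, written out as an added example (this is not code from the original answer or from the Microsoft Community Hub article it refers to). It assumes a Hybrid Runbook Worker that is domain-joined and has the RSAT ActiveDirectory module installed, that the playbook passes the flagged account's UPN and the Sentinel incident number as parameters, and that the protected-account and privileged-group lists are placeholders you replace with your own. Parameter names and the deny lists are assumptions for illustration.

```powershell
<#
  Added example runbook, not the original answer's code.
  Runs on a domain-joined Hybrid Runbook Worker; the Run As identity only needs
  delegated rights to write userAccountControl and description on the target OUs.
#>
param(
    # UPN of the account the Sentinel incident flagged, supplied by the playbook
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,

    # Sentinel incident number, written to the account description for audit
    [Parameter(Mandatory = $true)]
    [string]$IncidentId,

    # Break-glass / tier-0 accounts the playbook must never touch (assumed values)
    [string[]]$ProtectedAccounts = @('breakglass-admin@corp.example', 'svc-entraconnect@corp.example')
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Reject anything that is not a plain UPN so the input cannot reshape the AD filter below
if ($UserPrincipalName -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$') {
    throw "Rejected input '$UserPrincipalName': not a well-formed UPN."
}

if ($ProtectedAccounts -contains $UserPrincipalName) {
    throw "Refusing to disable protected account '$UserPrincipalName'."
}

# Look the user up by UPN; the bound variable in the filter avoids string-built LDAP filters
$user = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties Enabled, Description, MemberOf
if ($null -eq $user) {
    throw "No on-premises account found for '$UserPrincipalName'."
}

# Do not disable privileged accounts automatically; fail the job so an analyst handles it.
# MemberOf lists direct membership only; nested membership needs a recursive check.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')   # assumed list
$memberOfNames = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
$hit = @($memberOfNames | Where-Object { $privilegedGroups -contains $_ })
if ($hit.Count -gt 0) {
    throw "Account '$UserPrincipalName' is in privileged group(s): $($hit -join ', '). Manual action required."
}

if (-not $user.Enabled) {
    Write-Output "Account '$UserPrincipalName' is already disabled; no change made."
    return
}

# Disable the account on-premises; Entra Connect replicates the disabled state on its next sync cycle
Disable-ADAccount -Identity $user.DistinguishedName

# Leave an audit trail in the directory object itself
$stamp = (Get-Date).ToUniversalTime().ToString('u')
Set-ADUser -Identity $user.DistinguishedName -Description "Disabled by Sentinel playbook, incident $IncidentId, $stamp"

# Emit a small JSON object the Logic App can parse from the job output
[pscustomobject]@{
    UserPrincipalName = $UserPrincipalName
    DistinguishedName = $user.DistinguishedName
    Disabled          = $true
    IncidentId        = $IncidentId
    TimestampUtc      = $stamp
} | ConvertTo-Json
```

On the playbook side, the Logic App's Azure Automation "Create job" action is pointed at this runbook with the hybrid worker group selected as the run-on target, and the incident entity's UPN and the incident number are mapped to the two parameters. Because the runbook throws on protected or privileged accounts instead of silently skipping them, the job fails visibly in Sentinel and the incident stays open for an analyst rather than looking remediated.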


0 additional answers
