Remediation actions in Microsoft Defender for Identity

Applies to:

  • Microsoft Defender for Identity
  • Microsoft 365 Defender

Microsoft Defender for Identity allows you to respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the action center.

The response actions on users are available directly from the user page, the user side panel, the advanced hunting page, or in the action center.

The following actions can be performed directly on the user account:

  • Disable user in Active Directory: This will temporarily prevent a user from logging in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
  • Suspend user in Azure Active Directory: This will temporarily prevent a user from logging in to Azure Active Directory. This can help prevent compromised users from attempting to exfiltrate data and minimizes the time between Disable user in Active Directory and the sync of this status to the cloud.
  • Reset user password: This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.

Note

For users with the Password never expires flag turned on, the password reset will only take place once the flag is removed.
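As an added example, not part of the Microsoft documentation page and not Defender for Identity's own code, the following PowerShell script lets an incident responder confirm that the three response actions above actually landed on the account, and it handles the Password never expires caveat from the Note by clearing the flag before forcing a change at next logon. It assumes the RSAT ActiveDirectory module for the on-premises checks, the Microsoft.Graph.Users module for the Azure Active Directory check, and rights to read and modify the target account; the account name and UPN are constructed sample values.

```powershell
# Added example (not from the Microsoft Docs page): verify Defender for Identity
# response actions on an on-premises AD account and its Azure AD counterpart.
# Assumes the RSAT ActiveDirectory module and, optionally, Microsoft.Graph.Users.
Import-Module ActiveDirectory

$SamAccountName = 'sample-user'                 # constructed sample value
$Upn            = 'sample-user@contoso.example' # constructed sample value

$user = Get-ADUser -Identity $SamAccountName `
    -Properties Enabled, PasswordNeverExpires, pwdLastSet, LockedOut

# 1. "Disable user in Active Directory": the account should no longer be enabled.
if ($user.Enabled) {
    Write-Warning "$SamAccountName is still enabled; applying the disable action manually."
    Disable-ADAccount -Identity $SamAccountName
}

# 2. "Reset user password": a forced change at next logon is stored as pwdLastSet = 0.
#    Per the Note, this cannot take effect while 'Password never expires' is set,
#    so the flag is cleared first (Set-ADUser -ChangePasswordAtLogon fails otherwise).
if ($user.PasswordNeverExpires) {
    Write-Warning "$SamAccountName has 'Password never expires'; clearing it so the reset can apply."
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
}
if ($user.pwdLastSet -ne 0) {
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# 3. "Suspend user in Azure Active Directory": check AccountEnabled in the cloud directory
#    without waiting for the on-premises disable to sync. Skipped if the Graph module
#    is not installed or the session is not connected.
$cloudEnabled = $null
if (Get-Command Get-MgUser -ErrorAction SilentlyContinue) {
    try {
        $cloudEnabled = (Get-MgUser -UserId $Upn -Property AccountEnabled).AccountEnabled
        if ($cloudEnabled) {
            Write-Warning "$Upn is still enabled in Azure AD; the suspend action has not synced or applied."
        }
    } catch {
        Write-Warning "Could not query Azure AD for $Upn (not connected?): $($_.Exception.Message)"
    }
}

# Re-read the on-premises state and emit one record for the incident timeline.
$after = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordNeverExpires, pwdLastSet
[pscustomobject]@{
    Account              = $SamAccountName
    DisabledOnPrem       = -not $after.Enabled
    PasswordNeverExpires = $after.PasswordNeverExpires
    MustChangeAtLogon    = ($after.pwdLastSet -eq 0)
    EnabledInAzureAD     = $cloudEnabled
    CheckedAtUtc         = (Get-Date).ToUniversalTime().ToString('o')
}
```

Run it from an elevated PowerShell session on a domain-joined host after the action center reports the actions as completed; a `MustChangeAtLogon` of `$false` together with `PasswordNeverExpires` of `$true` is the exact situation the Note describes, and the script resolves it by clearing the flag before re-applying the forced change.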

Prerequisites

To perform the above actions, you need to configure the account that Microsoft Defender for Identity will use to perform them. You can read about the requirements in Microsoft Defender for Identity action accounts.

Permissions

Currently, this feature requires the account signed into Microsoft 365 Defender to possess the Security Administrator role.

(Screenshot: Remediation actions in Defender for Identity)

See also

Microsoft Defender for Identity action accounts