🛡️ Recipe · Security & Compliance
Investigate and Contain a Potentially Compromised User Account
Review recent Entra sign-ins, identify risk indicators, revoke sessions, reset credentials, remove risky app access, and document the response.
Complexity: Advanced
Impact: Security + Identity + Incident Response + Access Control + Compliance
Context
Why This Matters
A suspected account compromise is a time-sensitive security incident. A fast, structured response helps you contain unauthorized access, reduce the chance of data loss, and preserve evidence for follow-up investigation.
This recipe is for Microsoft 365 and Microsoft Entra ID environments where you need to investigate a user's recent authentication activity, check identity risk signals, remove persistence paths such as refresh tokens or delegated OAuth grants, and force the user back through a trusted sign-in path.
When to run it
- Help desk or SOC reports suspicious user behavior.
- A user reports unexpected MFA prompts, password changes, or sign-in alerts.
- Identity Protection, Defender, or another security tool flags unusual sign-ins.
- You need an audit-ready summary of actions taken during containment.
What problem it solves
This workflow consolidates investigation and containment into one repeatable process: review evidence, determine whether there are suspicious locations/IPs or risky sessions, revoke active sign-in state, reset the password, require MFA re-registration, review delegated app grants, and capture the outcome in a report.
Expected Outcomes
- You identify the target user and review their recent sign-in activity for the chosen time window.
- You capture evidence such as IP addresses, locations, applications, devices, and sign-in risk signals.
- You revoke active sessions and refresh tokens to interrupt unauthorized access.
- You reset the user's password and require a secure recovery path.
- You clear existing authentication methods as appropriate so the user must re-register MFA.
- You review and remove suspicious delegated OAuth permission grants.
- You produce a summary report suitable for incident tracking or handoff.
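The evidence-review step above, as an added example that is not part of this recipe or the Dex product: it triages a user's sign-in records for the indicators the recipe names (sign-in risk, legacy protocols, unfamiliar countries, a success following bad-password failures) and collects the IPs to preserve before any destructive step. The record shape follows Microsoft Graph `/auditLogs/signIns`; the sample values and the baseline-country assumption are constructed.

```python
# Added example (not Dex code): triage a user's Entra sign-in records for the
# risk indicators this recipe looks for. Record fields follow the shape of
# Microsoft Graph /auditLogs/signIns; the sample values below are constructed.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}
BAD_PASSWORD = 50126  # Entra sign-in error code: invalid username or password

SAMPLE_SIGNINS = [  # constructed evidence for one user, documentation IP ranges
    {"createdDateTime": "2024-05-01T08:02:11Z", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T02:10:05Z", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NG"}, "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "riskLevelDuringSignIn": "none",
     "status": {"errorCode": BAD_PASSWORD}},
    {"createdDateTime": "2024-05-03T02:10:41Z", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NG"}, "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "riskLevelDuringSignIn": "high",
     "status": {"errorCode": 0}},
]
def triage_signins(signins, baseline_countries):
    """Flag each sign-in that carries a risk indicator and collect the IPs to
    preserve as evidence. baseline_countries is the analyst's assumption about
    where this user normally signs in (not something the logs provide)."""
    failed_ips, findings, evidence_ips = set(), [], set()
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        ip, code = s["ipAddress"], s["status"]["errorCode"]
        country = s.get("location", {}).get("countryOrRegion", "unknown")
        flags = []
        if s.get("riskLevelDuringSignIn") in ("medium", "high"):
            flags.append("risk:" + s["riskLevelDuringSignIn"])
        if s.get("clientAppUsed") in LEGACY_CLIENTS:   # legacy protocols do not support MFA
            flags.append("legacy-auth:" + s["clientAppUsed"])
        if code == 0 and country not in baseline_countries:
            flags.append("new-country:" + country)
        if code == 0 and ip in failed_ips:             # guessing, then a success
            flags.append("success-after-bad-password")
        if code == BAD_PASSWORD:
            failed_ips.add(ip)
        if flags:
            findings.append({"time": s["createdDateTime"], "ip": ip,
                             "app": s.get("appDisplayName"), "flags": flags})
            evidence_ips.add(ip)
    return {"findings": findings, "evidence_ips": sorted(evidence_ips),
            "contain": bool(findings)}  # any finding -> run the containment steps
if __name__ == "__main__":
    result = triage_signins(SAMPLE_SIGNINS, baseline_countries={"US"})
    print(result["findings"], result["evidence_ips"], "contain:", result["contain"])
```

An empty findings list only means nothing was flagged in the records supplied; given the retention and latency caveats below, it is not proof the account is safe.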
Risks & Considerations
- Do not share temporary passwords by email. Use a secure out-of-band method such as phone verification, approved secure chat, or a Temporary Access Pass workflow.
- Session revocation is disruptive. The user will be signed out of apps and devices and may temporarily lose access.
- MFA method deletion can lock out the user if you do not have a recovery method planned. Consider issuing a Temporary Access Pass before removing all MFA methods.
- Be careful with app consent removal. Removing delegated grants can break legitimate integrations until the user re-consents.
- Sign-in logs may be incomplete due to licensing, retention limits, or log latency. No sign-ins in the last 7 days does not prove the account is safe.
- Preserve evidence. Export or record relevant sign-in details before making destructive changes if your incident process requires it.
- Resetting the password alone is not enough if the attacker has refresh tokens, MFA methods, mailbox rules, or app grants.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| AuditLog.Read.All | Read user sign-in logs and capture evidence such as IPs, locations, device details, and status. |
| IdentityRiskyUser.Read.All | Review Entra ID Identity Protection risky user records for the target account. |
| User.ReadWrite.All | Revoke sign-in sessions and update user account settings if needed during containment. |
| UserAuthenticationMethod.ReadWrite.All | List and remove authentication methods and reset the user's password through Graph authentication endpoints. |
| DelegatedPermissionGrant.ReadWrite.All | Review and remove delegated OAuth permission grants that may provide attacker persistence. |
| Directory.Read.All | Resolve the user, applications, and service principals referenced in grants and sign-in evidence. |