Compromise remediation

The "user is compromised" playbook composes four primitives into a single action: revoke sessions, disable sign-in, reset password, remove mail-forwarding rules. Each step can be toggled individually, and a failure in one step does not abort the rest: the goal is to get the user out of the seat first, then report what's left.

When to use it

  • User clicked a phishing link and you saw the MFA notification
  • Defender raised an "impossible travel" alert
  • User says "I've been getting weird bounces" (classic BEC forwarding rule)
  • HIBP scan flagged the account in a fresh breach

What each step does

Revoke sign-in sessions

Calls Graph POST /users/{id}/revokeSignInSessions. Kills every active session — Outlook, Teams, OWA, mobile apps. The fastest and cheapest control; always run this first. Existing access tokens die within 5–10 minutes depending on Azure's cache.

Disable sign-in

Sets accountEnabled = false on the user. Prevents new sessions from starting. Reversible — just re-enable when the user has a new password.

Reset password

Generates a 24-character random password meeting M365 complexity. Shown once in the playbook result modal — copy it straight to your secure comms with the user. forceChangePasswordNextSignIn is on by default so the user sets their own password on first sign-in.
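As an added illustration of this step (example code, not the playbook's own implementation), the following generates a password that is guaranteed to satisfy the M365 cloud complexity rule and builds the Graph PATCH body that carries forceChangePasswordNextSignIn. The symbol alphabet is an assumption; the playbook's actual character set is not published.

```python
import secrets
import string

# Character classes M365 complexity counts. Assumption: the playbook's own
# symbol set is not documented, so this one is chosen for the example.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def generate_password(length: int = 24) -> str:
    """Return a random password with at least one character from each of the
    four classes, drawn from the OS CSPRNG via the secrets module."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all four classes")
    # Guarantee one character per class, then fill the rest from the union.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # CSPRNG-backed shuffle so the guaranteed characters are not always the
    # first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_complexity(password: str) -> bool:
    """M365 cloud password rule: 8-256 characters and at least three of the
    four classes. The generator above always produces all four."""
    classes = sum(1 for cls in (UPPER, LOWER, DIGITS, SYMBOLS)
                  if any(c in cls for c in password))
    return 8 <= len(password) <= 256 and classes >= 3


def password_reset_body(password: str, force_change: bool = True) -> dict:
    """Request body for PATCH /users/{id}: sets the temporary password and
    makes the user choose their own at next sign-in."""
    return {
        "passwordProfile": {
            "forceChangePasswordNextSignIn": force_change,
            "password": password,
        }
    }


if __name__ == "__main__":
    temp = generate_password()
    print(temp, meets_complexity(temp))
    print(password_reset_body(temp))
```

The temporary password should travel only over the channel you already use for secrets with that user; the value printed above exists for the demonstration, the playbook shows it once in the result modal.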

Consider also resetting their MFA enrolment from M365 admin centre if the attacker may have enrolled their own authenticator — the playbook doesn't touch MFA secrets.

Remove forwarding rules

Enumerates inbox messageRules and deletes any with forwarding actions (forwardTo, redirectTo, forwardAsAttachmentTo). This is the #1 BEC persistence trick — attackers create a rule like "forward all mail to external@attacker.com" so they keep reading the user's inbox even after you kick them out.
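The rule check described above, as an added example rather than the playbook's own code: it walks a constructed sample of the Graph messageRules response, flags every rule carrying a forwardTo, redirectTo or forwardAsAttachmentTo action, separates destinations outside your own domains, and produces the DELETE paths the playbook would call. The sample rule names and addresses are made up for the example.

```python
# Constructed sample of what GET /users/{id}/mailFolders/inbox/messageRules
# returns, trimmed to the fields this check uses. Addresses are made up.
SAMPLE_RULES = [
    {
        "id": "rule-1",
        "displayName": "Move newsletters",
        "isEnabled": True,
        "actions": {"moveToFolder": "AAMk-newsletters", "markAsRead": True},
    },
    {
        "id": "rule-2",
        "displayName": "Sync",
        "isEnabled": True,
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "external@attacker.example"}}],
            "markAsRead": True,
        },
    },
    {
        "id": "rule-3",
        "displayName": "Copy to assistant",
        "isEnabled": False,
        "actions": {
            "redirectTo": [{"emailAddress": {"address": "Assistant@contoso.example"}}],
            "stopProcessingRules": True,
        },
    },
]

# The three messageRule actions that move mail to another recipient.
FORWARDING_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def forwarding_destinations(rule: dict) -> list:
    """Every address a messageRule forwards or redirects mail to, lower-cased."""
    actions = rule.get("actions") or {}
    found = []
    for key in FORWARDING_ACTIONS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address")
            if address:
                found.append(address.lower())
    return found


def find_forwarding_rules(rules, internal_domains=()):
    """One finding per rule with any forwarding action. Disabled rules are
    included, since a disabled rule can simply be re-enabled later.
    Destinations outside internal_domains are listed separately."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        destinations = forwarding_destinations(rule)
        if not destinations:
            continue
        external = [a for a in destinations if a.rsplit("@", 1)[-1] not in internal]
        findings.append({
            "id": rule["id"],
            "displayName": rule.get("displayName", ""),
            "isEnabled": rule.get("isEnabled", True),
            "destinations": destinations,
            "external": external,
        })
    return findings


def delete_paths(user_id: str, findings) -> list:
    """Graph paths the playbook would DELETE, one per flagged rule."""
    return [f"/users/{user_id}/mailFolders/inbox/messageRules/{f['id']}"
            for f in findings]


if __name__ == "__main__":
    hits = find_forwarding_rules(SAMPLE_RULES, internal_domains=["contoso.example"])
    for hit in hits:
        print(hit["id"], repr(hit["displayName"]), "->", hit["destinations"],
              "EXTERNAL" if hit["external"] else "internal")
    print(delete_paths("user-guid", hits))
```

Keep the findings list with the incident record before deleting: the destination address is usually the only indicator you get of where the mail went. Note that inbox rules are one of two forwarding mechanisms in Exchange Online; a mailbox-level forwarding address (the ForwardingSmtpAddress setting) is not a messageRule and is not covered by this check.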

What the playbook doesn't do

Deliberate omissions — run these manually if the scenario warrants:

  • Remove MFA enrolments — if the attacker added their own authenticator, you need to clear the user's methods via admin centre
  • Re-authorise OAuth apps — an attacker may have consented to a malicious app. Check Enterprise applications in Entra admin
  • Purge sent items — if phishing went out from the user's account, consider recall or a delete-all-sent

Audit trail

The entire playbook is audited as a single user.compromise_remediation event with per-step outcomes in metadata. When you need to produce evidence for an incident report (NDB scheme, APRA CPS 234), that one audit entry tells the story cleanly.
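To show how the composition in the introduction and the single audit event described here fit together, the following added example (not the product's code) runs four toggleable steps in the documented order, keeps going when one of them throws, and folds the per-step outcomes into one user.compromise_remediation record. The step functions are constructed stand-ins for the Graph calls; the forwarding-rule step is made to fail with a simulated Graph error so the partial-outcome path is visible.

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class StepResult:
    name: str
    enabled: bool
    ok: Optional[bool]   # None when the step was toggled off
    detail: str = ""


def run_playbook(user_id: str, steps, toggles: dict) -> list:
    """Run each (name, fn) pair in order. A toggled-off step is recorded as
    skipped; an exception in one step is recorded and the next step still runs."""
    results = []
    for name, fn in steps:
        if not toggles.get(name, True):
            results.append(StepResult(name, False, None, "skipped"))
            continue
        try:
            results.append(StepResult(name, True, True, str(fn(user_id))))
        except Exception as exc:  # every failure must land in the audit record
            results.append(StepResult(name, True, False,
                                      f"{type(exc).__name__}: {exc}"))
    return results


def audit_event(user_id: str, actor: str, results) -> dict:
    """One audit record for the whole run, per-step outcomes in metadata."""
    ran = [r for r in results if r.enabled]
    outcome = "success" if all(r.ok for r in ran) else "partial"
    return {
        "event": "user.compromise_remediation",
        "actor": actor,
        "target": user_id,
        "outcome": outcome,
        "metadata": {"steps": [asdict(r) for r in results]},
    }


# Constructed stand-ins for the Graph calls. Assumption: the real playbook
# wraps an authenticated Graph client; here each step is a plain callable
# that returns a short description of what it did.
def revoke_sessions(user_id):
    return f"POST /users/{user_id}/revokeSignInSessions -> 200"


def disable_signin(user_id):
    return f"PATCH /users/{user_id} accountEnabled=false -> 204"


def reset_password(user_id):
    return f"PATCH /users/{user_id} passwordProfile -> 204"


def remove_forwarding_rules(user_id):
    # Simulated failure: mailbox not reachable over Graph (unlicensed/inactive).
    raise RuntimeError("MailboxNotEnabledForRESTAPI")


DEFAULT_STEPS = [
    ("revoke_sessions", revoke_sessions),   # always first: cheapest and fastest
    ("disable_signin", disable_signin),
    ("reset_password", reset_password),
    ("remove_forwarding_rules", remove_forwarding_rules),
]


def remediate(user_id: str, actor: str = "tech@msp.example", toggles=None) -> dict:
    """Run the playbook for one user and return its single audit event."""
    results = run_playbook(user_id, DEFAULT_STEPS, toggles or {})
    return audit_event(user_id, actor, results)


if __name__ == "__main__":
    import json
    print(json.dumps(remediate("user-guid"), indent=2))
```

The outcome field collapses to "partial" whenever any enabled step fails, which is the value to key an alert or a follow-up task on; the per-step detail strings are what you paste into the incident report.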

Required permission

SECURITY_MANAGE. L3 technicians and MSP admins/owners have this by default; L2 and below don't. Configure via Users → role change.