This workflow template allows for the immediate suspension of potentially compromised user accounts in Azure Active Directory via a message in Microsoft Teams. When an account is identified as at risk, this workflow guides the authorized requester through the necessary steps to verify permission, disable the compromised account, clear any existing sessions, and reset the password, ensuring prompt containment and mitigation of any potential threat to the system's security.

Trigger

Microsoft Teams Bot

Optional Triggers

Slack,Webhook

Use Cases

Identity and Access Management , Suspicious User Activity

Workflow Breakdown

Receive a message from Microsoft Teams to disable a user
Execute the nested workflow to confirm the user executing the workflow has permissions
Gather the user details and notify the user running the workflow
Disable the user, clear any sessions the user has, and reset the users password.

Vendors

Utils, Microsoft Azure AD, Microsoft 365, Microsoft Teams Bot

Workflow Output

Message output to the conversation in Microsoft Teams on the verdict of the actions on the user.

Tips

Setup the nested workflow with the workflow name and user email as needed for permissions

Disable a Specific User in Google Cloud Identity - Workflow Template

Reset Direct Manager reference for an Azure user (Azure AD) - Workflow Template

Verify Permissions to Execute Specific Workflows - Azure AD - Workflow Template

Disable and Contain a Specific Compromised User in Okta - Workflow Template

Reset Azure Active Directory MFA Methods and Password on a User - Workflow Template