This Torq workflow template enables automated user disablement in Entra ID (formerly Azure AD) in response to potentially compromised accounts. Upon detecting suspicious activity via a Microsoft Teams message, this workflow confirms execution permissions for the requester, collects user details, and sends confirmation to the Teams conversation. Subsequently, it disables the user, clears any sessions, and resets the password, ensuring quick containment of threats to identity and access integrity.

Trigger

Microsoft Teams Bot

Optional Triggers

["Slack","Webhook"]

Use Cases

Identity and Access Management , Suspicious User Activity

Workflow Breakdown

Receive a message from Microsoft Teams to disable a user
Execute the nested workflow to confirm the user executing the workflow has permissions
Gather the user details and notify the user running the workflow
Disable the user, clear any sessions the user has, and reset the users password.

Vendors

Utils, Microsoft Azure AD, Microsoft 365, Microsoft Teams Bot

Workflow Output

Message output to the conversation in Microsoft Teams on the verdict of the actions on the user.

Tips

Setup the nested workflow with the workflow name and user email as needed for permissions

Disable a Specific User in Google Cloud Identity - Workflow Template

Reset Direct Manager reference for an Entra ID user (ex-Azure AD) - Workflow Template

Verify Permissions to Execute Workflows - EntraID (ex-Azure AD) - Workflow Template

Disable and Contain a Specific Compromised User in Okta - Workflow Template

Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed Regions - Workflow Template