Skip to main content

Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow Template

Workflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.

Updated over a year ago

This Torq workflow template enables automated user disablement in Entra ID (formerly Azure AD) in response to potentially compromised accounts. Upon detecting suspicious activity via a Microsoft Teams message, this workflow confirms execution permissions for the requester, collects user details, and sends confirmation to the Teams conversation. Subsequently, it disables the user, clears any sessions, and resets the password, ensuring quick containment of threats to identity and access integrity.

Take Me to the Template

Trigger

Microsoft Teams Bot

Optional Triggers

["Slack","Webhook"]

Use Cases

Identity and Access Management , Suspicious User Activity

Workflow Breakdown

  1. Receive a message from Microsoft Teams to disable a user

  2. Execute the nested workflow to confirm the user executing the workflow has permissions

  3. Gather the user details and notify the user running the workflow

  4. Disable the user, clear any sessions the user has, and reset the users password.

Vendors

Utils, Microsoft Azure AD, Microsoft 365, Microsoft Teams Bot

Workflow Output

Message output to the conversation in Microsoft Teams on the verdict of the actions on the user.

Tips

  • Setup the nested workflow with the workflow name and user email as needed for permissions

Related Articles
Disable a Specific User in Google Cloud Identity - Workflow Template
Reset Direct Manager reference for an Entra ID user (ex-Azure AD) - Workflow Template
Verify Permissions to Execute Workflows - EntraID (ex-Azure AD) - Workflow Template
Disable and Contain a Specific Compromised User in Okta - Workflow Template
Workflow Template: Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed Regions
Did this answer your question?