Skip to main content
All CollectionsTemplatesIntermediate
Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow Template
Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow Template

Workflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.

Updated over 3 months ago

This Torq workflow template enables automated user disablement in Entra ID (formerly Azure AD) in response to potentially compromised accounts. Upon detecting suspicious activity via a Microsoft Teams message, this workflow confirms execution permissions for the requester, collects user details, and sends confirmation to the Teams conversation. Subsequently, it disables the user, clears any sessions, and resets the password, ensuring quick containment of threats to identity and access integrity.

Trigger

Microsoft Teams Bot

Optional Triggers

["Slack","Webhook"]

Use Cases

Identity and Access Management , Suspicious User Activity

Workflow Breakdown

  1. Receive a message from Microsoft Teams to disable a user

  2. Execute the nested workflow to confirm the user executing the workflow has permissions

  3. Gather the user details and notify the user running the workflow

  4. Disable the user, clear any sessions the user has, and reset the users password.

Vendors

Utils, Microsoft Azure AD, Microsoft 365, Microsoft Teams Bot

Workflow Output

Message output to the conversation in Microsoft Teams on the verdict of the actions on the user.

Tips

  • Setup the nested workflow with the workflow name and user email as needed for permissions

Did this answer your question?