Deactivating accounts automatically if their credentials are leaked

Steve
2020-10-26T01:37:15.847+00:00

We recently moved to the Microsoft E5 license, so we receive email alerts if any user's Office 365 credentials are leaked on the dark web, which are categorized as high risk.

  1. Can we set up a rule so that if we receive an alert that a user's credentials are leaked, his/her AD account is deactivated and an email is sent to his/her manager, the Azure AD admins and the security team, so that the user has to call the HelpDesk to reactivate his/her AD account with a new password?
  2. If so, how do we do that?

We use Pass through Synchronization to

If we receive an alert at 1 a.m. when none of us are awake, we don't want to wait until 8 a.m. for the user's account to be deactivated, so we want to automate it if possible. It also helps if we get a dozen such alerts, so that each account does not have to be manually inactivated.

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT, Microsoft Employee
    2020-10-27T00:09:06.777+00:00

    A good option would be to enable Azure Identity Protection, which allows you to configure sign-in risk policies and user risk policies to target risky users and risky sign-ins. The recommended sign-in policy is to target medium-risk sign-ins and require MFA. For user policies, it should target high-risk users and require the password change action. Administrators can make a decision based on the risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.

    Identity Protection has built-in alerts for leaked credentials already, so it would be perfect. Credentials are processed immediately after they have been found and deleted shortly after.

    Leaked credentials are classified as "high risk", so they would be captured in the risk policies.


    Another good option for you would be to enable Azure AD Smart Lockout. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts. Smart lockout will block users after a configurable number of failed sign-in attempts.

    The article Rapidly respond to secure identities with Azure AD lists a number of resources that would be useful for your scenario.

    If you want something even more custom to disable accounts, you can probably set up something in PowerShell using Disable-ADAccount.

    Hope this helps!
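As an added example that is not part of the question or the answer above, the following PowerShell script wires up the "custom" path the answer ends on for a pass-through authentication tenant: it pulls the currently active leaked-credential detections from Identity Protection through the Microsoft Graph REST API, disables the matching on-premises AD account with Disable-ADAccount (PTA validates passwords against AD, so new sign-ins fail at once), revokes the user's cloud sessions so existing refresh tokens die before the next Azure AD Connect sync, and mails the manager and the security team. Everything below the comment header is assumed rather than taken from the page: the app registration (a certificate-based app-only sign-in holding IdentityRiskEvent.Read.All and User.RevokeSessions.All), the SMTP relay and mail aliases, and that the on-prem userPrincipalName is the one synced to Azure AD.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication
# Added example (not from the page): contain users with active leaked-credential
# detections. Tenant/app IDs, SMTP relay and aliases are placeholders.
param(
    [string]$TenantId     = '00000000-0000-0000-0000-000000000000',  # assumed
    [string]$ClientId     = '11111111-1111-1111-1111-111111111111',  # assumed
    [string]$CertThumb    = 'PUT-CERT-THUMBPRINT-HERE',              # assumed
    [string]$SmtpServer   = 'smtp.corp.example',                     # assumed
    [string]$SecurityTeam = 'security@corp.example',                 # assumed
    [string]$FromAddress  = 'identity-alerts@corp.example'           # assumed
)

# App-only sign-in; the app is assumed to hold IdentityRiskEvent.Read.All
# and User.RevokeSessions.All application permissions.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertThumb -NoWelcome

# Only detections of type leakedCredentials that are still "atRisk"
# (not yet remediated or dismissed). Results are paged; follow nextLink.
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections" +
       "?`$filter=riskEventType eq 'leakedCredentials' and riskState eq 'atRisk'"
$detections = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $detections += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# One user may have several detections; act once per user.
foreach ($d in ($detections | Sort-Object userId -Unique)) {
    $upn = $d.userPrincipalName

    # Map the cloud identity back to the synced on-prem object
    # (assumes the UPN is not rewritten by Azure AD Connect).
    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $upn } `
        -Properties Manager, EmailAddress, Enabled
    if (-not $adUser) { Write-Warning "No on-prem account for $upn; skipping"; continue }
    if (-not $adUser.Enabled) { continue }   # already contained on an earlier run

    # 1. Disable on-prem. With PTA, new cloud sign-ins fail immediately because
    #    the password is validated against this (now disabled) AD account.
    Disable-ADAccount -Identity $adUser

    # 2. The HelpDesk re-enables later; make the first sign-in set a new password.
    Set-ADUser -Identity $adUser -ChangePasswordAtLogon $true

    # 3. Invalidate refresh tokens now instead of waiting for the next sync cycle
    #    to carry the disabled flag to Azure AD. Access tokens already issued
    #    keep working until they expire (up to about an hour).
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/users/$($d.userId)/revokeSignInSessions" | Out-Null

    # 4. Notify the security team and, when one is set in AD, the manager.
    $to = @($SecurityTeam)
    if ($adUser.Manager) {
        $mgr = Get-ADUser -Identity $adUser.Manager -Properties EmailAddress
        if ($mgr.EmailAddress) { $to += $mgr.EmailAddress }
    }
    $body = @"
Identity Protection reported leaked credentials for $upn
(detected $($d.detectedDateTime), risk level $($d.riskLevel)).
The on-premises account has been disabled and cloud sessions revoked.
The user must call the HelpDesk to be re-enabled with a new password.
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $FromAddress -To $to `
        -Subject "Account disabled: $upn (leaked credentials)" -Body $body
    Write-Output "Contained $upn"
}
```

Run it from Task Scheduler every few minutes on a domain-joined host with the RSAT ActiveDirectory module, under an account that can disable users but nothing more. Because it disables any account that appears in the feed, exclude break-glass and service accounts before scheduling it, and remember that "Azure AD admins" in the question are only notified here; the Identity Protection user risk policy from the answer still handles the password reset path for users who are not in the on-prem directory.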