Automating Entra ID Account Disabling with Azure Logic Apps

Listen to this Post

Featured Image
Jan Bakker demonstrates a cost-effective approach to mimicking Identity Governance features using native Azure tools. By leveraging Azure Logic Apps and a Managed Identity, he triggers automated workflows when an account is disabled—without relying on audit log forwarding. This method can be extended to revoke refresh tokens or perform other security actions.

You Should Know:

1. Setting Up the Logic App Trigger

To detect disabled accounts in Entra ID (Azure AD), use the “When a user is deleted or disabled” trigger in Logic Apps.

Steps:

1. Create a Logic App in Azure Portal.

  1. Select the “When a user is deleted or disabled” trigger under Azure AD.
  2. Authenticate using a Managed Identity (no need for separate credentials).
 Assign Managed Identity permissions (PowerShell) 
New-AzRoleAssignment -ObjectId <ManagedIdentityObjectId> -RoleDefinitionName "User Administrator" -Scope "/" 

2. Revoking Refresh Tokens

After detecting a disabled account, use Microsoft Graph API to revoke sessions:

POST https://graph.microsoft.com/v1.0/users/{userId}/invalidateAllRefreshTokens 
Authorization: Bearer {access_token} 

Automating with Logic Apps:

1. Add an HTTP action in Logic Apps.

2. Use the Managed Identity for authentication.

3. Configure the Graph API call.

3. Removing Group Memberships (Security Hardening)

As suggested by Guy Horn, removing group memberships prevents privilege escalation.

 Remove user from all groups (PowerShell) 
$user = Get-AzureADUser -ObjectId "[email protected]" 
$groups = Get-AzureADUserMembership -ObjectId $user.ObjectId 
$groups | ForEach-Object { 
Remove-AzureADGroupMember -ObjectId $_.ObjectId -MemberId $user.ObjectId 
} 

4. Alternative: Azure Automation Runbook

For advanced workflows, use an Azure Automation Runbook with PowerShell:

 Example: Disable account + revoke sessions 
Disable-AzureADUser -ObjectId "[email protected]" 
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/[email protected]/invalidateAllRefreshTokens" -Method POST -Headers @{Authorization = "Bearer $token"} 

What Undercode Say:

Automating security responses in Entra ID reduces manual overhead and minimizes attack windows. By combining Logic Apps, Managed Identities, and Microsoft Graph, organizations can enforce Zero Trust principles without expensive third-party tools.

Expected Output:

  • Logic App triggers on user disablement.
  • Refresh tokens are invalidated automatically.
  • Group memberships are stripped to prevent lateral movement.

Prediction:

As cloud identity threats grow, more enterprises will adopt native automation over costly ID Governance solutions. Expect Microsoft to expand Logic App connectors for granular identity responses.

Relevant URLs:

References:

Reported By: Jan Bakker – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram