URLs:
- https://lnkd.in/gD3XF9bc
- https://lnkd.in/gSdNXAXf
- https://lnkd.in/g–DNyiv
- https://inthecloud247.com/revoke-user-access-in-case-of-an-emergency-with-a-single-click/
Practice Verified Codes and Commands:
(user@contoso.com is a placeholder UPN; the original value was redacted by extraction. The MSOnline and AzureAD modules used below are deprecated in favour of the Microsoft Graph PowerShell SDK, but the commands are kept as the post lists them.)
1. Revoke User Access in Entra (blocks sign-in; items 3 and 6 repeat this same command):
Set-MsolUser -UserPrincipalName user@contoso.com -BlockCredential $true
2. Reset User Password (generate the new value at run time rather than hard-coding it in a script):
Set-MsolUserPassword -UserPrincipalName user@contoso.com -NewPassword "NewSecurePassword123!" -ForceChangePassword $true
3. Disable User Account (same as item 1; MSOnline has no separate "disable" cmdlet):
Set-MsolUser -UserPrincipalName user@contoso.com -BlockCredential $true
4. Collect Investigation Package (MDE) (not a cmdlet shipped in the MSOnline or Microsoft Defender PowerShell modules; treat it as a locally supplied wrapper that must exist before this line runs):
Start-MdeInvestigationPackageCollection -UserPrincipalName user@contoso.com
5. Check User Risk Level (likewise not an MSOnline cmdlet; a local wrapper around the Identity Protection risky-users data is assumed):
Get-MsolUserRisk -UserPrincipalName user@contoso.com
6. Block User Sign-In (same command as item 1):
Set-MsolUser -UserPrincipalName user@contoso.com -BlockCredential $true
7. Enable Conditional Access Policy (a policy must also carry Users and Applications conditions, which the original one-liner omitted; the AzureAD module's documented form builds these with New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet, the hashtable below relies on PowerShell's type conversion):
$conditions = @{
  UserRiskLevels = @("High")
  Users          = @{ IncludeUsers = @("All") }
  Applications   = @{ IncludeApplications = @("All") }
}
New-AzureADMSConditionalAccessPolicy -DisplayName "Block High-Risk Users" -State "Enabled" -Conditions $conditions -GrantControls @{ Operator = "OR"; BuiltInControls = @("Block") }
8. Audit User Activity (Exchange Online PowerShell; Search-UnifiedAuditLog returns at most 5000 rows per call, so page with -SessionCommand ReturnLargeSet for busy accounts):
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -UserIds user@contoso.com
What Undercode Says:
Handling compromised user accounts in Entra requires a combination of immediate action and strategic planning. The first step is to confirm the compromise, but as the source post highlights, confirmation alone is insufficient. Immediate containment actions such as revoking access, resetting passwords, and disabling accounts are crucial, and automation ensures they are taken swiftly and consistently rather than depending on whoever happens to be on call.
PowerShell commands such as `Set-MsolUser` and `Set-MsolUserPassword` let administrators block sign-in and rotate credentials for a compromised account in seconds. Blocking sign-in stops new authentications but does not by itself invalidate tokens that were issued before the block, so revoking refresh tokens belongs in the same runbook. Conditional Access Policies (CAP) add a second, automatic layer: a policy that blocks users whose risk level is High restricts a compromised account as soon as Identity Protection raises the risk, before an administrator has acted.
The `Start-MdeInvestigationPackageCollection` step is meant to gather comprehensive data on user activity after the compromise. That data is essential for understanding the extent of the breach and for forensic analysis. Regularly auditing user activity with `Search-UnifiedAuditLog` helps identify suspicious patterns early and supports preemptive measures.
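The emergency-response procedure above, as an added example that is not from the original post or the linked articles, written against the Microsoft Graph PowerShell SDK rather than the deprecated MSOnline cmdlets. Cmdlet names are the SDK's own; the function names, the Graph scopes listed in the comment, the seven-day lookback and the placeholder UPN are assumptions of this example, and the caller needs a role that may reset passwords.

```powershell
# Assumes an existing session, e.g.:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All',
#                           'IdentityRiskyUser.ReadWrite.All','AuditLog.Read.All'
function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet, so "byte % 64" introduces no modulo bias
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!?'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Invoke-EmergencyUserRevocation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$LookbackDays = 7)
    $ErrorActionPreference = 'Stop'
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
    if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block, revoke sessions, reset password')) { return }

    # 1. Block sign-in (Graph equivalent of Set-MsolUser -BlockCredential $true)
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # 2. Invalidate refresh tokens: blocking alone leaves already-issued tokens usable until they expire
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    # 3. Rotate the password and force a change at next sign-in
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $true }
    # 4. Confirm the compromise in Identity Protection. The riskyUser id equals the user id;
    #    a user with no risk record returns 404, which this workflow treats as "nothing to confirm".
    $riskConfirmed = $false
    try {
        $risky = Get-MgRiskyUser -RiskyUserId $user.Id
        Confirm-MgRiskyUserCompromised -UserIds @($risky.Id)
        $riskConfirmed = $true
    } catch { }
    # 5. Pull recent sign-ins for the investigation. The UPN goes into an OData filter, so single
    #    quotes must be doubled (a UPN like o'brien@contoso.com would otherwise break the query).
    $since   = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $upnEsc  = $user.UserPrincipalName -replace "'", "''"
    $signIns = @(Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upnEsc' and createdDateTime ge $since" -All)

    [pscustomobject]@{
        User             = $user.UserPrincipalName
        SignInBlocked    = $true
        SessionsRevoked  = $true
        RiskConfirmed    = $riskConfirmed
        SignInsInWindow  = $signIns.Count
        DistinctIPs      = @($signIns.IPAddress | Sort-Object -Unique)
    }
}
# Dry run against the placeholder account; drop -WhatIf to execute.
Invoke-EmergencyUserRevocation -UserPrincipalName 'user@contoso.com' -WhatIf
```

The returned object is what an on-call engineer would paste into the incident ticket; the distinct IP list is the starting point for the audit-log search in step 8 of the command list.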
In conclusion, while Entra provides tools to flag compromised accounts, the onus is on administrators to implement robust remediation strategies. Automation, combined with a thorough understanding of Entra's capabilities, can significantly enhance an organization's security posture. Regularly updating and testing these strategies (including a dry run of the revocation runbook against a test account) ensures that the organization is prepared to handle account compromises effectively.
For further reading and detailed guides, refer to the URLs listed at the top of this post:
- Handling Compromised Accounts
- Vote for Design Change
- Conditional Access Policies
- Revoke User Access Automatically
References:
Initially reported by: https://www.linkedin.com/posts/nathanmcnulty_this-has-come-up-several-times-lately-so-activity-7295583267976581122-MEJS (via Hackers Feeds)