ATPDocs/remediation-actions.md
Lines changed: 13 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -27,23 +27,27 @@ Watch the following video to learn more about remediation actions in Defender fo
27
27
28
28
To perform any of the [supported actions](#supported-actions), you need to:
29
29
30
-
- Configure the account that Microsoft Defender for Identity will use to perform them. By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
30
+
- Configure the account that Microsoft Defender for Identity will use to perform them. By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
31
31
32
32
- Be signed into Microsoft Defender XDR to with relevant permissions. For Defender for Identity actions, you'll need a custom role with **Response (manage)** permissions. For more information, see [Create custom roles with Microsoft Defender XDR Unified RBAC](/microsoft-365/security/defender/create-custom-rbac-roles).
33
33
34
34
## Supported actions
35
35
36
-
The following Defender for Identity actions can be performed directly on your on-premises identities:
36
+
The following Defender for Identity actions can be performed on Identities:
37
37
38
-
-**Disable user in Active Directory**: This will temporarily prevent a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
38
+
-**Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
39
39
40
-
-**Reset user password**– This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
40
+
-**Reset user password**- This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
41
41
42
-
-**Mark User Compromised** - The user’s risk level is set to High
42
+
-**Mark User Compromised** - The user's risk level is set to High.
43
43
44
-
-**Suspend User in Entra ID** - Block new sign-ins and access to cloud resources
44
+
-**Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
45
45
46
-
-**Require User to Sign In Again** - Revoke a user’s active sessions
46
+
-**Require User to Sign In Again** - Revoke a user's active sessions.
47
+
48
+
-**Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
49
+
50
+
-**Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
47
51
48
52
Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
49
53
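Review bot: the prerequisites paragraph kept as context at the top of this hunk no longer matches the list it introduces. It says that to perform "any" of the supported actions you must configure the account the sensor on the domain controller uses (impersonating *LocalSystem*, or a gMSA), and it refers to "the above actions" even though the list follows it. With the Entra ID and Okta actions now in the list, that account configuration applies only to the Active Directory actions (disable user, reset password); the paragraph should be scoped accordingly, and "the above actions" should become "these actions" or "the Active Directory actions". Related: the unchanged closing sentence still says you "might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised", but both of those are now listed as supported actions in the bullets above it, so that sentence should be reworded or dropped. Smaller points in the changed lines: "on Identities" should be lowercase "identities", and dropping "directly on your on-premises" removes the only statement that the AD actions run against the on-premises directory; "**Reset user password**- This" is missing the space before the hyphen that the other bullets have; in the Okta bullets, "legit" and "non-legit" are informal (use "legitimate"/"not legitimate"), "was found to be compromised and needed to be disabled" mixes tenses ("is found ... and needs to be"), and "non-legit malicious account" is redundant. Drive-by: the unchanged line "Be signed into Microsoft Defender XDR to with relevant permissions" has a stray "to".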
@@ -56,6 +60,8 @@ Depending on your Microsoft Entra ID roles, you might see additional Microsoft E
56
60
|Require User to Sign In Again | - Global Administrator <br>|
57
61
| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
58
62
| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
63
+
| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
64
+
| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
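Review bot: the two new Okta rows describe the same requirement, so a single statement of the permission rule would avoid the text drifting between them later; if they stay separate, at least fix "Or One of the following" to "or one of the following" mid-sentence, and give the role list the same form as the other rows in the table (the "Require User to Sign In Again" row above uses a bare "<br>" list item, and it also has a trailing "<br>" before the closing pipe that should be removed). Also, since the Active Directory rows in this table point to the Defender for Identity required-permissions page rather than listing roles inline, consider whether the Okta rows should do the same so the table has one convention for where the authoritative role list lives.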