How and when you would use the Microsoft Azure AD Admin ICON Plugin?

Can someone please explain how and when you would use the Microsoft Azure AD Admin ICON Plugin?

For example, how would it improve response in the hypothetical event of a compromised O365 account? Why would you disable the Azure AD user in addition to the AD on-prem user?

Based on what I’ve read, we could, using the Azure AD Admin plugin in ICON:

  • Disable the Azure AD account
    • Disable User Account

      This action is used to disable a user account. This action will not disable an administrative account.

  • Send a revokesession action so that the active user session (includes O365?) will last at max 1 hour, if a refresh or reboot doesn’t take place first.
    • Revoke Sign-In Sessions

      This action invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user’s browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.


You’ve got it. Use those two actions and the account should be disabled and logged off. The Admin restriction is a Microsoft API limitation (I think it prevents a global admin from locking themselves out, which would be very bad.)


I also use this for enrichment and to speed up additional investigations.
When I see an O365 account I pull back the user info and create an Artifact for the Analyst.
We have found the simple link to the login page saves us the time and clicks to get there, and a lot of people appreciate it.

{{#each ["Azure User"].[user_information]}}
* __{{@key}}:__ {{this}}
{{/each}}

**Azure User Page:**   
<https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{{["Azure User"].[user_information].[id]}}>

**Azure User Logins Page:**   
<https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/SignIns/userId/{{["Azure User"].[user_information].[id]}}>
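As an added example (not code from the Azure AD Admin plugin or from any poster above), here is a Python sketch of the two-step containment the first replies describe, followed by the same portal deep links the artifact template builds, using the Microsoft Graph v1.0 user endpoints. The `FakeGraph` transport, the user id `u-1234` and the UPN are constructed so the example runs offline; `graph_transport` is the assumed live transport.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
PORTAL = "https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade"

def graph_transport(token):
    """Transport for live use: bearer-authenticated Graph requests via urllib."""
    def call(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")  # PATCH answers 204 with no body
    return call

def contain_user(user_id, call):
    """Disable the account, revoke its sessions, and return an analyst artifact."""
    user = call("GET", f"{GRAPH}/users/{user_id}?$select=id,userPrincipalName,accountEnabled")
    # Step 1: same effect as the plugin's "Disable User Account" action.
    call("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    # Step 2: "Revoke Sign-In Sessions". Graph resets signInSessionsValidFromDateTime,
    # so refresh tokens and browser session cookies issued before now stop working.
    revoked = call("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")
    return {
        "user": user.get("userPrincipalName"),
        "was_enabled": user.get("accountEnabled"),
        "sessions_revoked": bool(revoked.get("value")),
        "profile_url": f"{PORTAL}/Profile/userId/{user['id']}",
        "signins_url": f"{PORTAL}/SignIns/userId/{user['id']}",
    }

class FakeGraph:
    """Constructed in-memory stand-in for Graph so the example runs offline."""
    def __init__(self):
        self.users = {"u-1234": {"id": "u-1234", "userPrincipalName": "jane@example.com",
                                 "accountEnabled": True}}
        self.log = []  # (method, path, body) for every call made

    def __call__(self, method, url, body=None):
        path = url[len(GRAPH):].split("?")[0]  # e.g. "/users/u-1234/revokeSignInSessions"
        self.log.append((method, path, body))
        uid = path.split("/")[2]
        if method == "GET":
            return dict(self.users[uid])
        if method == "PATCH":
            self.users[uid].update(body)
            return {}
        return {"value": True}  # what POST revokeSignInSessions returns in v1.0
```

Running it live needs an app token with permission to update users and revoke sessions, and, as the thread notes, disabling an administrative account may still be refused by the API.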