Our company uses MS365, and while it’s good to be able to disable an on-prem AD user using a workflow, it’s not enough. Is there a way to create a workflow to disable an Entra ID user? This would be extremely helpful to us! Please help point me in the right direction.
I’m confused. This plug-in seems only to work for InsightConnect. Is there no functionality available for InsightIDR for this without needing InsightConnect?
We just got InsightIDR Ultimate and it says we have unlimited access to SOAR. Is that what I need to make this specific Entra ID automation? Where do you access SOAR? From the Rapid7 platform landing page somewhere?
InsightIDR Subscriptions & Features | Rapid7
I don’t have IDR, but I access ICON from the platform landing page.
With your package you should be able to leverage that InsightConnect workflow. I recommend looking through the documentation regarding Active Response - which is an option for MDR customers where Rapid7 can disable a user and revoke the sessions if the SOC has “confirmed” malicious activity. Rapid7 Active Response | Managed Services Documentation
In the screenshot it shows the two methods to get to InsightConnect from the platform home.
If you navigate to the extension library, type Azure, and then filter by workflows, we have a few that are already pre-built. You would import them, set up the connections, and then activate.
You can customize any workflow that is found in the extension library. Think of them as templates. If you find a workflow that doesn’t include Azure, but does most of what you want, you can import that, and customize it to also do the Azure actions.
If you find something you like and need help or guidance, start another Discuss thread, be detailed in what you are trying to accomplish, and we will try to provide guidance. If you can open it in the InsightConnect section instead of InsightIDR, that would be ideal.
Let me know if you have further questions or concerns.