This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.

This guide helps you set up your Microsoft 365 device so that you can enable the Reset Credentials auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.

Scope and Limitations

When choosing to enable this auto remediation, remember the following:

  • This auto remediation will not work on admin user accounts or on accounts that Microsoft considers Privileged (as these accounts cannot be forced to change their password).
  • While an account is temporarily disabled, the user will be unable to reset their password; they will be forced to change their password as soon as the account is re-enabled.

Prerequisites

  1. You must be an Azure admin for your organization, as you must have the ability to grant app permissions and add assignments.
  2. You must have admin access in Workbench, as auto remediations are enabled at the organization level.
  3. Make sure all end user accounts have MFA enabled, to allow the auto remediation to run properly.
  4. Make sure to enable password writeback so that password changes made in Microsoft Entra ID are synchronized back to your local Active Directory (password writeback is not enabled by default in a hybrid environment).

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Grant Necessary Permissions
  2. Add an Expel Assignment to the User Administrator Role
  3. Update Your Context
  4. Return to the Main Setup Guide

Step 1: Grant Necessary Permissions

The remediation actions the Expel SOC creates in Workbench will run in your vendor technology, so granting us certain permissions is required. The way you grant us these permissions will depend on how you set up your initial Microsoft 365 security device. 

  • If you chose to use the Expel application during your onboarding, go to Option 1.
  • If you chose to create your own custom Microsoft Entra ID application during your onboarding, go to Option 2.
  • If you aren't sure, go to your enterprise applications in Azure and look for either the Expel Microsoft 365 Integration application or your custom application. Then proceed based on which one you find.

Option 1: Grant Permissions in the Expel Application

If you chose to use the Expel Microsoft 365 Integration application during your security device onboarding, you will simply need to grant admin consent so that we may perform the auto remediation.

Note

If you have set up other auto remediations for Microsoft 365, you may have completed this step already. We recommend that you verify this permission before moving on to Step 2.

  1. Log in to https://portal.azure.com/.
  2. Select Enterprise Applications.
  3. Select the Expel application.
  4. In the left menu, go to Security > Permissions.
  5. Select the Grant admin consent for Expel button.
  6. Select the Refresh option to verify that the permissions have been updated.
  7. Go to Add an Expel Assignment to the User Administrator Role.

Option 2: Grant Permissions in Your Microsoft Entra ID Application

If you chose to create your own custom application during your security device onboarding, you will need to grant us admin consent and add user read/write permissions for the Microsoft Graph API so that we may perform the auto remediation.

  1. Log in to https://portal.azure.com/.
  2. Use the search field to locate the Expel Cloud Service application, which is displayed in the Microsoft Entra ID section of the search results (you registered and created this app during your security device onboarding). Locating it this way allows you to configure permissions via Application Registration.
  3. Go to Manage > API Permissions.
    • If you do not see this option, you are not in the right place. Try going to Security > Permissions and looking for a message that says "To configure requested permissions for apps you own, use the app registration." The accompanying Application Registration link will take you to the right place.
  4. If you see the User.ReadWrite.All permission in the configured permissions for Microsoft Graph and the type shows as Application, you are done and can skip to Add an Expel Assignment to the User Administrator Role. If not, continue to step 5.
  5. Select Add a permission.
  6. Select Microsoft Graph.
  7. Select Application permissions as the type.
  8. Navigate to the User.ReadWrite.All permission and use the checkbox to select it.
  9. Select Add permissions to save your changes.
  10. Use the search field to find and select Enterprise Applications.
  11. Select your custom application.
  12. In the left menu, go to Security > Permissions.
  13. Select the Grant admin consent for Expel button.
  14. Select the Refresh option to verify that the permissions have been updated.

Step 2: Add an Expel Assignment to the User Administrator Role

You will need to add an assignment for Expel within the User Administrator role to allow us to reset user credentials.

  1. Still in the Azure portal, search for Microsoft Entra ID.
  2. Go to Manage > Roles and Administrators.
  3. Search for and select the User Administrator role.
  4. Select Add assignments to add the assignment for Expel. Important: This assignment must be added to the Expel application or to your custom application (whichever one you configured in the previous section).

If you need additional help with assignments, refer to the Azure documentation.
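
To confirm the outcome of Steps 1 and 2 without clicking through the portal, the following read-only check can be run with the Microsoft Graph PowerShell SDK. It is an added example, not part of Expel's tooling; the display name in $AppDisplayName is an assumption and should be changed to your custom application's name if you followed Option 2.

```powershell
# Added example: read-only verification of Step 1 (Graph permission) and Step 2 (role assignment).
# Requires the Microsoft.Graph PowerShell module and an account allowed to read
# applications and directory role assignments.

# Assumption: name of the enterprise application configured in Step 1.
$AppDisplayName = 'Expel Microsoft 365 Integration'

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Resolve the service principal; stop if the name is missing or ambiguous,
# so the checks below are never run against the wrong application.
$candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($candidates.Count)."
}
$sp = $candidates[0]

# Step 1: User.ReadWrite.All must be granted as an Application permission on Microsoft Graph.
# For application permissions, admin consent is recorded as an app role assignment.
$graph   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRole = $graph.AppRoles | Where-Object {
    $_.Value -eq 'User.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'
}
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id -and $_.AppRoleId -eq $appRole.Id }

# Step 2: the same service principal must hold an active User Administrator assignment.
$roleDef     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All)
$userAdmin   = $assignments | Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }

# Summary. A DirectoryScopeId of '/' means the role applies tenant-wide.
# TotalDirectoryRoles above 1 means the application holds roles beyond what this guide asks for.
[pscustomobject]@{
    Application               = $sp.DisplayName
    ServicePrincipalId        = $sp.Id
    UserReadWriteAllConsented = [bool]$granted
    UserAdministratorAssigned = [bool]$userAdmin
    UserAdministratorScope    = ($userAdmin.DirectoryScopeId -join ', ')
    TotalDirectoryRoles       = $assignments.Count
}
```

Both boolean fields should read True before you continue to Step 3. The check covers active role assignments only, so an assignment that exists only as eligible will show as False.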

Step 3: Update Your Context

If you do not want to specify any credentials for a "do not reset" or "always reset" list, and instead wish for Expel to automatically reset all identified credentials, skip to Step 4.

Working with your engagement manager, prepare to create an allow or deny list by adding credentials as context for your environment. You will then be able to select those credentials as "Never reset" or "Always reset" assets when you enable the auto remediation in Workbench.

Note

If our SOC identifies credentials that must be reset and you have created either an allow ("Always reset") or deny ("Never reset") list in Workbench, any credentials falling outside of those parameters are assigned to you as actions rather than being reset automatically.

Step 4: Return to the Main Setup Guide

Your Microsoft 365 device is now ready for the Reset Credentials auto remediation. You should now do one of the following:

  • If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
  • If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.