This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your Microsoft 365 device so that you can enable the Disable Accounts auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies an account (username or email address) that is compromised and must be disabled, Workbench completes the action automatically and logs the user out of their session. You have the option to restrict these actions to specific accounts by configuring an allow or deny list (the accounts must first be added as context, and then the list can be configured in Workbench; see Step 2).
Note
Some vendors refer to disabling a user account as blocking a user, suspending a user, changing user status, removing a user from the org, or locking a user account.
Scope and Limitations
When choosing to enable this auto remediation, remember the following:
- After a previously logged-in account is disabled, it can still access some resources until its current access token expires and it is forced to re-authenticate. The default token expiration is 60 to 90 minutes after the account is disabled, so a user may remain logged in and able to reach some resources for up to 90 minutes after disablement.
- This auto remediation will not work on admin user accounts, or on any user who is assigned a privileged directory-level role or a privileged read-only role.
- While an account is disabled, neither an admin nor the user can reset its password. After the account is re-enabled, the password must be reset manually.
If you have an on-prem Active Directory or a hybrid Entra ID/on-prem Active Directory environment, consider the following safety precautions before enabling this auto remediation:
- This remediation action performs account disablement in Entra ID and NOT in on-prem AD.
- In hybrid environments, the on-prem AD configuration always takes precedence and is considered the "source of truth." Microsoft initiates automatic syncs from on-prem AD to Entra ID every 30-60 minutes.
- In hybrid environments, the account disablement Expel pushes via Entra ID is rolled back by Microsoft at the next sync. To keep the account locked, you must also lock it in the on-prem environment before that sync runs.
- To safely disable accounts in on-prem or hybrid AD environments, Expel recommends using our Microsoft Defender for Endpoint: On-Prem/Hybrid Disable Accounts auto remediation. Enable this auto remediation via the Microsoft Defender for Endpoint: Disable Accounts setup guide.
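To make the two points above concrete, here is what the disable action and the hybrid caveat look like at the Microsoft Graph API level. This is an added example, not Expel's or Workbench's code (Workbench's implementation is not published). It assumes an application that holds the User.ReadWrite.All permission granted in Step 1 and a bearer token obtained elsewhere; the names `GraphSession`, `FakeGraphSession`, `disable_and_sign_out` and `demo` are introduced here, the "log the user out" step is modelled as Graph's `revokeSignInSessions` action (an assumption about how Workbench does it), and the `onPremisesSyncEnabled` and `accountEnabled` properties are Microsoft Graph's own. The sample directory in `demo()` is constructed so the block runs offline.

```python
"""Entra ID disable-account action over Microsoft Graph, with the hybrid-sync guard.

Added example, not Expel/Workbench code. Assumes an app with User.ReadWrite.All
and a bearer token from your own auth flow.
"""
import json
import urllib.request
from dataclasses import dataclass

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "$select=id,userPrincipalName,accountEnabled,onPremisesSyncEnabled"


class GraphSession:
    """Minimal live Graph transport over the standard library."""

    def __init__(self, bearer_token):
        self.token = bearer_token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()          # PATCH returns 204 with an empty body
        return json.loads(raw) if raw else {}


class FakeGraphSession:
    """Constructed offline stand-in: a tiny directory plus a log of every call."""

    def __init__(self, users):
        self.users = users             # object id -> user dict
        self.calls = []                # (method, path, body)

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        uid = path.split("/")[2].split("?")[0]
        user = self.users[uid]
        if method == "GET":
            return dict(user)
        if method == "PATCH":
            user.update(body)
            return {}
        if method == "POST" and path.endswith("/revokeSignInSessions"):
            return {"value": True}     # what Graph returns for this action
        raise ValueError(f"unexpected call {method} {path}")


@dataclass
class DisableResult:
    user_principal_name: str
    outcome: str                       # "disabled" | "hybrid_blocked" | "already_disabled"
    note: str


def disable_and_sign_out(session, user_id):
    """Disable a cloud-only account in Entra ID and revoke its sign-in sessions."""
    user = session.request("GET", f"/users/{user_id}?{SELECT}")
    upn = user["userPrincipalName"]
    # Hybrid guard: a user synced from on-prem AD (onPremisesSyncEnabled == true)
    # would have an Entra-side disable rolled back at the next directory sync,
    # so the account has to be disabled on-prem instead.
    if user.get("onPremisesSyncEnabled"):
        return DisableResult(upn, "hybrid_blocked",
                             "synced from on-prem AD; disable there, not in Entra ID")
    if user.get("accountEnabled") is False:
        return DisableResult(upn, "already_disabled", "no change made")
    session.request("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    # Revoking sessions invalidates refresh tokens, so no new access tokens can be
    # obtained. Access tokens already issued stay valid until they expire, which is
    # the 60-90 minute lag described in Scope and Limitations.
    session.request("POST", f"/users/{user_id}/revokeSignInSessions")
    return DisableResult(upn, "disabled",
                         "sessions revoked; cached access tokens expire on their own")


def demo():
    """Run the action against a constructed directory: one cloud-only, one synced user."""
    directory = {
        "0000-cloud": {"id": "0000-cloud", "userPrincipalName": "alice@example.com",
                       "accountEnabled": True, "onPremisesSyncEnabled": None},
        "0000-hybrid": {"id": "0000-hybrid", "userPrincipalName": "bob@example.com",
                        "accountEnabled": True, "onPremisesSyncEnabled": True},
    }
    session = FakeGraphSession(directory)
    results = [disable_and_sign_out(session, uid) for uid in list(directory)]
    return results, session


if __name__ == "__main__":
    for r in demo()[0]:
        print(f"{r.user_principal_name}: {r.outcome} ({r.note})")
```

For live use, replace `FakeGraphSession` with `GraphSession(token)`; the `onPremisesSyncEnabled` check is the cheap way to find out in advance whether an Entra-side disable will survive the next AD Connect sync.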
Prerequisites
- You must be an Azure admin for your organization, as you must have the ability to grant app permissions and add assignments.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Step 1: Grant Necessary Permissions
- Step 2: Update Your Context
- Step 3: Return to the Main Setup Guide
Step 1: Grant Necessary Permissions
The option you choose in this section depends on how you initially onboarded your Microsoft 365 device in Workbench.
- If you chose to enable the Microsoft 365 integration, follow Option 1.
- If you chose to create a custom Azure application, follow Option 2.
Option 1 (Microsoft 365 Integrations)
New installation
No changes are required.
Existing installation
- Open Expel O365 Integration > API Permissions.
- Select the Grant admin consent button.
- Consent to the new API permissions.
Option 2 (Custom Azure Applications)
New and existing installations
- Follow all previous API permission steps in Microsoft 365 Direct Setup for Workbench.
- Add this Microsoft Graph application permission to your custom Azure application: User.ReadWrite.All
- Verify User.ReadWrite.All is added, and then select Grant admin consent.
Step 2: Update Your Context
If you do not want to specify any accounts for a "do not disable" or "always disable" list, and instead wish for Expel to automatically disable all identified accounts, skip to Step 3.
Working with your engagement manager, prepare to create an allow or deny list by adding accounts as context for your environment. You will then be able to select those accounts as "Never disable" or "Always disable" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies an account that must be disabled and you have created either an allow ("Always disable") or deny ("Never disable") list in Workbench, any accounts falling outside of those parameters are assigned to you as actions rather than being disabled automatically.
Step 3: Return to the Main Setup Guide
Your Microsoft 365 device is now ready for the Disable Accounts auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.