This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your Microsoft Defender for Endpoint device so that you can enable the On-Prem/Hybrid Disable Accounts auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies an account (username or email address) that is compromised and must be disabled, Workbench completes the action automatically and logs the user out of their session.
This remediation action attempts both on-premises (domain controller) and cloud (Entra ID) disablement for a user. It first attempts to disable the user account on the specified domain controller(s) (domain controller hostnames are set up via context; see Step 3) using Microsoft Defender for Endpoint Live Response, and then attempts to force a cloud sync. Even if that sync attempt fails, a separate task is executed via Microsoft Graph to ensure the user account is also disabled in Entra ID.
Active user sessions and refresh tokens for the disabled account are revoked via Microsoft Graph.
You have the option to restrict these actions to specific accounts by configuring an allow or deny list (the accounts must first be added as context, and then the list can be configured in Workbench; see Step 3).
Note
Some vendors refer to disabling a user account as blocking a user, suspending a user, changing user status, removing a user from the org, or locking a user account.
Endpoints Used
MS Graph API Endpoints (for Cloud/Entra ID users)
| Method | Endpoint | Purpose |
| --- | --- | --- |
| GET | v1.0/users/{userid} | Get user details (check whether the user exists, and read onPremisesSyncEnabled and accountEnabled) |
| PATCH | v1.0/users/{userid} | Update the user: sets accountEnabled to false to disable the account |
| POST | v1.0/users/{userid}/revokeSignInSessions | Revoke all sign-in sessions |
| POST | beta/users/{userid}/invalidateAllRefreshTokens | Revoke all refresh tokens |
Microsoft Defender for Endpoint API (for On-Prem/Hybrid users)
| Method | Endpoint | Purpose |
| --- | --- | --- |
| GET | api/machines/{id} | Get machine details (OS platform) |
| POST | api/machines/{id}/runliveresponse | Execute a PowerShell script on the domain controller |
| GET | api/machineactions/{id} | Poll for action completion status |
| POST | api/libraryfiles | Upload the PowerShell script to the Live Response library |
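The two tables above list the endpoints; the following added example (written for this page, not Expel's or Microsoft's code) strings them together in the order described under How It Works: Live Response on each configured domain controller first, then the Graph disable and token revocation regardless of the on-prem outcome. It runs against a constructed in-memory stand-in for both APIs so it works offline; the user principal names, machine IDs, the library-file name, the hostname-to-machine-ID lookup, the OS platform check and the `-Identity=` script argument are all assumptions, not details the page states.

```python
# Added example for this page (not Expel's or Microsoft's code): the endpoint
# sequence behind the On-Prem/Hybrid Disable Accounts remediation, run against
# an in-memory stand-in for the Graph and Defender for Endpoint APIs so it
# works offline. All names, IDs and the hostname-to-machine-ID map are assumed.

SCRIPT_NAME = "disable-ad-account.ps1"   # assumed library-file name
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}   # machineaction end states


class FakeTenant:
    """Constructed stand-in for both APIs; users, machines, statuses and IDs are made up."""

    def __init__(self, polls_until_done=2):
        self.users = {
            "jdoe@contoso.example": {"id": "u-1", "accountEnabled": True, "onPremisesSyncEnabled": True},
            "cloudonly@contoso.example": {"id": "u-2", "accountEnabled": True, "onPremisesSyncEnabled": False},
        }
        self.machines = {"m-dc01": {"id": "m-dc01", "osPlatform": "WindowsServer2022"}}
        self.revoked, self.invalidated, self.library, self.actions = set(), set(), {}, {}
        self.disabled_on_prem = []          # UPNs the simulated DC script disabled
        self.polls_until_done = polls_until_done

    def call(self, method, path, body=None):
        """Dispatch (method, path) the way the remediation issues them; returns (status, json)."""
        parts = path.split("/")
        if parts[0] in ("v1.0", "beta") and parts[1] == "users":          # Microsoft Graph
            user = self.users.get(parts[2])
            if user is None:
                return 404, {"error": "Request_ResourceNotFound"}
            if method == "GET":
                return 200, dict(user)
            if method == "PATCH":
                user.update(body)                                          # accountEnabled: false
                return 204, None
            if path.endswith("/revokeSignInSessions"):
                self.revoked.add(parts[2])
                return 200, {"value": True}
            if path.endswith("/invalidateAllRefreshTokens"):
                self.invalidated.add(parts[2])
                return 200, {"value": True}
        if path == "api/libraryfiles":                                     # Defender for Endpoint
            self.library[body["fileName"]] = body["content"]
            return 200, body
        if parts[:2] == ["api", "machines"]:
            machine = self.machines.get(parts[2])
            if machine is None:
                return 404, {"error": "NotFound"}
            if method == "GET":
                return 200, dict(machine)
            if path.endswith("/runliveresponse"):
                action_id = f"a-{len(self.actions) + 1}"
                self.actions[action_id] = {"status": "Pending", "polls": 0, "body": body}
                return 201, {"id": action_id, "status": "Pending"}
        if parts[:2] == ["api", "machineactions"]:
            action = self.actions[parts[2]]
            action["polls"] += 1
            if action["polls"] >= self.polls_until_done and action["status"] == "Pending":
                # Simulate the RunScript finishing: read the UPN out of the Args parameter.
                params = action["body"]["Commands"][0]["params"]
                args = next(p["value"] for p in params if p["key"] == "Args")
                self.disabled_on_prem.append(args.split("=", 1)[1])
                action["status"] = "Succeeded"
            return 200, {"id": parts[2], "status": action["status"]}
        return 400, {"error": "unhandled"}


def disable_account(tenant, upn, dc_machine_ids, max_polls=10):
    """Disable one account in the page's order and return a step log.
    dc_machine_ids maps each DC hostname from context to its Defender machine ID (assumed lookup)."""
    log = []
    status, user = tenant.call("GET", f"v1.0/users/{upn}")
    if status == 404:
        return ["user_not_found"]
    if user["onPremisesSyncEnabled"]:
        tenant.call("POST", "api/libraryfiles", {"fileName": SCRIPT_NAME, "content": "<ps1 body>"})
        for host, machine_id in dc_machine_ids.items():
            status, machine = tenant.call("GET", f"api/machines/{machine_id}")
            if status != 200 or not machine["osPlatform"].startswith("WindowsServer"):
                log.append(f"{host}:skipped")
                continue
            body = {"Commands": [{"type": "RunScript", "params": [
                        {"key": "ScriptName", "value": SCRIPT_NAME},
                        {"key": "Args", "value": f"-Identity={upn}"}]}],
                    "Comment": "Expel auto remediation: disable account"}
            _, action = tenant.call("POST", f"api/machines/{machine_id}/runliveresponse", body)
            for _ in range(max_polls):                                    # poll until a terminal state
                _, action = tenant.call("GET", f"api/machineactions/{action['id']}")
                if action["status"] in TERMINAL:
                    break
            log.append(f"{host}:{action['status']}")
    else:
        log.append("cloud_only")
    # Cloud disablement always runs, whatever happened on the domain controllers.
    tenant.call("PATCH", f"v1.0/users/{upn}", {"accountEnabled": False})
    tenant.call("POST", f"v1.0/users/{upn}/revokeSignInSessions")
    tenant.call("POST", f"beta/users/{upn}/invalidateAllRefreshTokens")
    log.append("cloud_disabled")
    return log


if __name__ == "__main__":
    t = FakeTenant()
    print(disable_account(t, "jdoe@contoso.example", {"dc01": "m-dc01"}))   # ['dc01:Succeeded', 'cloud_disabled']
```

The ordering is the point: the Graph PATCH and the two revocation calls run even when a domain controller is unreachable or the Live Response action never reaches a terminal state, which is the guarantee described under How It Works. Note that invalidateAllRefreshTokens is a beta endpoint, and that neither revocation call invalidates access tokens that have already been issued.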
Scope and Limitations
When choosing to enable this auto remediation, remember the following:
- This remediation works in on-prem-only, hybrid, and cloud-only Entra ID/Active Directory environments. Because the account is disabled on the domain controller as well as in Entra ID, the Entra ID disablement will not be rolled back by a later Active Directory sync in hybrid environments. If you have a cloud-only Entra ID environment, however, we recommend that you instead use the Microsoft 365 Disable Accounts remediation action.
- A user who was signed in before the account was disabled can still access some resources until their existing access token expires and re-authentication is required. Revoking sign-in sessions and refresh tokens stops new access tokens from being issued, but does not invalidate access tokens already in hand. The default access token lifetime is 60 to 90 minutes, so a user may remain signed in to some resources for up to 90 minutes after the account is disabled.
- This auto remediation will not work on admin user accounts, or on any user who is assigned a privileged directory-level role or a privileged read-only role.
- While an account is disabled, the user cannot reset their password. After the account is re-enabled, the password must be reset manually.
Prerequisites
- You must be an Azure admin for your organization, as you must have the ability to grant app permissions and add assignments.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
- You must have a valid license for Microsoft Defender for Endpoint Plan 2 (P2) or Microsoft 365 E5/A5/G5 (which includes P2).
Step 1: Grant Necessary Permissions
The remediation actions the Expel SOC creates in Workbench will run in your vendor technology, so granting us certain permissions is required.
The option you choose in this section depends on how you initially onboarded your Microsoft Defender for Endpoint device in Workbench.
- If you chose to enable the Microsoft Defender for Endpoint integration, follow Option 1.
- If you chose to create a custom Azure application, follow Option 2.
Option 1 (Microsoft Defender for Endpoint Integrations)
New installation
No changes are required.
Existing installation
- Open Expel Microsoft Defender for Endpoint Integration > API Permissions.
- Select Grant admin consent.
- Consent to the new API permissions.
Option 2 (Custom Azure Applications)
New and existing installations:
- Follow all previous API permission steps in Microsoft Defender for Endpoint Setup for Workbench.
- Add these Microsoft Graph application permissions to your custom Azure application:
- Directory.ReadWrite.All
- User.EnableDisableAccount.All
- User.ManageIdentities.All
- User.Read.All
- User.RevokeSessions.All
- Add these WindowsDefenderATP application permissions to your custom Azure application:
- Library.Manage
- Machine.LiveResponse
- Machine.ReadWrite.All
Step 2: Enable Live Response
To enable on-prem/hybrid disablement of accounts, you must allow Expel to run PowerShell commands via Microsoft Defender for Endpoint Live Response. To enable the running of these commands on domain controllers, follow these steps:
Ensure Domain Controllers are Onboarded with Live Response
- Go to the Microsoft Defender portal and sign in.
- Check Domain Controller Onboarding Status:
- Go to Assets > Devices in the Microsoft Defender portal.
- Search for your Domain Controller hostnames.
- Ensure their status is Active and the Onboarding status is Onboarded.
Enable Live Response Advanced Features
- In the navigation pane, select Settings > Endpoints > Advanced features.
- Ensure the following features are enabled:
- Live Response
- Live Response on Servers
- Live Response unsigned script execution
- Select Save preferences.
Note
Expel will only use the Microsoft Defender for Endpoint Live Response “unsigned script execution” permission to issue remediation commands to your Domain Controllers via the Live Response channel. These commands are limited to the remediation actions you opt into in org settings. Expel uses the Live Response “unsigned script execution” permission for the following Microsoft Defender for Endpoint remediation actions:
- Account disablement and enablement (in case a disabled account should be reverted)
- Process termination (as part of the Kill Processes remediation action)
- File deletion (as part of the Delete Malicious Files remediation action)
Enabling this option does not alter the local PowerShell Execution Policy enforced by GPO on the server. It strictly permits the execution of unsigned scripts only when initiated through the authenticated Live Response session. It does not allow users logged directly into the server to run unsigned scripts. Furthermore, execution via Live Response is restricted to users with specific RBAC permissions (e.g., Global/Security Admins) within the Microsoft Defender portal.
Step 3: Update Your Context
Working with your Customer Success Manager:
- (Optional) Create an allow or deny list by adding accounts as context for your environment.
- Specify the hostnames of one or more domain controllers which should be used for on-prem disablement via Live Response (mandatory for on-prem/hybrid disablement).
For the remediation action to identify your domain controllers' hostnames, ensure they are tagged with the Domain Controller detection tag in Workbench.
Note
If our SOC identifies an account that must be disabled and you have created either an allow ("Always disable") or deny ("Never disable") list in Workbench, any accounts falling outside of those parameters are assigned to you as actions rather than being disabled automatically.
Step 4: Return to the Main Setup Guide
Your Microsoft Defender for Endpoint device is now ready for the On-Prem/Hybrid Disable Accounts auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.