From the security event details page accessible in the Report section by clicking on an event, or through the "View event in Office Protect" link in the security events notifications, you can now perform remediation actions to act quickly and avoid potential damage if there is a compromise on your organization.
Please note the Office Protect team is focused on adding new remediations. If you have any suggestions, feel free to contact us at [email protected].
REMEDIATION ACTIONS
Permissions
If the Office Protect health status is Healthy on your tenant: to perform Block User actions, new Delegated Permissions have been automatically added to your Office Protect application, including offline_access and Directory.AccessAsUser.
To be able to remove applications, some Application permissions have been added to Office Protect: AppCatalog.ReadWrite.All, TeamsAppInstallation.ReadWriteForUser.All, TeamsAppInstallation.ReadWriteForTeam.All, TeamsAppInstallation.ReadWriteForChat.All, TeamSettings.ReadWrite.All and Chat.ReadWrite.All.
You can review Office Protect application permissions in the Entra ID admin portal.
If the Office Protect health status is Unhealthy on your tenant: you first need to remediate the situation from the Health Status section.
To perform user disabling actions on administrators, Office Protect needs a Global Administrator to grant new delegated permissions to Office Protect, including offline_access and Directory.AccessAsUser.
If the permissions have not been granted, a consent page will be displayed when clicking on "Block user" on an admin for the first time.
This consent cannot be granted by the tenant's partner: only a Global Administrator on the tenant can grant these permissions. Once the delegated permissions have been granted on behalf of the organizations, partner users with the right roles will be able to disable Admin users in addition to regular non-admin users.
Block user
On which security events?
Any event raised by and/or on a user. Each user on which a remediation action is available will have a dedicated remediation section.
Actions - you can select any of the following actions to be applied when blocking a user:
- Disable user: user will not be able to sign-in until unblocked.
How to unblock: from the M365 admin portal (click on the user - Unblock sign-in), or through the Entra Identity admin portal (click on a user - Edit properties - Settings - "Account enabled" checkbox).
Important Note: If an Entra ID synchronization solution is configured on your tenant, it may revert the disabling action after a few minutes. However, the revoke session action cannot be reverted.
- Revoke sessions: revokes all the user's active sessions to cuts off the access to the potentially compromised user. The user will have to sign-in again. This action alone does not prevent a malicious user from connecting again. It must be combined with other actions such as resetting the password and/or disabling the user.
This action cannot be undone. - Remove mail forwarding: available only if user has a mailbox in your tenant - removes the Email forwarding options set on the user in the Exchange admin center.
This action cannot be undone. - Disable inbox rules: available only if user has a mailbox in your tenant - hackers can create malicious inbox rules for data extraction purposes, to hide phishing attacks or to prevent the user to be contacted.
Inbox rules can be reviewed in Exchange on the mailbox directly. Rules are not permanently deleted, so after reviewing the rules you or the impacted user can re-enable the legitimate rules and delete the malicious ones. - Reset password: currently under development, it is strongly recommended to perform this action manually along with the above. You can reset a user's password from the M365 admin portal (click on the user - Reset password), or through the Entra Identity admin portal.
Office Protect recommends at a bare minimum, disabling the user, revoking active sessions, and resetting the password. It is also important to keep a close eye on the suspicious user after the reactivating them, in case they are compromised anew.
Who can you block?
- Regular users & Guest users with no admin roles: you can immediately disable these users from Office Protect with no further steps.
- Privileged administrators, Administrators: to disable these users, you will be prompted to sign-in with a user that has a Privileged Authentication Administrator or Global Administator role in the tenant. You cannot block the user you have signed-in with.
These roles can be granted to the tenant's user accounts (guests / regular) or through the DAP/GDAP partner relationship and associated security groups. - System: you cannot block system users like "app@sharepoint".
- Anonymous users: you cannot block anonymous users. Anonymous users are temporary access users generated when a file that has been shared anonymously using sharepoint, onedrive, or teams, is accessed from outside the organization.
Remove App
On which security events?
- User Consented to an App
- New Teams app installed
- Application Permissions Change
Actions:
- Remove app: will remove the application and/or service principal from your organization (Entra Identity/ Teams)
How to restore an application: you can restore the application from the App Registrations section - Deleted applications in the Entra Identity admin portal.
You can block a Teams application from being installed in your organization through the Teams admin portal - Teams apps section.
Which applications can you remove?
- Entra Identity applications
- Teams applications
Reset Password
On which security events?
Any event raised by and/or on a user.
Actions:
- Reset password: will reset the user's password. Once the user's password is reset, a temporary password will be displayed once on screen. The user will need to change it at their next sign-in.
You can also choose to receive the temporary password by email, or send it by email to any Office Protect user who has access to the organization.
To reset a user's password, you will be asked to sign-in with a user who has a Global Administrator or Privileged Authentication Admin role on the tenant.
This action cannot be undone.
Which passwords can you reset?
Any user hosted in your Entra ID.
Remove Rule
On which security events?
- Suspicious Inbox Rule Detected
- Mail Forwarding Rule(s) to External Destination Created
Actions:
- Remove Inbox Rule: will delete the inbox rule from the mailbox
- Remove Mailbox Forwarding: will remove the mailbox forwarding setting from the mailbox
- Remove Transport Rule: will delete the transport rule from the tenant
These actions cannot be undone.
Remove Mailbox Access
On which security events?
When FullAccess rights have been granted to a user on a mailbox:
- Mailbox Access Granted to Non-Owner
- Mailbox Access by Non-Owner
Actions:
- Remove Mailbox Access: removes the user's FullAccess rights on the accessed mailbox
This action cannot be undone.
Remove Anonymous Sharing Link
On which security events?
- File Shared Publicly (anonymous)
Actions:
- Remove sharing link: removes the concerned folder's or file's anonymous sharing links
This action cannot be undone.
FAQ
Why aren't remediations available for my event?
If no remediation is available at the time, or no action can be performed on the user/the application, this banner is displayed:
The Office Protect team is actively working to add new remediations and handle more use cases.
Why are some of the actions greyed out?
If some of the Block user actions are greyed out, it means they cannot apply to the concerned user. Example: the user has no mailbox in the tenant, so you cannot perform actions on it ; user has no mailbox forwarding setting enabled,...
My remediation action failed, what should I do?
If the Disable user action fails on an administrator, make sure the user you signed-in with has the right role to perform the action, and that you are not trying to disable the user you have signed-in with nor the last Global Administrator account created on your tenant.
You can try to refresh the page and re-apply the remediation. If the issue remains, please contact us at [email protected] to get assistance.
Please note that the Office Protect team is currently working to add more details on actions failures.
I have an idea for a remediation. How can I share it with you?
The Office Protect team will be happy to get your feedback and suggestions! You can contact us at [email protected].