Microsoft Entra ID Account Takeover Response Playbook
A complete, step-by-step playbook for detecting, containing, and remediating account takeover incidents in Microsoft Entra ID. Includes automation recommendations for each phase.
Account takeover (ATO) in Microsoft Entra ID is one of the most damaging identity-based attacks an organization can face. Once an attacker gains access to a legitimate user account, they can move laterally, exfiltrate data, establish persistence, and even escalate to admin-level access—all while appearing as a trusted insider.
The average time to detect an account takeover is 207 days. The average cost of a breach involving compromised credentials is $4.5 million. This playbook is designed to compress your detection-to-containment time from hours to minutes.
1. Understanding the ATO Attack Timeline
Before diving into response actions, you need to understand how attackers operate once they have credentials. This informs which containment actions matter most.
Typical ATO Attack Progression
Initial Access
Attacker logs in with stolen credentials (phishing, credential stuffing, infostealer malware)
Reconnaissance
Enumerate mailbox, OneDrive, SharePoint access. Check admin roles and group memberships.
Persistence
Register MFA device, create inbox rules, add OAuth app consent, generate app passwords
Lateral Movement / Data Access
Access sensitive files, email financial targets, attempt privilege escalation
Impact
BEC fraud, data exfiltration, ransomware deployment, vendor/customer compromise
Key Insight
Persistence happens within the first 15 minutes. If you only revoke the session but miss the OAuth app or new MFA device, the attacker is back in within hours. Your playbook must address all persistence mechanisms.
2. Detection Triggers and Alert Sources
ATO incidents can surface through multiple detection channels. Understanding where alerts originate helps you triage faster.
Entra ID Protection Signals
- Unfamiliar sign-in properties
- Atypical travel (impossible travel)
- Anomalous token / token issuer anomaly
- Password spray detection
- Leaked credentials (dark web monitoring)
- Suspicious inbox forwarding rule
Behavioral / SIEM Signals
- New MFA device registered
- OAuth app consent granted
- Mass file download from SharePoint/OneDrive
- Mailbox delegation added
- User-reported phishing (clicked link)
- Sentinel / Defender XDR multi-stage incident
| Signal | Risk Level | Auto-Trigger? |
|---|---|---|
| Impossible travel + new MFA device | Critical | Yes - immediate containment |
| Leaked credentials (confirmed breach) | Critical | Yes - force password reset |
| Anomalous token detection | High | Yes - revoke sessions |
| OAuth app with mail/files scope | High | Semi - notify + queue revoke |
| Unfamiliar sign-in (new device/location) | Medium | No - enrich + investigate |
| Inbox rule created | Medium | Semi - alert + auto-disable rule |
3. Immediate Containment Actions (First 5 Minutes)
When a high-confidence ATO alert fires, these actions should execute immediately—ideally automated with human notification.
1. Revoke All Active Sessions (Full Auto)
Invalidate all refresh tokens and sign out from all devices.
Graph API: revokeSignInSessions
2. Block Sign-In (Temporary) (Full Auto)
Set accountEnabled to false or apply a blocking Conditional Access policy.
Graph API: Update user or Conditional Access
3. Mark User as Compromised (Full Auto)
Elevate the user's risk level in Entra ID Protection to High.
Graph API: confirmCompromised
4. Notify SOC / On-Call (Full Auto)
Page the analyst with user details, alert source, and risk score.
Webhook to PagerDuty/Slack/Teams
5. Capture Forensic Snapshot (Full Auto)
Pull recent sign-in logs, audit logs, MFA methods, and OAuth apps.
Graph API batch query
Critical Warning
Do NOT skip step 2 (block sign-in). Session revocation alone is insufficient—the attacker can re-authenticate immediately if they still have credentials. Block first, then proceed with credential reset.
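The containment steps above expressed as Microsoft Graph v1.0 calls, as an added example that is not part of BitLyft's playbook or product: it issues block sign-in, session revocation and confirmCompromised in that order (block first, per the warning above) and builds the JSON batch for the forensic snapshot; the SOC webhook is left out. The `send` callable and the dry-run runner are assumptions so the sequence can be exercised without a tenant; in production, pass a sender that attaches a Graph token with the permissions those endpoints require.

```python
import json
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# A request is (method, url, json-body-or-None); send() returns the HTTP status code.
Request = Tuple[str, str, object]
Sender = Callable[[str, str, object], int]


def containment_plan(user_id: str) -> List[Request]:
    """Ordered Graph calls: block first so the attacker cannot re-authenticate,
    then invalidate existing tokens, then raise the user's risk in ID Protection."""
    return [
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
        ("POST", f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
         {"userIds": [user_id]}),
    ]


def forensic_snapshot_batch(user_id: str) -> Dict:
    """JSON batch body (POST {GRAPH}/$batch) that pulls the persistence surfaces
    the playbook lists: recent sign-ins, registered MFA methods, OAuth consent grants."""
    return {"requests": [
        {"id": "signins", "method": "GET",
         "url": f"/auditLogs/signIns?$filter=userId eq '{user_id}'&$top=50"},
        {"id": "mfa", "method": "GET",
         "url": f"/users/{user_id}/authentication/methods"},
        {"id": "oauth", "method": "GET",
         "url": f"/users/{user_id}/oauth2PermissionGrants"},
    ]}


def contain(user_id: str, send: Sender) -> List[str]:
    """Execute the plan in order and stop at the first failure, so no later step
    runs while the account may still be able to sign in."""
    done = []
    for method, url, body in containment_plan(user_id):
        status = send(method, url, body)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {url} failed with HTTP {status}")
        done.append(url.removeprefix(GRAPH))
    return done


if __name__ == "__main__":
    # Dry-run sender (assumption): prints each call and pretends Graph answered 204.
    def dry_run(method, url, body):
        print(method, url, json.dumps(body) if body else "")
        return 204
    print(contain("00000000-0000-0000-0000-000000000000", dry_run))
```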
4. Investigation and Scope Assessment
With the account contained, the next phase is understanding what the attacker accessed and whether they established persistence.
Investigation Checklist
Access Analysis
- Review sign-in logs (past 30 days)
- Identify all IPs and locations used
- Check applications accessed (Graph, Exchange, SharePoint)
- Review mailbox activity (emails sent, read, forwarded)
- Check OneDrive/SharePoint file access and downloads
Persistence Analysis
- List all MFA methods (look for new devices)
- Review OAuth app consents
- Check inbox rules (forwarding, delete rules)
- Review mailbox delegates
- Check for app passwords created
Key Unified Audit Log (UAL) Events
| Operation | Indicates | Risk |
|---|---|---|
| Add registered owner to device | New MFA device added | Critical |
| Consent to application | OAuth app granted access | Critical |
| New-InboxRule | Mail forwarding/hiding rule | High |
| Set-Mailbox (ForwardingSmtpAddress) | External mail forwarding | Critical |
| Add-MailboxPermission | Mailbox delegation added | High |
| FileDownloaded (bulk) | Mass file exfiltration | Critical |
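To turn the table above into triage logic, here is an added example (not the playbook's own code) that scans Unified Audit Log records for those operations inside the attack window, discards Set-Mailbox events that do not set forwarding, and collapses FileDownloaded events into a single bulk finding above a threshold. The record shape (CreationTime, Operation, UserId, Parameters as Name/Value pairs) follows the UAL export format; the sample records, user and timestamps are constructed.

```python
from datetime import datetime, timezone

PERSISTENCE_OPS = {  # Operation -> (what it indicates, risk), from the table above
    "Add registered owner to device": ("New MFA device added", "Critical"),
    "Consent to application": ("OAuth app granted access", "Critical"),
    "New-InboxRule": ("Mail forwarding/hiding rule", "High"),
    "Set-Mailbox": ("External mail forwarding", "Critical"),
    "Add-MailboxPermission": ("Mailbox delegation added", "High"),
    "FileDownloaded": ("Mass file exfiltration", "Critical"),
}


def triage(records, user, window_start, bulk_threshold=100):
    """Findings for `user` at/after `window_start`, most severe first. Set-Mailbox
    counts only when it sets forwarding; FileDownloaded becomes one bulk finding."""
    findings, downloads = [], []
    for rec in records:
        when = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        op = rec["Operation"]
        if rec["UserId"].lower() != user.lower() or when < window_start or op not in PERSISTENCE_OPS:
            continue
        # Exchange cmdlet records carry parameters as [{"Name": ..., "Value": ...}]
        p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
        if op == "Set-Mailbox" and not (p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")):
            continue  # routine mailbox edit, not forwarding
        if op == "FileDownloaded":
            downloads.append(rec["CreationTime"])
            continue
        indicates, risk = PERSISTENCE_OPS[op]
        findings.append({"op": op, "indicates": indicates, "risk": risk,
                         "time": rec["CreationTime"], "params": p})
    if len(downloads) > bulk_threshold:
        findings.append({"op": "FileDownloaded", "indicates": f"{len(downloads)} files downloaded",
                         "risk": "Critical", "time": max(downloads), "params": {}})
    findings.sort(key=lambda f: (f["risk"], f["time"]))  # "Critical" sorts before "High"
    return findings


U = "alice@contoso.example"  # constructed sample user
def ual_record(time, op, **params):  # builds a UAL-shaped record (constructed sample data)
    return {"CreationTime": time, "Operation": op, "UserId": U,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}
SAMPLE_UAL = [
    ual_record("2024-04-28T10:00:00", "New-InboxRule", Name="Newsletters"),  # before the window
    ual_record("2024-05-01T08:06:00", "New-InboxRule", Name=".", DeleteMessage="True"),
    ual_record("2024-05-01T08:09:00", "Set-Mailbox", ForwardingSmtpAddress="smtp:ext@example.net"),
    ual_record("2024-05-01T08:12:00", "Consent to application"),
    ual_record("2024-05-01T08:20:00", "Set-Mailbox", DisplayName="Alice"),  # not forwarding
    *[ual_record(f"2024-05-01T08:3{i % 10}:00", "FileDownloaded") for i in range(120)],
]
WINDOW_START = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)  # first suspicious sign-in
```

Run `triage(SAMPLE_UAL, U, WINDOW_START)` to get the ordered findings; the pre-window rule and the non-forwarding Set-Mailbox are dropped, and the 120 downloads become one Critical finding.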
5. Full Remediation Checklist
After investigation, execute these remediation actions to fully evict the attacker and prevent re-entry.
Credential Reset
- Force password reset (require change at next sign-in) (Full Auto)
- Revoke all refresh tokens (again, post-password reset) (Full Auto)
- Delete any app passwords (Full Auto)
MFA Cleanup
- Remove all MFA methods registered during the attack window (Semi-Auto)
- Re-register user MFA with a verified device (Human Required)
- Enable phishing-resistant MFA (passkeys/FIDO2) (Human Required)
OAuth / App Access
- Revoke suspicious OAuth app consents (Semi-Auto)
- Block the app from the tenant if malicious (Human Decision)
- Review service principal permissions (Human Required)
Email Cleanup
- Delete malicious inbox rules (Full Auto)
- Remove external forwarding (Full Auto)
- Remove mailbox delegates added during the attack (Semi-Auto)
- Search and purge sent phishing emails (Semi-Auto)
Access Restoration
- Unblock the user account (set accountEnabled = true) (Human Approval)
- Dismiss user risk in Entra ID Protection (Human Approval)
- Monitor for 48 hours post-restoration (Full Auto)
6. Recovery and User Communication
Once remediation is complete, restore access and communicate clearly with the affected user.
User Communication Template
Subject: Action Required - Your Account Security
---
Hi [Name],
Our security team detected suspicious activity on your account and took immediate action to protect you.
What happened: Unauthorized access was detected from [Location/IP].
What we did: We secured your account by resetting your session and credentials.
What you need to do:
1. Reset your password using this link: [Link]
2. Re-register your MFA device
3. Report any emails you may have clicked on recently
If you have questions, contact the security team at [email] or [phone].
Security Team
7. Automation Decision Matrix
Not every action should be fully automated. Use this matrix to decide what runs autonomously vs. requires human approval.
| Action | Reversible? | User Impact | Recommendation |
|---|---|---|---|
| Revoke sessions | Yes | Low (re-login) | Full Auto |
| Block sign-in | Yes | High (locked out) | Full Auto |
| Force password reset | No | Medium | Full Auto |
| Remove MFA device | No | High | Semi-Auto |
| Revoke OAuth app | Yes | Medium | Semi-Auto |
| Delete inbox rules | No | Low | Full Auto |
| Unblock user | Yes | N/A | Human Approval |
8. Special Case: Token Theft Response
Token theft (AiTM attacks, session hijacking) bypasses password and MFA entirely. The attacker has a valid refresh token and can access resources without re-authenticating.
Token Theft Indicators
- Entra ID Protection: "Anomalous Token" or "Token Issuer Anomaly" detection
- Sign-in from a new IP immediately after successful MFA from a different IP
- Multiple concurrent sessions from geographically impossible locations
- Session cookie replay detected (same session ID, different source IP)
Token Theft Response Actions
1. Revoke all sessions immediately - Standard containment, but critical for token theft
2. Enable Continuous Access Evaluation (CAE) - Ensures token revocation propagates in near real time
3. Require token binding (if available) - Binds tokens to specific devices/browsers
4. Deploy phishing-resistant MFA - Passkeys/FIDO2 prevent AiTM token theft
5. Reduce token lifetime - Shorter refresh token validity limits the attacker's window
Automate Your Entra ID ATO Response
BitLyft AIR automates the entire ATO response playbook—from detection to containment to remediation—in seconds instead of hours. See how we protect Microsoft 365 environments.
Frequently Asked Questions
How quickly should ATO containment happen?
Ideally within 5 minutes of detection. Attackers establish persistence within 15 minutes, so speed is critical. Automated containment is the only way to consistently hit this target.
Should I block the user or just revoke sessions?
Both. Session revocation stops the current session, but the attacker can re-authenticate if they have credentials. Blocking prevents any sign-in until remediation is complete.
How do I handle VIP/executive accounts?
Same playbook, but with immediate escalation to leadership. Consider having a separate 'white glove' process for credential reset and device re-enrollment with executive assistants.
What if the attacker registered their own MFA device?
This is why MFA cleanup is critical. During investigation, identify all devices registered during the attack window and remove them before allowing the user to re-authenticate.