Entra ID (Azure AD) Account Lockdown (RUX)
This article describes the Azure Active Directory (AAD) Account Lockdown feature in a Frequently Asked Questions (FAQ) style. This feature is only available in the Vectra Respond UX.
Overview
What is Azure Active Directory (AAD) Account Lockdown?
Why is disabling of an AAD/M365 account necessary during a security investigation?
Requirements and Configuration
What are the requirements necessary to configure AAD Account Lockdown?
What permissions are required in Vectra to configure and utilize AAD Account Lockdown?
What Vectra roles will automatically be enabled with permissions for AAD Account Lockdown?
How do I configure AAD Account Lockdown?


What is the name of the app added to Azure AD?
What permission in Microsoft is required for the Vectra AI - Azure AD Lockdown app?
How is the required permission in Microsoft configured?
Does the consent app link ever change?
Can I setup AAD Account Lockdown for more than one AAD/M365 data source?
Usage
What enforcement options does AAD Account Lockdown provide for AAD/M365 accounts?
How do I manually lock down an account?

How can I utilize Automatic AAD Account Lockdown?
Where can I check the Lockdown status of an account?

Once an AAD/M365 account has been disabled, how can it be re-enabled?
Why is it preferred to re-enable an account through the Vectra Respond UX?
Are there any account types that cannot be disabled?
Is there API support for AAD Account Lockdown?
Notification
Will the end user be notified when an account is locked down?
How can administrators know if an account has been locked down through Vectra?
Are logs available of Lockdown related actions?

Disabling
If I no longer wish to use AAD Account Lockdown, what are the steps to turn it off?
How do I remove consent for the App if I wish to completely remove the integration?
Technical Note
Last updated
Was this helpful?