Entra ID (Azure AD) Account Lockdown (RUX)

This article describes the Azure Active Directory (AAD) Account Lockdown feature in a Frequently Asked Questions (FAQ) style. This feature is only available in the Vectra Respond UX.


Please Note:

Azure Active Directory Account Lockdown is only available in Vectra's Respond UX. Account Lockdown is a different feature that can be used by both Respond UX and Quadrant UX users to lock down Active Directory accounts. If you are unsure of which UX you have, please see Vectra Analyst User Experiences (Respond vs Quadrant) for additional guidance. For details on the Account Lockdown feature, please see the Account Lockdown FAQ.


Overview

What is Azure Active Directory (AAD) Account Lockdown?

  • AAD Account Lockdown gives Respond UX users the ability to stop potentially malicious Azure AD and M365 accounts during a security investigation. It enables an enforcement action, by disabling the account and/or revoking the current session. The enforcement action can be initiated manually by a Vectra user with the proper permissions, or via Automatic Lockdown when an account crosses a configurable Urgency score threshold.

Why is disabling of an AAD/M365 account necessary during a security investigation?

  • Disabling an AAD/M365 account can prevent an attack from progressing further along the kill chain. It can stop the malicious user from logging into any additional systems, potentially limiting the blast radius of an on-going attack.

Requirements and Configuration

What are the requirements necessary to configure AAD Account Lockdown?

  • AAD Account Lockdown requires a user with ‘Global Administrator’ permissions in the customer's AAD tenant to grant consent for Vectra to be added as an application. This consent is what enables Respond UX users (who have the required permissions in Vectra) to perform Lockdown.

  • A user with sufficient permissions in Vectra to configure AAD Account Lockdown.

  • A user with sufficient permissions in Vectra to use AAD Account Lockdown.

What permissions are required in Vectra to configure and utilize AAD Account Lockdown?

  • There are two sets of permissions associated with AAD Account Lockdown:

    • Configuration of AAD Account Lockdown (available in Settings > External Connectors).

      • view_azure_ad_lockdown_settings

        • Allows viewing of AAD Lockdown settings.

      • edit_azure_ad_lockdown_settings

        • Allows editing of AAD Lockdown settings.

    • Using AAD Account Lockdown (available in the sidebar of an AAD/M365 account entity page).

      • view_azure_ad_lockdown

        • Allows viewing of AAD Lockdown status of an AAD/M365 account.

      • edit_azure_ad_lockdown

        • Allows a user to lock or unlock an AAD/M365 account.

          • This includes all Lockdown functionality such as revoking the existing AAD/M365 account session.

What Vectra roles will automatically be enabled with permissions for AAD Account Lockdown?

  • By default, all roles will be granted view permissions.

  • By default, Admin and Super Admin roles will have all AAD Account Lockdown related permissions.

  • Role permissions can be modified as desired at Manage > Roles.

How do I configure AAD Account Lockdown?

  1. Ensure that the roles used by your admins and analysts have the desired permissions per the permissions guidance above.

    • Roles can be edited by any Vectra user with the "Manage - Roles" permission by navigating to Manage > Roles in your Vectra UI.

  2. Navigate to Configuration > Response:Lockdown > Azure AD Lockdown and edit this setting to enable the integration of Vectra with AAD and the Lockdown functionality itself.

  3. Copy the consent link by clicking the "Copy" button and follow the consent flow to allow Vectra to integrate with your AAD.

  4. Once you have completed the consent flow, AAD Account Lockdown is fully configured.

What is the name of the app added to Azure AD?

  • The consent process above will create an app in Azure AD under "Enterprise Applications" called "Vectra AI - Azure AD Lockdown"

What permission in Microsoft is required for the Vectra AI - Azure AD Lockdown app?

  • API Name

    • Microsoft Graph

  • Claim value

    • Directory.ReadWrite.All

    • UserAuthenticationMethod.ReadWrite.All

  • Permission display name

    • Read and write directory data

    • Read and write all users' authentication methods

  • Permission description

    • Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion.

      • Vectra requires this to revoke and disable accounts.

    • Allows the app to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone number and Authentication app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

      • Vectra requires this to reset passwords.
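The two application permissions listed above are the complete set the consent flow is expected to grant. The following script is an added example (it is not Vectra's code) that uses the Microsoft.Graph PowerShell SDK to look up the "Vectra AI - Azure AD Lockdown" service principal and compare the Microsoft Graph application permissions actually granted to it against that documented set. It assumes the Microsoft.Graph module is installed and that the signed-in administrator can read application and service principal objects; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known value for the Graph resource.

```powershell
# Added example (not Vectra's code): verify which Microsoft Graph application
# permissions were granted to the "Vectra AI - Azure AD Lockdown" enterprise app.
# Assumption: Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin can read application/service principal objects.

Connect-MgGraph -Scopes 'Application.Read.All'

# The two permissions documented in the FAQ; anything else deserves a second look.
$expected = @('Directory.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All')

# Service principal created by the consent flow (display name from the FAQ).
$vectraSp = Get-MgServicePrincipal -Filter "displayName eq 'Vectra AI - Azure AD Lockdown'" |
    Select-Object -First 1
if (-not $vectraSp) {
    throw 'Vectra AI - Azure AD Lockdown app not found; has the consent flow been completed?'
}

# Microsoft Graph's own service principal; its AppRoles map role GUIDs to claim values.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# App role assignments on the Vectra service principal are its admin-consented
# application permissions (no signed-in user). Resolve each role id to its claim value.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $vectraSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

'Granted Microsoft Graph application permissions:'
$granted | ForEach-Object { "  $_" }

# Drift in either direction is worth a ticket: extra permissions widen the blast
# radius of the integration's credentials; missing ones mean Lockdown will fail.
$unexpected = @($granted  | Where-Object { $_ -notin $expected })
$missing    = @($expected | Where-Object { $_ -notin $granted })

if ($unexpected.Count) { Write-Warning "Permissions beyond the documented set: $($unexpected -join ', ')" }
if ($missing.Count)    { Write-Warning "Documented permissions not granted: $($missing -join ', ')" }
if (-not $unexpected.Count -and -not $missing.Count) { 'Granted permissions match the documented set.' }
```

Run this once after completing the consent flow and again periodically (or after any change to enterprise applications), since the app role assignments are what an attacker with tenant-level access would need to modify to turn this integration into a broader foothold.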

How is the required permission in Microsoft configured?

  • This permission is granted as part of the automated consent process, which is performed by a Global Administrator.

Does the consent link expire?

  • No, once created, the consent app link remains the same and does not expire.

Can I setup AAD Account Lockdown for more than one AAD/M365 data source?

  • No, at this time AAD Account Lockdown supports a single Microsoft tenant. If the consent link is executed against a second tenant, AAD Account Lockdown will stop working for accounts in the original tenant where the consent flow was executed and start working in the second tenant.

Usage

What enforcement options does AAD Account Lockdown provide for AAD/M365 accounts?

  • AAD/M365 accounts can be locked manually through the Respond UX with the following enforcement actions:

    1. Revoke session

      • The account’s current session is interrupted and the user is signed out.

    2. Revoke session and disable the account

      • The account’s current session(s) are interrupted and the account is disabled for further use.

    3. Revoke session and reset the password

      • The account's current session(s) are interrupted and the user is prompted to set a new password at the next sign-in.

  • Please note that all accounts that have been disabled will require manual re-enablement.

    • This can be done through the Vectra UI (preferred) or outside of the Vectra UI in AAD.

How do I manually lock down an account?

  • All AAD/M365 accounts have an Account Lockdown widget in the sidebar of their individual account entity pages. From here you can enable or disable Lockdown. To lock down an account, click the "Disable Account" button and select whether you would like to only revoke the current session or to revoke the current session and disable the account.

  • Please note that enabling or disabling manual lockdown on an account will require the Respond UX user to have the edit_azure_ad_lockdown permission enabled.

How can I utilize Automatic AAD Account Lockdown?

  • After enabling Azure AD Account Lockdown, you can also enable Automatic AAD Account Lockdown by setting the slider next to the feature to "On".

  • You can also pick the threshold for Automatic Lockdown by moving the slider to the desired Urgency score that must be met before Lockdown will happen.

Where can I check the Lockdown status of an account?

  • All AAD/M365 accounts will have a new Account Lockdown widget in the sidebar of individual account pages. From here you can see the account's current Lockdown status. If an account is locked down, the status will show the username of the Respond UX user that enabled lockdown for that account and the time it was invoked.

  • If only an account's sessions are revoked, the Lockdown event is logged, but it is not visible on the account page.

Once an AAD/M365 account has been disabled, how can it be re-enabled?

  • AAD/M365 accounts can only be re-enabled via the following methods:

    • A user with the correct permissions manually re-enables the account via the Respond UX (strongly recommended).

    • The account is re-enabled outside of the Respond UX (via AAD) (NOT recommended).

      • This is NOT recommended because AAD Account Lockdown does not know the enablement state of the account on the customer's AAD/M365 side.

  • To re-enable an account through the Respond UX, simply click the "Re-enable Account" button in the Account Lockdown widget.

Why is it preferred to re-enable an account through the Vectra Respond UX?

  • AAD Account Lockdown does not know the enablement state of the account on the customer AAD/M365 side.

  • If an account is re-enabled in AAD and not through the Respond UX, the Respond UX will still show the account as "Disabled".

    • You can simply use the "Re-enable Account" option in the Respond UX if you know the account has been enabled outside of the Respond UX.

Are there any account types that cannot be disabled?

  • Yes, Admin Azure AD accounts cannot be disabled and can only have their active sessions revoked.

  • Revoking sessions works for all account types.

Is there API support for AAD Account Lockdown?

  • Not at this time.

Notification

Will the end user be notified when an account is locked down?

  • No, the end user is not notified by Vectra when their account is locked down.

How can administrators know if an account has been locked down through Vectra?

  • The status "Disabled until re-enabled" is shown in the Account Lockdown widget on the account entity page.

  • Administrators are notified via email.

Is there an audit log of Lockdown actions?

  • Yes, the audit log is available via API calls to the /api/v3.3/events/audits endpoint.

  • Pulling this endpoint (for example with Postman) returns the "azure_ad_lockdown" related event objects.
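Because the UI only shows the current state of an account, a SOC that wants to alert on every lockdown and re-enablement needs to read the audit endpoint programmatically. The script below is an added example, not Vectra's code or a Postman collection from the original article. It assumes that $Token is a valid API bearer token obtained separately, that $VectraHost is your appliance hostname (the value shown is a placeholder), and that the endpoint returns JSON as either an array of event objects or an object with an "events" array; nothing else about the response layout is assumed, because the filter matches the "azure_ad_lockdown" substring on the serialized object rather than on named fields.

```powershell
# Added example (not Vectra's code): pull the audit endpoint named in the FAQ and
# keep only the "azure_ad_lockdown" related event objects.
# Assumptions (verify against your own instance): $Token is a valid API bearer
# token obtained separately; the JSON body is either an array of events or an
# object carrying an "events" array.
param(
    [Parameter(Mandatory)] [string] $VectraHost,   # placeholder, e.g. vectra.example.internal
    [Parameter(Mandatory)] [string] $Token
)

$uri     = "https://$VectraHost/api/v3.3/events/audits"
$headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }

$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

# Normalise the two plausible response shapes into a single list of event objects.
$events = if ($response.PSObject.Properties['events']) { $response.events } else { @($response) }

# Match the substring the FAQ names wherever it appears in the event, so the
# filter does not depend on any particular field name.
$lockdownEvents = @($events | Where-Object {
    ($_ | ConvertTo-Json -Compress -Depth 10) -like '*azure_ad_lockdown*'
})

"$($lockdownEvents.Count) azure_ad_lockdown audit event(s) returned"
$lockdownEvents | ConvertTo-Json -Depth 10
```

This reads only the first page the endpoint returns; follow the pagination and time-window parameters documented for your API version to run it on a schedule, and forward the filtered objects to your SIEM so an unexpected re-enablement of a locked account raises an alert.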

Disabling

If I no longer wish to use AAD Account Lockdown, what are the steps to turn it off?

  • A Vectra user with the proper permissions to edit AAD Account Lockdown settings can navigate to Settings > External Connectors > Azure AD Lockdown, click "Edit", toggle "Enable Azure AD Account Lockdown" to off, and click "Save".

    • This disables Azure AD Account Lockdown for every Vectra user until it is re-enabled.

    • You can leave the integration with Azure AD configured if you wish.

  • Microsoft does not allow third parties to revoke consent on behalf of a customer, so an administrator can instead delete the Azure AD Account Lockdown enterprise application in the tenant.

  • The consent process can be followed again if you wish to re-enable consent in the future.

Technical Note

Most customers synchronize on-premises Active Directory with Entra ID, and AD remains the authoritative source for account attributes. Disabling an account only in the cloud layer can be overwritten by AD Connect on the next sync, which makes that action less dependable. Disabling via Active Directory should be preferred.

Password resets behave differently. In most deployments the reset is written back to AD and then synced to Entra ID, so it persists across both systems. When paired with session revocation, all access and refresh tokens are invalidated. Since token theft attacks do not require the user’s password, forcing reauthentication cuts off the attacker immediately, giving your team a reliable containment action across cloud and hybrid identities.
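The containment logic described in this note, as an added example that is not Vectra's code: a helper that checks whether the identity is synchronized from on-premises AD and then disables (and optionally resets) it in the authoritative directory, so that the next AD Connect sync cannot undo the change, before revoking Entra ID sessions. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are available and that the operator holds the rights each cmdlet requires; the function name Invoke-IdentityContainment is this example's own.

```powershell
# Added example (not Vectra's code): durable containment for hybrid and
# cloud-only identities. Assumptions: ActiveDirectory and Microsoft.Graph
# modules are installed; the operator has the rights each cmdlet needs.
function Invoke-IdentityContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $ResetPassword
    )

    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All'

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, AccountEnabled, OnPremisesSyncEnabled, OnPremisesSamAccountName

    if ($user.OnPremisesSyncEnabled) {
        # Hybrid identity: AD is authoritative, so act there. A cloud-only
        # disable would be reverted by AD Connect on the next sync.
        $sam = $user.OnPremisesSamAccountName
        Disable-ADAccount -Identity $sam

        if ($ResetPassword) {
            # Random throwaway value; the help desk issues a real one after the
            # investigation. Forcing a change at next logon keeps it single-use.
            $bytes = New-Object byte[] 24
            [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
            $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
            Set-ADAccountPassword -Identity $sam -Reset -NewPassword $newPw
            Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
        }
        $where = 'on-premises AD (synced to Entra ID)'
    }
    else {
        # Cloud-only identity: Entra ID is authoritative, so disabling there is durable.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $where = 'Entra ID (cloud-only)'
    }

    # Stolen tokens do not need the password, so revoke sessions in every case.
    # This invalidates refresh tokens and browser session cookies; access tokens
    # already issued run to their normal expiry unless Continuous Access
    # Evaluation is in effect for the client.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    [pscustomobject]@{
        User            = $UserPrincipalName
        DisabledIn      = $where
        PasswordReset   = [bool]$ResetPassword -and [bool]$user.OnPremisesSyncEnabled
        SessionsRevoked = $true
    }
}

# Usage (placeholder UPN):
# Invoke-IdentityContainment -UserPrincipalName 'user@example.com' -ResetPassword
```

Keep the sync path in mind when re-enabling as well: for a synced user the re-enable must happen in AD, and the Respond UX status should then be cleared with "Re-enable Account" so that Vectra's view of the account matches the directory.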
