MSEntraID#
README
Microsoft Entra ID Responders#
These responders provide various user management capabilities for Microsoft Entra ID, including revoking session tokens, enabling/disabling users, and enforcing password resets.
Available Responders#
-
Revoke Sign-In Sessions (
revokeSignInSessions) – Invalidates all the refresh tokens issued to applications for a Microsoft Entra ID user (as well as session cookies in a user's browser). -
Password Reset (
forcePasswordReset) – Forces a password reset at the next login. -
Password Reset with MFA (
forcePasswordResetWithMFA) – Forces a password reset at the next login, requiring multi-factor authentication (MFA) before changing the password. -
Enable User (
enableUser) – Enables a previously disabled user account. -
Disable User (
disableUser) – Disables a user account, preventing further sign-ins.
Configuration#
To enable the responder, you need three values:
- Microsoft Entra ID Tenant ID
- Application ID
- Application Secret
The first two values can be found at any time in the application's Overview page in the Microsoft Entra ID Portal. The secret must be generated and then stored in a safe place, as it is only fully visible when you first make it.
Setup#
Pre-requisites#
- User account with the Cloud Application Administrator role.
- User account with the Global Administrator Role (most of the steps can be done with only the Cloud App Administrator role, but the final authorization for its API permissions requires GA).
Steps#
Creation#
- Navigate to the Microsoft Entra ID Portal and sign in with the relevant administrator account.
- Navigate to App Registrations, and create a new registration.
- Provide a display name (this can be anything, and can be changed later). Click Register.
Secret#
- Navigate to Certificates and Secrets.
- Create a new client secret. Enter a relevant description and set a security-conscious expiration date.
- Copy the Value. This will only be fully visible for a short time, so you should immediately copy it and store it in a safe place.
API Permissions#
- Navigate to API permissions.
- Add the following Microsoft Graph API application permissions:
-
Directory.ReadWrite.AllUser.ReadWrite.All
Option A (Broader Permissions):
(These permissions cover all responder functionalities.)
-
Option B (Least Privileged – Recommended):
- For the Revoke SignIn Sessions responder:
User.RevokeSessions.All - For the Enable User and Disable User responders:
User.EnableDisableAccount.AllUser.Read.All- For the Password Reset responders:
User-PasswordProfile.ReadWrite.All
- For the Revoke SignIn Sessions responder:
-
Using a Global Administrator account, click the "
Grant admin consent for [TENANTNAME]" button. - Enter the corresponding values (
tenant_id,client_id,client_secret) into your responders Cortex configuration.
Note: For enhanced security, it is recommended to use the least privileged permissions (Option B) that are sufficient for your use case. Please refer to the Microsoft Graph Permissions Reference for further details.
References#
MSEntraID_disableUser#
Author: nusatanra-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Disable user in Microsoft Entra ID for a User Principal Name. (mail)
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
MSEntraID_ForcePasswordResetWithMFA#
Author: nusatanra-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Force password reset at next login with MFA verification before password change for a User Principal Name. (mail)
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
MSEntraID_ForcePasswordReset#
Author: nusatanra-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Force password reset at next login for a User Principal Name. (mail)
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
MSEntraID_revokeSignInSessions#
Author: Daniel Weiner @dmweiner; revised by @jahamilto; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.1
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Invalidates all the refresh tokens issued to applications for a Microsoft Entra ID user (as well as session cookies in a user's browser)
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
MSEntraID_enableUser#
Author: nusatanra-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Enable user in Microsoft Entra ID for a User Principal Name. (mail)
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |