Incident Response for Compromised User Account Containment in Microsoft Entra ID
This Standard Operating Procedure (SOP) provides comprehensive guidance for detecting, containing, and remediating compromised user accounts within Microsoft Entra ID (formerly Azure Active Directory). It should be activated immediately when indicators of account compromise are detected, including suspicious sign-in activity, unauthorized access, privilege escalation, or malicious actions performed using valid credentials. This procedure is intended for SOC analysts (L1, L2, L3), Incident Respon
Rudra Verma, Senior Security Architect & Researcher