Incident Response for Compromised User Account Containment in Microsoft Entra ID

This Standard Operating Procedure (SOP) provides comprehensive guidance for detecting, containing, and remediating compromised user accounts within Microsoft Entra ID (formerly Azure Active Directory). It should be activated immediately when indicators of account compromise are detected, including suspicious sign-in activity, unauthorized access, privilege escalation, or malicious actions performed using valid credentials. This procedure is intended for SOC analysts (L1, L2, L3), Incident Respon

2026-02-14T23:42:09.607Z
Rudra Verma, Senior Security Architect & Researcher