☁️ Cloud Identity Compromise Response Quickstart
Time-boxed response path for cloud identity compromise incidents targeting Azure AD, M365, and associated cloud services. Prioritises immediate session revocation, MFA enforcement, tenant-configuration review, and OAuth app auditing to eliminate attacker persistence in the cloud identity plane.
First 15 Minutes
Review the triggering alert (Azure AD Identity Protection risk event, impossible-travel detection, anomalous token activity, or SIEM correlation) and validate it against Azure AD sign-in logs. Confirm whether the suspicious sign-in is a true compromise by examining the IP geolocation, device compliance state, user-agent string, and risk-level assessment. False positives from VPN usage or travel must be ruled out quickly to avoid unnecessary disruption.
Immediately revoke all active sessions and refresh tokens for the compromised account using Revoke-AzureADUserAllRefreshToken or the Microsoft Entra admin center. This forces re-authentication on all devices and terminates any attacker sessions that are using stolen tokens. Note that access tokens remain valid until they expire (typically 60-90 minutes), so time-sensitive operations by the attacker may continue briefly even after revocation.
Reset the compromised account password, disable the account temporarily if the compromise is severe, and verify that MFA is properly configured and not bypassed. Check whether the attacker registered additional MFA methods (new phone number, authenticator app) and remove them. If the account previously had MFA exceptions or was using legacy authentication protocols that bypass MFA, close those gaps immediately to prevent re-compromise.
If the compromised identity had access to Azure subscriptions, AWS accounts, or GCP projects, assess whether the attacker used that access to modify cloud infrastructure. Temporarily restrict the account's access to sensitive resources using conditional-access policies, Azure RBAC changes, or resource-level access controls. Check for newly created virtual machines, storage accounts, or IAM roles that may indicate the attacker is establishing persistent infrastructure.
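The four steps above as one PowerShell sequence against the Microsoft Graph PowerShell SDK. This is an added example and not DFIR Assist's own tooling; it assumes the Microsoft.Graph module is installed, that the operator holds the scopes listed in the Connect-MgGraph call, and that $Upn and $IncidentStart are placeholders for the compromised account and the alert time. Revoke-MgUserSignInSession is the Graph SDK equivalent of the Revoke-AzureADUserAllRefreshToken cmdlet named above (the AzureAD module it came from is retired); Remove-SuspectMfaMethod is this example's own wrapper around the per-method removal cmdlets.

```powershell
# Added example (not DFIR Assist's own tooling): first-15-minutes triage and
# containment with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; operator holds the scopes
# below; $Upn and $IncidentStart are placeholders.
$Upn           = 'compromised.user@example.com'    # placeholder
$IncidentStart = (Get-Date).AddHours(-24)           # placeholder: alert time

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
                        'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'

$user      = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
$since     = $IncidentStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$baseStart = $IncidentStart.AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Validate the alert: sign-ins since the alert, with the fields that separate
#    a real compromise from VPN or travel noise.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$signIns | Sort-Object CreatedDateTime | Select-Object CreatedDateTime, IpAddress,
    @{n='Country';   e={ $_.Location.CountryOrRegion }},
    @{n='City';      e={ $_.Location.City }},
    @{n='Compliant'; e={ $_.DeviceDetail.IsCompliant }},
    @{n='Browser';   e={ $_.DeviceDetail.Browser }},
    AppDisplayName, RiskLevelDuringSignIn,
    @{n='Result';    e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail $($_.Status.ErrorCode)" } }} |
    Format-Table -AutoSize

# Successful sign-ins from IPs the account never used in the prior 30 days are
# the ones to escalate.
$baselineIps = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $baseStart and createdDateTime lt $since" |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Select-Object -ExpandProperty IpAddress | Sort-Object -Unique
$newIps = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.IpAddress -notin $baselineIps } |
    Select-Object -ExpandProperty IpAddress | Sort-Object -Unique
"Successful sign-ins from previously unseen IPs: $($newIps -join ', ')"

# Everything below assumes the analyst confirmed compromise.

# 2. Revoke refresh tokens and sessions. Access tokens already issued stay valid
#    until they expire, as the text notes.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Reset the password to a random value and disable the account for now.
#    Hand the new password to the user out of band, never by e-mail to this mailbox.
$newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 4. Inventory registered MFA methods, then pull security-info registration
#    events since the alert to see which ones the attacker added.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }}

Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like '*security info*' -and
                   $_.TargetResources.UserPrincipalName -contains $Upn } |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{n='By';     e={ $_.InitiatedBy.User.UserPrincipalName }},
        @{n='FromIp'; e={ $_.InitiatedBy.User.IPAddress }}

# Helper (this example's own) that maps a method type from the inventory to the
# matching removal cmdlet.
function Remove-SuspectMfaMethod {
    param([string]$UserId, [string]$MethodId, [string]$Type)
    switch ($Type) {
        'phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $MethodId }
        'microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $MethodId }
        'softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $MethodId }
        'emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $MethodId }
        default { Write-Warning "No removal cmdlet wired for '$Type'; remove it in the Entra admin center" }
    }
}
# Remove-SuspectMfaMethod -UserId $user.Id -MethodId '<id from inventory>' -Type 'phoneAuthenticationMethod'
```

Run the sign-in review first and continue past it only once compromise is confirmed, since disabling the account and stripping its MFA methods is disruptive if the alert was a VPN or travel false positive. Reading sign-in logs through Graph requires an Entra ID P1 or P2 licence; without it, the same fields are visible in the Entra admin center sign-in blade. Revocation does not invalidate access tokens already issued, so the account disable is what closes that window once they expire.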
First 60 Minutes
Export Azure AD sign-in logs and audit logs for the compromised account and any related service principals covering at least 30 days before the incident. Focus on successful authentications from unfamiliar IPs, MFA registration events, role-assignment changes, and conditional-access policy modifications. Azure AD logs are the primary evidence source for understanding the scope and timeline of a cloud-identity compromise.
Export the M365 Unified Audit Log for the compromised account to identify all actions taken during the compromise window. Look for email access, file downloads from SharePoint and OneDrive, Teams message reads, and administrative operations. The UAL provides a comprehensive record of data access that is essential for determining whether the attacker exfiltrated data or modified configurations during their access window.
Capture the current Azure AD tenant configuration including conditional-access policies, authentication methods, named locations, app registrations, enterprise applications, custom roles, and federation settings. Attackers with privileged access often modify tenant settings to weaken security controls or create backdoors. Compare the current configuration against your documented baseline to identify unauthorized changes that must be remediated.
Enumerate all OAuth applications that the compromised account consented to, and review enterprise app registrations for any new or modified apps created during the compromise window. Attackers frequently register malicious OAuth apps with broad permissions (Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All) to maintain persistent access that survives password resets. Revoke suspicious app permissions and delete unauthorized registrations.
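The evidence export, tenant snapshot and OAuth audit for this phase, as an added example that is not the page's or DFIR Assist's own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, the scopes in the Connect-MgGraph call, and placeholders $Upn, $IncidentStart and $CaseDir; the $riskyScopes list is this example's own starting point and should be extended to match the tenant's consent policy.

```powershell
# Added example (not DFIR Assist's own tooling): first-60-minutes evidence export
# and OAuth consent audit.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed;
# $Upn, $IncidentStart and $CaseDir are placeholders.
$Upn           = 'compromised.user@example.com'   # placeholder
$IncidentStart = (Get-Date).AddHours(-24)          # placeholder: alert time
$CaseDir       = 'C:\Cases\INC-0000'               # placeholder
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All',
                        'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

$user  = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$start = $IncidentStart.AddDays(-30)                  # 30 days of history
$iso   = $start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$since = $IncidentStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Sign-in and directory audit logs for the account (and anything that
#    targeted it), saved as JSON so nothing is lost to column truncation.
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $iso" |
    ConvertTo-Json -Depth 10 | Set-Content "$CaseDir\signins.json"
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $iso" |
    Where-Object { $_.InitiatedBy.User.UserPrincipalName -eq $Upn -or
                   $_.TargetResources.UserPrincipalName -contains $Upn } |
    ConvertTo-Json -Depth 10 | Set-Content "$CaseDir\directory-audit.json"

# 2. Unified Audit Log for the account. One call returns at most 5000 records,
#    so page through a session until it comes back empty.
$sessionId = "ual-$($user.Id)-$(Get-Date -Format yyyyMMddHHmmss)"
$ual = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -UserIds $Upn `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $ual += $page
} while ($page)
$ual | Select-Object CreationDate, RecordType, Operations, AuditData |
    Export-Csv "$CaseDir\ual.csv" -NoTypeInformation

# 3. Tenant configuration snapshot to diff against the documented baseline.
$snapshot = @{
    'ca-policies'       = Get-MgIdentityConditionalAccessPolicy -All
    'named-locations'   = Get-MgIdentityConditionalAccessNamedLocation -All
    'auth-methods'      = Get-MgPolicyAuthenticationMethodPolicy
    'app-registrations' = Get-MgApplication -All
    'enterprise-apps'   = Get-MgServicePrincipal -All
    'custom-roles'      = Get-MgDirectoryRoleDefinition -All | Where-Object { -not $_.IsBuiltIn }
    'federation'        = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' } |
                          ForEach-Object { Get-MgDomainFederationConfiguration -DomainId $_.Id }
}
foreach ($name in $snapshot.Keys) {
    $snapshot[$name] | ConvertTo-Json -Depth 10 | Set-Content "$CaseDir\$name.json"
}

# 4. OAuth consent audit: delegated grants held by this user or granted
#    tenant-wide, flagged when they carry broad scopes.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'MailboxSettings.ReadWrite', 'Files.ReadWrite.All',
               'Directory.ReadWrite.All', 'User.ReadWrite.All', 'offline_access'   # example list
$tenantId = (Get-MgContext).TenantId
$grants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.PrincipalId -eq $user.Id -or $_.ConsentType -eq 'AllPrincipals' }
$report = foreach ($g in $grants) {
    $sp   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId, AppOwnerOrganizationId
    $hits = ($g.Scope -split ' ') | Where-Object { $_ -in $riskyScopes }
    [pscustomobject]@{
        GrantId  = $g.Id
        App      = $sp.DisplayName
        AppId    = $sp.AppId
        External = ($sp.AppOwnerOrganizationId -ne $tenantId)   # owned by another tenant (Microsoft first-party apps included)
        Consent  = $g.ConsentType
        Risky    = ($hits -join ' ')
    }
}
$report | Export-Csv "$CaseDir\oauth-grants.csv" -NoTypeInformation
$report | Where-Object { $_.Risky } | Format-Table -AutoSize

# Apps and consents created since the alert, from the directory audit log.
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -in 'Consent to application', 'Add service principal', 'Add application' } |
    Select-Object ActivityDateTime, ActivityDisplayName, @{n='Target'; e={ $_.TargetResources.DisplayName -join ';' }}

# Once a grant is confirmed malicious, revoke it (and delete an attacker-registered
# app with Remove-MgServicePrincipal / Remove-MgApplication):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the report>'
```

The grant report keeps every grant, not just flagged ones, because an app with innocuous scopes that appeared during the window is still evidence. Revoking the permission grant alone does not kill tokens the app already holds; pair it with the session revocation from the first phase, and delete the service principal when the app itself was registered by the attacker.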
First 4 Hours
Review mailbox rules for the compromised account and any other accounts the attacker may have accessed. Look for auto-forwarding rules to external addresses, rules that delete or move incoming security notifications, and rules that intercept password-reset or MFA-related emails. These rules are a common persistence mechanism that allows attackers to maintain visibility into the victim mailbox even after the initial compromise is remediated.
Analyze the Unified Audit Log and Azure AD logs to trace any lateral movement from the compromised identity to other cloud resources. Check whether the attacker accessed other user mailboxes, SharePoint sites, Azure subscriptions, or administrative portals. Look for privilege-escalation attempts such as adding the compromised account to admin roles, creating new admin accounts, or modifying PIM (Privileged Identity Management) settings.
Perform a thorough credential remediation that includes password reset, revocation of all refresh tokens, removal and re-enrollment of all MFA methods, disabling app passwords, and revoking any personal access tokens or API keys. If the compromised account had access to service principals, managed identities, or key-vault secrets, rotate those credentials as well. Verify that conditional-access policies now enforce MFA for all sign-in scenarios for the remediated account.
Review and strengthen conditional-access policies based on the attack vectors observed during the investigation. Implement or tighten policies for: requiring MFA for all users including privileged accounts, blocking legacy authentication protocols, restricting sign-ins from non-compliant devices, enforcing location-based access controls for admin portals, and requiring device compliance for sensitive resource access. Document all policy changes and test them to avoid locking out legitimate users.
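Persistence hunting, lateral-movement review and conditional-access review for this phase, as an added example that is not part of the original page. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and placeholders $Upn and $IncidentStart; Test-ExternalRecipient is this example's own helper, and the folder names and keywords it flags are illustrative rather than a complete list.

```powershell
# Added example (not DFIR Assist's own tooling): first-4-hours persistence
# hunting, lateral-movement review and conditional-access review.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed;
# $Upn and $IncidentStart are placeholders; patterns flagged below are
# illustrative, not exhaustive.
$Upn           = 'compromised.user@example.com'   # placeholder
$IncidentStart = (Get-Date).AddHours(-24)          # placeholder: alert time
$since         = $IncidentStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# 1. Inbox rules and mailbox-level forwarding. Rules that send mail outside the
#    tenant, or that silently delete/move it, are the persistence to look for.
$acceptedDomains = (Get-AcceptedDomain).DomainName
function Test-ExternalRecipient([string[]]$Recipients) {
    # Helper (this example's own): true if any recipient is outside our domains.
    # Entries look like "Display Name [SMTP:user@domain]" or a bare address.
    foreach ($r in $Recipients) {
        if (-not $r) { continue }
        $addr = if ($r -match 'SMTP:([^\]]+)') { $Matches[1] } else { $r }
        if ($addr -match '@(.+)$' -and $Matches[1] -notin $acceptedDomains) { return $true }
    }
    return $false
}
$suspectRules = Get-InboxRule -Mailbox $Upn | ForEach-Object {
    $why = @()
    if (Test-ExternalRecipient (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo))) { $why += 'external-forward' }
    if ($_.DeleteMessage) { $why += 'deletes' }
    if ($_.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History') { $why += "moves-to:$($_.MoveToFolder)" }
    if ((@($_.SubjectContainsWords) + @($_.BodyContainsWords)) -match 'password|mfa|verif|security|invoice|payment') { $why += 'keyword-filter' }
    if ($why) { [pscustomobject]@{ Rule = $_.Name; Id = $_.Identity; Enabled = $_.Enabled; Why = ($why -join ',') } }
}
$suspectRules | Format-Table -AutoSize
Get-Mailbox -Identity $Upn | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
# After review: Remove-InboxRule -Identity '<Id>' -Confirm:$false
#               Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 2. Lateral movement: other mailboxes this account read, bulk file downloads,
#    and directory changes the account initiated since the alert.
$events = Search-UnifiedAuditLog -StartDate $IncidentStart -EndDate (Get-Date) -UserIds $Upn `
    -Operations MailItemsAccessed, FileDownloaded, FileSyncDownloadedFull -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }
$events | Where-Object { $_.Operation -eq 'MailItemsAccessed' -and $_.MailboxOwnerUPN -and $_.MailboxOwnerUPN -ne $Upn } |
    Group-Object MailboxOwnerUPN | Select-Object @{n='OtherMailbox'; e={ $_.Name }}, Count
$events | Where-Object { $_.Operation -like 'File*Download*' } |
    Group-Object ClientIP | Select-Object @{n='ClientIP'; e={ $_.Name }}, Count
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.InitiatedBy.User.UserPrincipalName -eq $Upn -and
                   $_.ActivityDisplayName -match 'member to role|Add user|Update user|PIM|eligib' } |
    Select-Object ActivityDateTime, ActivityDisplayName, @{n='Target'; e={ $_.TargetResources.DisplayName -join ';' }}

# 3. Conditional-access review: for each policy, does it demand MFA, does it
#    block legacy clients, and who/what is in scope. Gaps show up as rows with
#    State not 'enabled' or RequiresMfa false on broad user scopes.
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    $grant = $_.GrantControls
    $cond  = $_.Conditions
    [pscustomobject]@{
        Policy       = $_.DisplayName
        State        = $_.State
        RequiresMfa  = ($grant.BuiltInControls -contains 'mfa') -or [bool]$grant.AuthenticationStrength.Id
        BlocksLegacy = ($grant.BuiltInControls -contains 'block') -and
                       (($cond.ClientAppTypes -contains 'exchangeActiveSync') -or ($cond.ClientAppTypes -contains 'other'))
        Users        = ($cond.Users.IncludeUsers -join ',')
        Apps         = ($cond.Applications.IncludeApplications -join ',')
    }
} | Sort-Object State, Policy | Format-Table -AutoSize
```

MailItemsAccessed records carry MailboxOwnerUPN, so a row where the owner differs from the compromised account is direct evidence of delegate or shared-mailbox reads and should pull that mailbox into the rule review above. The conditional-access table is a starting point for the policy changes in the last step: a policy in report-only state, or one whose user scope excludes privileged accounts, is exactly the gap the text asks you to close, and new policies should be rolled out in report-only mode first so legitimate users are not locked out.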
DFIR Assist — Cloud Identity Compromise Response Quickstart | Printed 3/1/2026