Managed Sentinel – Alert 140
| Field | Value |
| --- | --- |
| Alert ID | MS-A140 |
| Alert Name | Previously blocked Azure AD accounts becoming active |
| Description | This alert is triggered whenever an Azure AD account that was previously blocked from signing in is unblocked. |
| Severity Level | High |
| Threat Indicator | Compromised Account |
| MITRE ATT&CK Tactics | Privilege Escalation, Credential Access |
| Log sources | Azure AD |
| False Positive | |
| Recommendations | 1. Disable the user account. 2. Complete an investigation in Azure Sentinel to understand any access from the impacted user account to other internal network systems. 3. Review the log history in the SignIns and AzureActivity tables to identify the administrator who reactivated the user account. |