Managed Sentinel – Alert 140

Alert ID: MS-A140
Alert Name: Previously blocked Azure AD accounts becoming active
Description: This alert is triggered whenever an Azure AD account that was previously blocked from signing in is re-enabled.
Severity Level: High
Threat Indicator: Compromised Account
MITRE ATT&CK Tactics: Privilege Escalation, Credential Access
Log Sources: Azure AD
False Positive:
Recommendations:
1. Disable the user account.
2. Complete an investigation in Azure Sentinel to understand any access from the impacted user account to other internal network systems.
3. Review the AuditLogs table (Azure AD "Update user" operations where the AccountEnabled property changed) to identify the administrator or application that re-enabled the account, and the SigninLogs table for any sign-ins by that account after it was re-enabled.
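The following KQL is an added example, not the Managed Sentinel detection rule itself. It shows one way to implement both the trigger described above (an account whose AccountEnabled property flips from false to true) and recommendation 3 (who re-enabled it and what the account did afterwards). It assumes the standard Azure AD AuditLogs and SigninLogs schemas as ingested into Sentinel; the one-hour lookback and the output column names are assumptions chosen for this example.

```kql
// Added example: detect Azure AD accounts re-enabled after being blocked,
// then list any sign-ins by those accounts after the re-enable event.
// Assumes default AuditLogs / SigninLogs schemas; lookback is an assumption.
let lookback = 1h;
let reenabled =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    // Enabling/disabling a user is logged as an "Update user" operation
    | where OperationName == "Update user" and Result == "success"
    // Each modified property is an element of this array; expand them
    | mv-expand Prop = TargetResources[0].modifiedProperties
    | where tostring(Prop.displayName) == "AccountEnabled"
    // oldValue/newValue are JSON-encoded strings such as "[false]" / "[true]"
    | where tostring(Prop.oldValue) has "false" and tostring(Prop.newValue) has "true"
    | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName)),
             // Interactive admin changes populate InitiatedBy.user;
             // Graph / PowerShell / automation changes populate InitiatedBy.app
             ActorUPN  = tostring(InitiatedBy.user.userPrincipalName),
             ActorApp  = tostring(InitiatedBy.app.displayName),
             ActorIP   = tostring(InitiatedBy.user.ipAddress)
    | project ReenabledAt = TimeGenerated, TargetUPN, ActorUPN, ActorApp, ActorIP, CorrelationId;
reenabled
// Left outer join so a re-enable with no sign-ins yet still alerts
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend TargetUPN = tolower(UserPrincipalName)
    | project SigninAt = TimeGenerated, TargetUPN, IPAddress, AppDisplayName,
              ResultType, ResultDescription
  ) on TargetUPN
// Keep only sign-ins that happened after the account came back to life
| where isnull(SigninAt) or SigninAt >= ReenabledAt
| project ReenabledAt, TargetUPN, ActorUPN, ActorApp, ActorIP, CorrelationId,
          SigninAt, IPAddress, AppDisplayName, ResultType, ResultDescription
| sort by ReenabledAt desc, SigninAt asc
```

When ActorUPN is empty and ActorApp is populated, the change came through an application or service principal rather than an interactive administrator, which is worth treating as a stronger signal of misuse; the CorrelationId can be used to pull the full AuditLogs record for that change.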