Microsoft Entra Workload ID - Incident Response with Microsoft Sentinel Playbooks and Conditional Access
This technical guide details the incident response process for compromised Microsoft Entra Workload Identities. It covers using Microsoft Sentinel playbooks to trigger actions such as disabling a service principal or confirming it as compromised via the Microsoft Graph API, and discusses entity mapping, token revocation via Continuous Access Evaluation (CAE), and implementing conditional logic within security automation workflows.