Respond module actions
Once you have configured the Respond module with rules, Respond will alert you when these rules are triggered. This article covers what actions can be taken in a rule.
1. Block Sign In
This action will disable access to a Microsoft 365 / Azure AD account by blocking the account from signing in.
If Respond blocks a user from having sign-in access to Microsoft 365, it might take as long as 24 hours to take effect on all that user’s devices and clients. If you need to immediately prevent a user's sign-in access you must Expire Account Logins and reset their password.
These three Respond actions work well together: Block Sign In, Reset User Password, and Expire Account Logins to sign the user out of all apps and sessions.
2. Force User to Change Password on Next Sign In
This will force a mandatory password change and the end user will have to change the password in the next sign-in.
IMPORTANT Users do not get an email notification that their password needs to be changed.
3. Expire Account Logins
This will initiate a one time event that will sign the user out of all Microsoft 365 sessions.
IMPORTANT This action can take up to 15 minutes for process to complete. This user will be able to immediately sign back in, unless you have also blocked their sign-in status.
4. Reset User Password
This action will perform the following steps:
- SaaS Alerts will generate a new password for the user.
- SaaS Alerts will send that password to the SMS numbers configured in the rule (usually the MSP Admin creating the rule).
- A Change User Password action will be triggered forcing a mandatory password change in next sign-in.
5. Setup User MFA
When this rule is triggered, it will generate a notification to the SMS numbers configured in the rule (usually the MSP Admin creating the rule) with a link to Microsoft 365 to enable multifactor authentication (MFA). Below is the complete list of steps to follow:
- In the admin center, select Users and Active Users.
- In the Active Users section, click multi-factor authentication.
- On the Multi-factor authentication page, select user.
- Click Enable under Quick Steps.
- In the pop-up window, click Enable Multi-Factor Authentication.
IMPORTANT You must be a Microsoft 365 global admin to set up or modify multi-factor authentication.
6. Delete User
This will delete a specific account in the Microsoft 365 admin center User Management page after the rule conditions are met.
IMPORTANT Don't delete the account if you've set up email forwarding or converted it to a shared mailbox. Both need the account to anchor the forwarding or shared mailbox.
NOTE When you delete a user, the account becomes inactive for approximately 30 days. You have until then to restore the account before it is permanently deleted.
7. Alert Only
When setting your rule action to Alert Only, this will generate an alert notification and no remediation will take action after the rule trigger. In other words, the Alert Only setting is required when no other actions will be applied to any applications. This can be used to test new rules for any application or can be left as permanent configuration for applications with limited API where actions are not currently available to perform.
IMPORTANT When wanting to set one application to Alert Only and have actions for another application, Alert Only should not be used.
NOTE Including the application in the rule configuration will be sufficient. When the rule criteria is met for the application with no actions set, the rule will trigger just like Alert Only.