Module 13 · Azure Incident Response

Manish Garg Associate of (ISC)² · RingSafe
Apr 27, 2026

Last updated: April 29, 2026


Module 7 (Blue Team) covered IR generally. These are the Azure-specific actions.


Compromised account playbook

  1. Disable user account in Entra ID
  2. Revoke active sessions and refresh tokens (Revoke-AzureADUserAllRefreshToken)
  3. Reset password
  4. Review AD audit logs for the user (last 30 days)
  5. Check for created service principals or app registrations
  6. Review M365 mailbox forwarding rules
  7. Review consent grants
  8. Re-enable with new MFA after investigation
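
The containment steps (1 to 3) and the evidence-gathering steps (5 to 7) of the playbook above, as one responder script. This is an added example, not part of the original module: it uses the AzureAD module that the playbook's cmdlet comes from (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell) plus ExchangeOnlineManagement. The `Save-Evidence` helper, the parameter names and the output folder are assumptions made for illustration.

```powershell
# Added example: contain one compromised user, then export evidence for review.
# Assumes Windows PowerShell 5.1 with the AzureAD and ExchangeOnlineManagement
# modules installed, and a responder account holding the required admin roles.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # the affected account's UPN
    [string] $OutDir = ".\ir-$(Get-Date -Format yyyyMMdd-HHmmss)"   # hypothetical evidence folder
)
$ErrorActionPreference = 'Stop'   # stop on the first failed step instead of continuing blind

Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Hypothetical helper: write whatever is piped in to <OutDir>\<Name>.json
function Save-Evidence([string] $Name) {
    $input | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $OutDir "$Name.json")
}

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# Step 1: disable the account
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# Step 2: revoke refresh tokens so existing sessions cannot be silently renewed
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# Step 3: reset the password (the responder types a temporary one; it is never logged)
$tempPw = Read-Host -AsSecureString -Prompt "Temporary password for $UserPrincipalName"
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $tempPw -ForceChangePasswordNextLogin $true

# Step 5: directory objects this user created (app registrations, service principals, ...)
Get-AzureADUserCreatedObject -ObjectId $user.ObjectId -All $true |
    Select-Object ObjectType, DisplayName, ObjectId, AppId |
    Save-Evidence 'created-objects'

# Step 6: inbox rules that forward or redirect mail, plus mailbox-level forwarding
Get-InboxRule -Mailbox $UserPrincipalName |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Save-Evidence 'inbox-forwarding-rules'
Get-Mailbox -Identity $UserPrincipalName |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Save-Evidence 'mailbox-forwarding'

# Step 7: delegated OAuth2 permission grants (consents) made for this user
Get-AzureADUserOAuth2PermissionGrant -ObjectId $user.ObjectId -All $true |
    Select-Object ClientId, ResourceId, Scope, ConsentType |
    Save-Evidence 'consent-grants'
```

Steps 4 and 8 (the 30-day audit log review and re-enabling with new MFA) are left as manual steps; the exported JSON files are inputs to that review.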