
Azure AD - Get Blocked Sign-Ins

Workflow #0035

This workflow queries the Azure AD sign-in log for sign-ins that were blocked because the account was locked out (Azure AD error code 50053). Note that 50053 is the generic lockout code, so it also covers sign-ins that Azure AD blocked because they came from an IP address showing malicious activity; treat the report as a lockout summary, not proof of a credential attack. If any events are found, the attempts are aggregated and a Webex Teams message is sent. Required Graph API permissions: AuditLog.Read.All and Directory.Read.All.

Note: This workflow requires an Azure Active Directory Premium license.

Change Log

Date Notes
Jun 29, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Webex Teams - Post Message to Room
    • Webex Teams - Search for Room
  • The following atomic actions must be imported before you can import this workflow: none listed
  • The targets and account keys listed below
  • (Optional) A Webex Teams access token and the name of the room to post messages to
  • Microsoft Azure Active Directory (with a Premium license; the sign-in log is not exposed through the Graph API without one)
  • A Microsoft Azure App Registration granted the AuditLog.Read.All and Directory.Read.All Graph API permissions (application permissions with admin consent, since the workflow authenticates with a client ID and secret rather than as a user)

Workflow Steps

  1. Fetch global variables
  2. Get an access token for the Graph API
  3. Calculate and format the start date
  4. Fetch sign-in events with error code 50053 created after the start date
  5. Check if the request was successful:
    • If not, return an error message
    • If it was, aggregate the events and post a Webex Teams message
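The steps above, written out as a stand-alone Python script. This is an added example and not the workflow's own code: it assumes the workflow filters the `/v1.0/auditLogs/signIns` endpoint on `status/errorCode eq 50053` and a `createdDateTime` lower bound, obtains its token with the OAuth2 client-credentials grant, and posts to the Webex room found by title. The tenant, app and room values are placeholders, and `SAMPLE_EVENTS` is a constructed sample shaped like Graph `signIn` objects so the aggregation can run offline.

```python
"""Added example: steps of the Azure AD 'Get Blocked Sign-Ins' workflow in Python.
Assumptions (not from the page): the Graph filter expression, the token grant,
and the Webex room lookup by title. Hosts come from the page's target table."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GRAPH_HOST = "https://graph.microsoft.com/v1.0"   # target "Microsoft Graph"
TOKEN_HOST = "https://login.microsoftonline.com"  # target "Microsoft Graph Token"
WEBEX_HOST = "https://webexapis.com"              # target "Webex Teams"
LOCKED_OUT = 50053                                # error code named on the page


def start_time(hours_to_check, now_epoch=None):
    """Step 3: UTC timestamp `hours_to_check` hours ago, in the format Graph filters accept."""
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc) if now_epoch else datetime.now(timezone.utc)
    return (now - timedelta(hours=hours_to_check)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_filter(start, error_code=LOCKED_OUT):
    """OData filter for sign-ins with `error_code` created at or after `start` (assumed syntax)."""
    return f"status/errorCode eq {error_code} and createdDateTime ge {start}"


def get_token(tenant_id, client_id, client_secret):
    """Step 2: client-credentials token. The workflow stores the same client ID/secret
    as an HTTP Basic account key; here they are sent in the request body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(f"{TOKEN_HOST}/{tenant_id}/oauth2/v2.0/token", data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_sign_ins(token, odata_filter):
    """Step 4: page through /auditLogs/signIns; an HTTP error propagates (step 5, failure branch)."""
    url = f"{GRAPH_HOST}/auditLogs/signIns?" + urllib.parse.urlencode({"$filter": odata_filter})
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # Graph pages large results
    return events


def aggregate(events):
    """Step 5, success branch: attempts per user with distinct source IPs and last seen time."""
    per_user = defaultdict(lambda: {"count": 0, "ips": set(), "last": ""})
    for e in events:
        row = per_user[e.get("userPrincipalName", "<unknown>")]
        row["count"] += 1
        if e.get("ipAddress"):
            row["ips"].add(e["ipAddress"])
        row["last"] = max(row["last"], e.get("createdDateTime", ""))  # ISO-8601 Z sorts lexically
    return dict(per_user)


def format_message(summary, hours):
    """Markdown body for the Webex message; busiest accounts first."""
    if not summary:
        return f"No locked-out sign-ins (error {LOCKED_OUT}) in the last {hours} hours."
    lines = [f"**Locked-out sign-ins (error {LOCKED_OUT}) in the last {hours} hours:**"]
    for upn, row in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"- {upn}: {row['count']} attempt(s) from {', '.join(sorted(row['ips']))} (last {row['last']})")
    return "\n".join(lines)


def post_to_webex(access_token, room_title, markdown):
    """Search for the room by title, then post; mirrors the two Webex system atomics."""
    hdr = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(f"{WEBEX_HOST}/v1/rooms", headers=hdr)) as resp:
        room_id = next(r["id"] for r in json.load(resp)["items"] if r["title"] == room_title)
    body = json.dumps({"roomId": room_id, "markdown": markdown}).encode()
    req = urllib.request.Request(f"{WEBEX_HOST}/v1/messages", data=body, headers=hdr, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


SAMPLE_EVENTS = [  # constructed sample, not real log data
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.5",
     "createdDateTime": "2021-09-10T08:01:00Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.6",
     "createdDateTime": "2021-09-10T08:04:30Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.9",
     "createdDateTime": "2021-09-10T09:15:00Z", "status": {"errorCode": 50053}},
]

if __name__ == "__main__":
    # Offline run on the sample. For a live run replace SAMPLE_EVENTS with
    # fetch_sign_ins(get_token(TENANT, CLIENT_ID, SECRET), build_filter(start_time(24)))
    # and hand the message to post_to_webex(WEBEX_TOKEN, "SOC Alerts", ...).
    print(format_message(aggregate(SAMPLE_EVENTS), 24))
```

The aggregation keys on `userPrincipalName` and keeps the set of source IPs, which is what distinguishes one user mistyping a password from a spray against that account from many addresses; the workflow's own aggregation step is not described in more detail on this page.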

Configuration

  • If you want the workflow to run on a schedule, create a schedule and then add it as a trigger within the workflow
  • Set the Azure Tenant ID local variable to the Azure tenant to run the report for
  • Set the Hours to Check local variable to how many hours back the workflow should look for events (default: 24 hours). If you run the workflow on a schedule, make sure the schedule's interval matches this window: a longer interval leaves gaps in coverage, a shorter one reports the same lockouts more than once
  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

Target Name            Type           Details                          Account Keys         Notes
Microsoft Graph        HTTP Endpoint  Protocol: HTTPS                  None
                                      Host: graph.microsoft.com
                                      Path: /v1.0
Microsoft Graph Token  HTTP Endpoint  Protocol: HTTPS                  Microsoft Graph API
                                      Host: login.microsoftonline.com
                                      Path: None
Webex Teams            HTTP Endpoint  Protocol: HTTPS                  None                 Not necessary if Webex Teams activities are removed
                                      Host: webexapis.com
                                      Path: None

Account Keys

Account Key Name     Type                       Details                  Notes
Microsoft Graph API  HTTP Basic Authentication  Username: Client ID
                                                Password: Client Secret