Azure AD - Get Blocked Sign-Ins
Workflow #0035
This workflow checks for sign-ins that were blocked because the account was locked out in Microsoft Azure (error code 50053). If any results are found, the attempts are aggregated and a Webex message is sent. Required Graph API permissions: AuditLog.Read.All, Directory.Read.All
Note: This workflow requires an Azure Active Directory Premium license.
Change Log
Date | Notes |
---|---|
Jun 29, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - Microsoft Graph - Get Access Token (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- (Optional) Cisco Webex
- Microsoft Azure Active Directory (with a premium license)
- Microsoft Azure App Registration with AuditLog.Read.All and Directory.Read.All API permissions
Workflow Steps
- Fetch global variables
- Get an access token for the Graph API
- Calculate and format the start date
- Fetch sign in events
- Check if the request was successful:
  - If not, return an error message
  - If it was, aggregate the events and post a Webex message
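The date calculation, fetch filter and aggregation steps above, sketched in Python as an added example (this is not the workflow's own logic). The `/auditLogs/signIns` path, the OData filter, the event field names and the per-user/IP grouping are assumptions based on the Graph signIn resource, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # host and path from the Targets table
LOCKED_OUT = 50053  # error code this workflow reports on


def build_signin_url(hours_to_check=24, now=None):
    """Return the signIns URL filtered to lockout failures in the look-back window."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(hours=hours_to_check)).strftime("%Y-%m-%dT%H:%M:%SZ")
    odata = f"status/errorCode eq {LOCKED_OUT} and createdDateTime ge {start}"
    return f"{GRAPH_BASE}/auditLogs/signIns?$filter={quote(odata)}"


def aggregate_blocked(events):
    """Count blocked attempts per (user, source IP), busiest first."""
    counts = Counter()
    for ev in events:
        # Re-check the code client-side so unfiltered input is never reported.
        if (ev.get("status") or {}).get("errorCode") != LOCKED_OUT:
            continue
        key = (ev.get("userPrincipalName") or "unknown", ev.get("ipAddress") or "unknown")
        counts[key] += 1
    return counts.most_common()


def format_message(rows, hours_to_check=24):
    """Render the aggregate as Markdown text; empty string means nothing to send."""
    if not rows:
        return ""
    lines = [f"**Blocked sign-ins (error {LOCKED_OUT}) in the last {hours_to_check}h**"]
    lines += [f"- {user} from {ip}: {n} attempt(s)" for (user, ip), n in rows]
    return "\n".join(lines)


# Constructed sample events in the shape of the "value" array of a signIns response.
SAMPLE = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50053}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.9", "status": {"errorCode": 50053}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50053}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    print(build_signin_url(24))
    print(format_message(aggregate_blocked(SAMPLE)))
```

Grouping by source IP as well as user helps separate one user mistyping a password from a single address hitting many accounts.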
Configuration
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- Set the Azure Tenant ID local variable to the Azure tenant to run the report for
- Set the Hours to Check to how many hours ago you want the workflow to look for events (default: 24 hours). If you’re using a schedule to run this workflow, make sure the schedule’s interval matches this timeframe
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Microsoft Graph | HTTP Endpoint | Protocol: HTTPS; Host: graph.microsoft.com; Path: /v1.0 | None | |
Microsoft Graph Token | HTTP Endpoint | Protocol: HTTPS; Host: login.microsoftonline.com; Path: None | Microsoft Graph API | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Microsoft Graph API | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | |