Response Actions are write operations that let you contain a threat directly from inside RAIDEN, without opening a separate Microsoft admin portal. They cover the most time-critical containment steps: cutting off active sessions, disabling an account, blocking further access via Conditional Access, and cleaning up malicious inbox rules.
Response Actions can be triggered manually by clicking the button in the case, or automatically if you enable automation in Settings → Automation. Automated actions are off by default — you choose what RAIDEN is permitted to do on its own and can disable it at any time.

Available actions

Revoke all active sessions

Immediately invalidates all active login sessions for the selected user. The user is signed out of every device and application connected to your M365 tenant. Use this as your first containment step when you suspect an account has been compromised. It forces the attacker out while you investigate further.

| Detail | Value |
| --- | --- |
| Permission used | User.RevokeSessions.All |
| Effect | Signs the user out of all active sessions immediately |
| Reversible | Yes — the user can sign back in with their credentials |

Disable account

Prevents the user from signing in entirely. Unlike revoking sessions, disabling the account stops any new authentication attempts until the account is re-enabled.

| Detail | Value |
| --- | --- |
| Permission used | User.EnableDisableAccount.All |
| Effect | Blocks all sign-in attempts for the account |
| Reversible | Yes — use Re-enable account when ready |

Re-enable account

Restores sign-in access for a previously disabled account. Use this once you have confirmed the threat is resolved and the account is safe to hand back to the user.

| Detail | Value |
| --- | --- |
| Permission used | User.EnableDisableAccount.All |
| Effect | Restores sign-in access |
| Reversible | Yes — you can disable again at any time |

Create Conditional Access block policy

Creates a Conditional Access policy in your M365 tenant that blocks the targeted user from signing in. This is a persistent block that remains in place until you remove the policy from your Azure AD / Entra ID admin centre.
This action creates a real policy in your Microsoft tenant. To remove it, go to your Entra ID admin centre and delete the policy from the Conditional Access section.

| Detail | Value |
| --- | --- |
| Permission used | Policy.ReadWrite.ConditionalAccess |
| Effect | Creates a persistent sign-in block policy in Entra ID |
| Reversible | Yes — delete the policy from Entra ID |

Read and delete inbox rules

Reads and removes malicious inbox rules from the user’s mailbox. Attackers commonly create inbox rules to forward emails to external addresses or hide security alerts from the compromised user.

| Detail | Value |
| --- | --- |
| Permission used | MailboxSettings.ReadWrite |
| Effect | Reads existing inbox rules and deletes selected ones |
| Reversible | No — deleted rules cannot be recovered through RAIDEN |

Review the inbox rules listed before deleting. Deleted inbox rules cannot be restored through RAIDEN.
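
As an added example (not RAIDEN's code or detection logic), the following Python triages inbox rules in the shape of Microsoft Graph's messageRule resource and flags the two patterns described above: forwarding to external addresses and hiding security alerts. The tenant domain, keyword list and sample rules are constructed assumptions.

```python
# Added example, not RAIDEN's code. Input follows the Microsoft Graph
# messageRule shape; domains, keywords and sample rules are assumptions.
TENANT_DOMAINS = {"contoso.example"}            # assumption: your accepted domains
ALERT_KEYWORDS = ("security", "alert", "sign-in")  # assumption: alert wording
FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_KEYS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")
MATCH_KEYS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")

def forward_targets(actions):
    """Addresses the rule forwards or redirects mail to, lower-cased."""
    return [
        rcpt["emailAddress"]["address"].lower()
        for key in FORWARD_KEYS
        for rcpt in actions.get(key) or []
        if (rcpt.get("emailAddress") or {}).get("address")
    ]

def triage_rule(rule):
    """Reasons a rule needs review before deletion; empty list if none."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    for addr in forward_targets(actions):
        # Exact match on the domain; subdomains count as external here.
        if addr.rpartition("@")[2] not in TENANT_DOMAINS:
            reasons.append(f"forwards to external address {addr}")
    phrases = [p.lower() for k in MATCH_KEYS for p in conditions.get(k) or []]
    hits = sorted({kw for kw in ALERT_KEYWORDS for p in phrases if kw in p})
    if hits and any(actions.get(k) for k in HIDE_KEYS):
        reasons.append("hides mail matching: " + ", ".join(hits))
    return reasons

SAMPLE_RULES = [  # constructed sample data, not from a real mailbox
    {"id": "r1", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "folder-id-placeholder"}},
    {"id": "r2", "displayName": "..",
     "actions": {"forwardTo": [{"emailAddress": {"address": "Drop@mailbox.example"}}]}},
    {"id": "r3", "displayName": "x",
     "conditions": {"subjectContains": ["Security alert", "Unusual sign-in"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"id": "r4", "displayName": "To assistant",
     "actions": {"forwardTo": [{"emailAddress": {"address": "pa@contoso.example"}}]}},
]

def review(rules):
    """Map rule id -> reasons, for flagged rules only."""
    return {r["id"]: why for r in rules if (why := triage_rule(r))}
```

Rules that come back unflagged, such as the newsletter filter and the internal forward in the sample, are the ones most likely to be legitimate user rules and worth leaving in place.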

How to use Response Actions

Response Actions are available in the Remediation panel inside a case view.

1. Open the case
   Go to Cases and open the case you are investigating.

2. Find the Remediation panel
   Scroll to the Remediation panel within the case view.

3. Review the recommended actions
   Read the Recommended Actions listed for the case. These are written in plain language and tell you which response actions are most appropriate for this specific threat.

4. Click the action button
   Click the button for the action you want to take. RAIDEN will execute it immediately against your Microsoft 365 tenant.

5. Document in Case Notes
   Record what action you took and when using Case Notes. This creates an audit trail for the investigation.

These permissions are requested during initial setup so they are available when needed. By default they are only exercised when you click a button. If you enable automation in Settings → Automation, RAIDEN may also invoke them automatically for high-confidence detections — automated actions are off by default and fully configurable.