Microsoft Defender for identity auto disable user account.

Question

Microsoft Defender for identity auto disable user account.

brichardi 336

Hello,

Recently, we are experiencing a lot of user accounts being automatically disable by Microsoft Defender for Identity when they authenticated by Exchange Online. Somehow, Defender think the user's accounts being attacked, and just disabled users account. We are not able to pinpoint the policy which cause this issue.

Any suggestion on how to fix this issue is greatly appreciated.

Navya 16,455 Reputation points Microsoft External Staff

2025-02-11T08:42:36.5666667+00:00

Hi @brichardi

Thank you for posting this in Microsoft Q&A.

I understand you are experiencing a lot of user accounts being automatically disable by Microsoft Defender for Identity when they authenticated by Exchange Online.

Microsoft Defender for Identity allows you to respond to compromised users by disabling their accounts or resetting their password.

To perform remediation actions in Microsoft Defender for Identity please follow steps which mentioned in this document: https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions

Hope this helps. Do let us know if you any further queries.
Navya 16,455 Reputation points Microsoft External Staff

2025-02-14T08:58:26.1933333+00:00

Hi @brichardi

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 16,455 Reputation points Microsoft External Staff

2025-02-18T04:10:24.0866667+00:00

Hi @brichardi

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
brichardi 336 Reputation points

2025-02-19T19:50:59.88+00:00

Hi Navya,

I think you misunderstood my question. My question is what trigger Microsoft Defender for Identity auto isolate users when they logon to Exchange online. I need to to get the root cause of this issue to prevent this from happening, because a large number of our users get their account auto isolated just for log on to Exchange Online.

1 answer

Your answer

Navya 16,455 Reputation points Microsoft External Staff

2025-02-11T08:42:36.5666667+00:00

Hi @brichardi

Thank you for posting this in Microsoft Q&A.

I understand you are experiencing a lot of user accounts being automatically disable by Microsoft Defender for Identity when they authenticated by Exchange Online.

Microsoft Defender for Identity allows you to respond to compromised users by disabling their accounts or resetting their password.

To perform remediation actions in Microsoft Defender for Identity please follow steps which mentioned in this document: https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions

Hope this helps. Do let us know if you any further queries.
Navya 16,455 Reputation points Microsoft External Staff

2025-02-14T08:58:26.1933333+00:00

Hi @brichardi

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 16,455 Reputation points Microsoft External Staff

2025-02-18T04:10:24.0866667+00:00

Hi @brichardi

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
brichardi 336 Reputation points

2025-02-19T19:50:59.88+00:00

Hi Navya,

I think you misunderstood my question. My question is what trigger Microsoft Defender for Identity auto isolate users when they logon to Exchange online. I need to to get the root cause of this issue to prevent this from happening, because a large number of our users get their account auto isolated just for log on to Exchange Online.

Answer 1

Hi @brichardi ,

During my research, I came across a scenario that seems similar to yours here

Here is what I would recommend to further analyze what is causing the use lockouts in AD:

sign-in logs to see if there are any related entries that might indicate why these accounts are being disabled.
Audit logs in Compliance Center. these contain entries for various administrative changes in your environment.
Review your Conditional Access policies and any other security configurations that could impact user accounts.
Look out for any cached passwords - especially if there was a recent password change.

Share via

Microsoft Defender for identity auto disable user account.

1 answer

Your answer