Microsoft 365 administrators can now be excluded from the automatic workflow to block detected compromised accounts

A compromised account is one of the most severe security incidents out there and it needs to be handled swiftly. For this reason we recently released the new workflow to automatically block compromised accounts.

While the best practice is to automatically block every compromised account, some organizations prefer that if a Microsoft 365 administrator is detected as compromised, it will be blocked only after a security administrator reviews the incident. This approach is meant to prevent cases where the organization has only a limited amount of administrators, and blocking one of them might harm smooth business continuity.

Avanan now includes a granular setting for whether or not Microsoft administrators are automatically blocked when detected as compromised.

To enable the automatic blocking of compromised Microsoft 365 administrators, go to Configuration -> Security Engines -> Anomaly Detection -> Configure -> Compromised Microsoft administrators and select Automatically block admin.

Note – this feature is being deployed gradually. You should see it in your portal in the next 7 days.