Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Microsoft 365 Security · Download

Microsoft Security Operations Playbook

A playbook of specific response actions for common Microsoft 365 security incident scenarios.

IT KORR Knowledge Center

Microsoft Security Operations Playbook

A playbook of specific response actions for common Microsoft 365 security incident scenarios.

Scenario: Compromised User Account

  • Disable sign-in immediately.
  • Revoke all active session tokens.
  • Require password reset with identity verification.
  • Review mailbox rules and forwarding for persistence mechanisms.

Scenario: Compromised Device

  • Isolate the device via Defender for Endpoint.
  • Review Defender XDR incident for related indicators on other devices.
  • Preserve forensic state before remediation.

Scenario: Phishing Campaign in Progress

  • Purge the malicious message across all reached mailboxes.
  • Block the sender domain.
  • Identify and remediate any users who interacted with the message.

Related Resources

  • Microsoft 365 Incident Response — /knowledge-center/cloud-productivity/microsoft-365-security/microsoft-365-incident-response

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual tenant configuration before adoption — see the full Microsoft 365 Security & Entra ID Hub for the reasoning behind each recommendation.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT