3. Remove the account from admin roles
Next, we may want to remove the account from any admin roles. It's good practice to keep the account out of admin roles temporarily, until you are 100% sure the hacker can no longer access the compromised account.
1. Go to Microsoft 365 admin center > Users > Active Users.
2. Search for the user you want to reset the password for. Click the Display name of the account. Click Manage roles > User (no admin center access) > Save changes.
4. Re-enroll in MFA
If you have MFA enabled for the user, you may want to re-enroll the devices, or at least review the devices and make sure they are the user's devices.
In short, once a malicious user has access to the user's Microsoft 365 account, they can enroll their own devices and possibly reset the password after you've changed it. So go to the user's MFA authentication methods, sit down with the user, and ask whether each authentication method is theirs.
1. Go to Azure Active Directory > Users. Search for the user, then click the user's display name.
2. Click Authentication methods, then view the user's authentication methods.
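The review in step 4 can be ordered so the most suspicious methods are raised with the user first. This is an added example, not part of the original article: it assumes an export in the JSON shape returned by Microsoft Graph for GET /users/{id}/authentication/methods, uses a constructed sample, and the helper names and the compromise time are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# for GET /users/{id}/authentication/methods. Not real data.
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod",
     "id": "pw-0001", "createdDateTime": "2024-03-04T10:02:00Z"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "id": "auth-0001", "displayName": "Pixel 7",
     "createdDateTime": "2023-06-11T08:30:00Z"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "id": "auth-0002", "displayName": "SM-G991B",
     "createdDateTime": "2024-03-02T23:47:12Z"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
     "id": "phone-0001", "phoneNumber": "+1 5555550100", "phoneType": "mobile"},
]

PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"


def parse_graph_time(value):
    """Parse a Graph UTC timestamp such as 2024-03-02T23:47:12Z."""
    # Keep only whole seconds so fractional digits and the trailing Z are ignored.
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def triage_auth_methods(methods, suspected_compromise):
    """Return (priority, id, label, reason) rows, most suspicious first."""
    rows = []
    for m in methods:
        kind = m.get("@odata.type", "")
        if kind == PASSWORD_TYPE:
            continue  # the password is covered by the reset, not by this review
        label = m.get("displayName") or m.get("phoneNumber") or kind
        created = m.get("createdDateTime")
        if created is None:
            # Some method types carry no timestamp: never treat that as safe.
            rows.append((2, m["id"], label, "no registration time in response"))
        elif parse_graph_time(created) >= suspected_compromise:
            rows.append((1, m["id"], label, "registered after suspected compromise"))
        else:
            rows.append((3, m["id"], label, "registered before suspected compromise"))
    return sorted(rows)


if __name__ == "__main__":
    cutoff = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed compromise time
    for row in triage_auth_methods(SAMPLE_METHODS, cutoff):
        print(*row, sep=" | ")
```

Every row is still confirmed with the user; the priority only decides which method to ask about first.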
5. Check for enterprise apps authorized for the user
Another way a malicious actor may retain access to your user's Microsoft 365 account is through enterprise apps. In short, once a person has access to the account, they may register the user for a malicious enterprise app that the hacker can use to retain access to the account after the password reset. So we'll need to review the registered apps for the user.