Issue
Why are Red Canary and its Red Canary + Azure AD Response Actions Enterprise App asking for additional permissions when using Entra ID Response Actions in playbooks?
Environment
Red Canary Automation
Entra ID Response Actions
Hybrid AD Environment
Entra ID
On-prem Active Directory
Microsoft Entra Connect
Resolution
Red Canary has introduced new response actions available to organizations using Entra ID (formerly Azure Active Directory) as their Identity Provider. As a result, there are new permission requirements to support these new playbook actions. To view and resolve the permissions issue:
- Go to Enterprise Applications in the Azure Portal.
- Click into the Security → Permissions tab, then click the “Grant admin consent” button.
- Microsoft will ask you to log in again (regardless of your logged-in status). Make sure to log in with a user that has Global Administrator permissions.
- You will be prompted to grant permissions to the Red Canary + Azure AD Response Actions application owned by Red Canary, Inc. Accept the permissions.
Alternatively, a Global Administrator can grant the missing permissions by clicking this consent link.
Permission Changes Explained
Old permissions:
- Directory.ReadWrite.All
- IdentityRiskyUser.ReadWrite.All
- User.ReadWrite.All
- UserAuthenticationMethod.ReadWrite.All
New permissions:
- Directory.ReadWrite.All
- IdentityRiskyUser.ReadWrite.All
- SecurityIdentitiesAccount.Read.All
- SecurityIdentitiesActions.ReadWrite.All
- User-PasswordProfile.ReadWrite.All
- User.ReadWrite.All
- UserAuthenticationMethod.ReadWrite.All
Why are the new permissions needed?
- User-PasswordProfile.ReadWrite.All allows us to reset user passwords via the API. This permission change is part of the Reset Password Entra ID response action released in June 2025.
- SecurityIdentitiesActions.ReadWrite.All allows us to read the Security Identity Accounts endpoint within the Graph Security API (which returns the Security Identity Accounts, a roll-up of all the accounts Entra knows about) and to disable / enable users within on-prem Active Directory via Microsoft Defender for Identity.
- SecurityIdentitiesAccount.Read.All allows us to read the Security Identity Accounts.
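An added example, not Red Canary's code: a Python check that compares what Microsoft Graph reports as granted to the enterprise app against the seven permissions in the "New permissions" list and reports which are still missing or unexpected. It assumes the permissions are granted as application permissions (app roles) on Microsoft Graph; the sample responses and every id in them are constructed placeholders.

```python
import json

# Names from the "New permissions" list (Graph spells the first Directory.ReadWrite.All).
REQUIRED = {
    "Directory.ReadWrite.All",
    "IdentityRiskyUser.ReadWrite.All",
    "SecurityIdentitiesAccount.Read.All",
    "SecurityIdentitiesActions.ReadWrite.All",
    "User-PasswordProfile.ReadWrite.All",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
}
OLD = ["Directory.ReadWrite.All", "IdentityRiskyUser.ReadWrite.All",
       "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"]

def audit_grants(graph_sp_json, assignments_json, required=REQUIRED):
    """Return (missing, unexpected) permission names for one enterprise app.

    graph_sp_json:    GET /servicePrincipals/{graph-sp-id}?$select=id,appRoles
    assignments_json: GET /servicePrincipals/{app-sp-id}/appRoleAssignments
                      (all pages already merged into one "value" array)
    """
    graph_sp = json.loads(graph_sp_json)
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted = set()
    for grant in json.loads(assignments_json)["value"]:
        if grant["resourceId"] != graph_sp["id"]:
            continue  # app role on another API, not Microsoft Graph
        # Keep unresolvable role ids visible instead of dropping them.
        role_id = grant["appRoleId"]
        granted.add(role_names.get(role_id, "unknown:" + role_id))
    return sorted(required - granted), sorted(granted - required)

# Constructed sample data: every id below is a placeholder, not a real Graph id.
GRAPH_SP_ID = "graph-sp-placeholder"
ROLE_ID = {name: "00000000-0000-0000-0000-%012d" % n
           for n, name in enumerate(sorted(REQUIRED), 1)}
SAMPLE_GRAPH_SP = json.dumps({
    "id": GRAPH_SP_ID,
    "appRoles": [{"id": rid, "value": name} for name, rid in ROLE_ID.items()],
})
# An app consented before the change holds only the four "Old permissions".
SAMPLE_ASSIGNMENTS = json.dumps({"value": [
    {"resourceId": GRAPH_SP_ID, "appRoleId": ROLE_ID[name]} for name in OLD
]})

if __name__ == "__main__":
    missing, unexpected = audit_grants(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An empty "missing" list after admin consent indicates the app holds the full set; anything under "unexpected" is a grant beyond the documented list and worth reviewing.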
Cause
In March 2026, Red Canary updated the Microsoft Entra ID Suspend User response action to include the ability to remediate compromised identities directly at the Domain Controller (DC) level in hybrid AD environments. As part of these changes, new permissions were required for the Red Canary + Azure AD Response Actions Enterprise Application, which facilitates the API connection.
If your app was created in your Azure tenant prior to these changes, the app may not have the new permission set, and the permissions will need to be granted manually using the steps above or by clicking this consent link as a Global Administrator.