
Microsoft 365 incident response runbook

A structured incident response runbook for Microsoft 365 — detection, triage, containment, eradication, recovery, lessons.

An incident response runbook for Microsoft 365 is essential preparation for the day something bad happens — confirmed account compromise, suspected data exfiltration, ransomware, business email compromise. The runbook isn't a long document; it's a clear, step-by-step procedure that lets responders act fast without inventing process during a crisis.

The phases

Incident response in Microsoft 365 follows the standard SANS model — detection, triage, containment, eradication, recovery, lessons learned — with Microsoft-specific tooling at each phase.

Detection

How incidents surface:

  • Defender XDR alerts — automatic detection from Defender for Office 365, Endpoint, Identity, Cloud Apps.
  • User reports — "I think my account was hacked" via the IT support channel.
  • External notification — partner or customer reports unusual email from a colleague.
  • SIEM correlation — Microsoft Sentinel cross-source correlation.
  • Audit log review — proactive hunting.

For high-fidelity sources (Defender XDR), automatic escalation to the SOC team is the right pattern. For user reports, a clear "report a security issue" path matters.

Triage

When an incident is reported, decide severity and scope quickly:

  • Severity 1 — confirmed widespread compromise, ransomware in progress, major data exfiltration. All-hands response.
  • Severity 2 — single confirmed compromise, contained but real impact. Standard response team.
  • Severity 3 — suspicious activity, investigation needed. Single analyst.
  • Severity 4 — informational, low confidence. Routine log review.

The triage call decides the resource allocation and communication posture for what follows.

Containment

Cut the attacker's access. Standard Microsoft 365 actions:

  • Revoke session tokens for affected users — Revoke-MgUserSignInSession.
  • Disable user accounts that are confirmed compromised.
  • Reset passwords of affected users.
  • Reset MFA methods that may have been registered by the attacker.
  • Isolate devices via Defender for Endpoint.
  • Remove malicious OAuth consents the attacker granted.
  • Disable any newly created mailbox rules (forwarding rules are a classic attacker move).
  • Stop active sharing links if mass-share is part of the attack.

If Defender XDR Automatic Attack Disruption is enabled, much of this is automatic.
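An added example, not part of the original runbook, of the containment steps above scripted for one confirmed-compromised user with Microsoft Graph PowerShell and Exchange Online PowerShell. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and the operator holds the required admin roles; $Upn, $EvidenceDir and $MaliciousClientIds are placeholder parameters the responder supplies.

```powershell
# Added example, not from the original runbook: first-hour containment for one
# confirmed-compromised user. Assumes Microsoft.Graph and ExchangeOnlineManagement
# are installed and the operator holds the required admin roles.
param(
    [Parameter(Mandatory)] [string] $Upn,          # placeholder: the compromised user
    [string] $EvidenceDir = ".\ir-evidence",        # placeholder: where evidence is written
    [string[]] $MaliciousClientIds = @()            # app IDs confirmed malicious during triage
)

$scopes = @("User.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "UserAuthenticationMethod.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# 1. Preserve evidence before changing anything: every inbox rule, hidden ones included.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$rules | Export-Clixml "$EvidenceDir\$Upn-inboxrules-$stamp.xml"

# 2. Kill live sessions, then disable the account so no new token can be issued.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Disable rules that forward, redirect or silently delete mail (the classic BEC pattern).
foreach ($r in $rules) {
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage) {
        Write-Host "Disabling inbox rule '$($r.Name)'"
        Disable-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
    }
}

# 4. Clear mailbox-level forwarding, which lives outside inbox rules.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false

# 5. Record every OAuth consent the user granted, then remove the ones triage confirmed malicious.
$grants = Get-MgUserOauth2PermissionGrant -UserId $Upn -All
$grants | Select-Object Id, ClientId, Scope |
    Export-Csv "$EvidenceDir\$Upn-oauthgrants-$stamp.csv" -NoTypeInformation
foreach ($g in $grants | Where-Object { $MaliciousClientIds -contains $_.ClientId }) {
    Write-Host "Removing consent grant $($g.Id) for app $($g.ClientId)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 6. Snapshot registered MFA methods so attacker-added ones can be identified and removed.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties.'@odata.type' } } |
    Export-Csv "$EvidenceDir\$Upn-authmethods-$stamp.csv" -NoTypeInformation
```

The evidence files are written before any change is made, so the pre-containment state of rules, consents and MFA methods survives for the eradication and lessons-learned phases.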

Eradication

Remove the attacker's footholds:

  • Find every malicious artefact — files, scripts, scheduled tasks, accounts.
  • Hunt for similar patterns across the tenant — sometimes one compromised user is the visible tip of broader compromise.
  • Patch the entry point — if it was a phishing campaign, update DLP policies, move to phish-resistant MFA, refresh training.
  • Block the attacker's infrastructure — IPs, domains, file hashes.

Threat Explorer in Defender for Office 365 P2 and advanced hunting in Defender XDR are the right tools for tenant-wide hunting.

Recovery

Restore normal operations:

  • Re-enable users with new strong credentials and fresh MFA registration.
  • Recall malicious emails if they were sent — via Defender's Soft Delete action or automated investigation and response (AIR).
  • Restore from Microsoft 365 Backup if files were encrypted or destroyed.
  • Verify integrity of restored content.
  • Communicate to users that the incident is contained.

Lessons learned

Within 1–2 weeks after closure:

  • Root cause analysis — what specifically went wrong, what controls failed.
  • What worked — what should we keep doing.
  • What didn't work — gaps to close.
  • New controls — Conditional Access tightening, training updates, monitoring gaps.
  • Runbook updates — what would we do differently next time.

Without the lessons-learned discipline, the same incident happens again.

Communications

In every phase, communications matter:

  • Internal IT — clear channel for responders to coordinate.
  • Affected users — what happened, what they need to do.
  • Leadership — status updates appropriate to severity.
  • Customers / partners — if their data or interactions are affected.
  • Regulators — if notification requirements apply.

Pre-define templates for severity 1 / 2 / 3 communications. During an incident is not the time to draft from scratch.

Tabletop exercises

Quarterly tabletop exercises with the response team are how you find weaknesses without paying for real incidents:

  • Specific scenario — BEC, ransomware, insider threat.
  • Walk through the runbook — who does what, when.
  • Identify gaps — missing tooling, unclear roles, broken procedures.
  • Update the runbook based on findings.

Practice matters. A team that ran an exercise last quarter responds dramatically better than one that hasn't done so in years.