Auto-Remediation

Automatically detect and fix common issues across your M365 environment. Configure playbooks to respond to security alerts, compliance drift, and configuration issues without manual intervention.

Proactive Protection

Auto-remediation reduces response time from hours to seconds. When threats are detected, automated playbooks execute immediately while alerting technicians.

Dashboard

  • 156 issues remediated (last 30 days)
  • 12 active playbooks
  • 45s average response time
  • 98% success rate

Built-in Playbooks

Compromised User Response

Triggers on high-risk sign-in or user risk detection

Active

Actions:

  1. Block user sign-in immediately
  2. Revoke all active sessions (this invalidates refresh tokens and session cookies; access tokens already issued stay valid until they expire unless continuous access evaluation is enforced, which is why sign-in is blocked first)
  3. Reset password and require MFA re-registration
  4. Create ticket and notify SOC team

Device Non-Compliance

Triggers when device becomes non-compliant in Intune

Active

Actions:

  1. Send notification to device owner
  2. Force device sync after 4 hours
  3. If still non-compliant after 24h, block access
  4. Create ticket for IT review

Suspicious Mail Rule

Detects inbox rules forwarding to external addresses

Active

Actions:

  1. Disable the suspicious rule immediately
  2. Alert security team
  3. Check for other suspicious activity
  4. Notify user and manager
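The detection behind this playbook is the part worth understanding: which inbox rules actually move mail out of the tenant, and which of those carry the indicators of a business-email-compromise rule. The following is an added example, not the product's own detection code. It evaluates rules in the Microsoft Graph messageRule shape (as returned by GET /users/{id}/mailFolders/inbox/messageRules) against the tenant's accepted domains; the accepted-domain set and the four sample rules are constructed for the example. It goes a little beyond the playbook text by also checking forward-as-attachment and redirect actions, not just plain forwarding, and by scoring rules that hide the forwarded copy.

```python
"""Flag inbox rules that forward, forward-as-attachment or redirect mail outside
the tenant. Added illustration (not the product's code); rule objects follow the
Graph messageRule shape, sample data below is constructed."""

# Constructed: in production, load from Exchange accepted domains (Get-AcceptedDomain).
ACCEPTED_DOMAINS = {"contoso.com", "mail.contoso.com"}

# Constructed sample rules for one mailbox.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Move newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "AAMkAGI2..."}},
    {"id": "r2", "displayName": ".", "isEnabled": True,          # classic BEC rule
     "actions": {"forwardTo": [{"emailAddress": {"name": "Finance",
                                                 "address": "finance@contoso-invoices.com"}}],
                 "delete": True}},
    {"id": "r3", "displayName": "Copy to AP", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "ap@mail.contoso.com"}}]}},
    {"id": "r4", "displayName": "Archive", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "me@gmail.com"}}]}},
]

# Every messageRule action that sends a copy of the message somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def recipient_domain(recipient):
    """Domain part of a Graph recipient object, lower-cased ('' if malformed)."""
    address = recipient.get("emailAddress", {}).get("address", "")
    return address.rpartition("@")[2].lower()


def is_external(domain, accepted):
    # Exact match only: contoso-invoices.com is not contoso.com, and a subdomain
    # is internal only if it is itself an accepted domain, as in Exchange.
    return domain != "" and domain not in accepted


def external_recipients(rule, accepted):
    """List of (action, address) pairs in this rule that leave the tenant."""
    found = []
    for action in FORWARDING_ACTIONS:
        for recipient in rule.get("actions", {}).get(action, []):
            if is_external(recipient_domain(recipient), accepted):
                found.append((action, recipient["emailAddress"]["address"]))
    return found


def assess_rules(rules, accepted=ACCEPTED_DOMAINS):
    """Return one finding per rule with an external destination, most suspicious first."""
    findings = []
    for rule in rules:
        ext = external_recipients(rule, accepted)
        if not ext:
            continue
        actions = rule.get("actions", {})
        indicators = []
        # Forward-then-delete (or mark read) hides the copy from the victim.
        if actions.get("delete") or actions.get("permanentDelete") or actions.get("markAsRead"):
            indicators.append("hides forwarded mail")
        # Attackers frequently name rules '.', ',' or a single letter.
        if len(rule.get("displayName", "").strip()) <= 2:
            indicators.append("near-empty rule name")
        # Disabled rules are still reported: an attacker can re-enable them.
        findings.append({
            "id": rule["id"],
            "enabled": rule.get("isEnabled", True),
            "recipients": ext,
            "indicators": indicators,
            "severity": "high" if indicators else "medium",
        })
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for finding in assess_rules(SAMPLE_RULES):
        print(finding)
```

Running it on the constructed mailbox reports r2 (external forward plus delete, near-empty name) as high and r4 (forward-as-attachment to gmail.com, currently disabled) as medium; r3 redirects to an accepted subdomain and is ignored. The remediation step then disables the flagged rules by identity rather than deleting them, so the evidence survives for the follow-up investigation.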

MFA Not Registered

Users without MFA after registration deadline

Paused

Actions:

  1. Send reminder email with instructions
  2. After 7 days, send final warning
  3. After 14 days, block sign-in until MFA registered

Stale Account Cleanup

Users with no sign-in for 90+ days

Active

Actions:

  1. Notify user's manager for confirmation
  2. If confirmed inactive, disable account
  3. After 30 days, remove licenses
  4. After 60 days, convert mailbox to shared
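"No sign-in for 90+ days" is simple to state and easy to get wrong: service accounts only ever sign in non-interactively, brand-new accounts have no sign-in yet, and emergency-access accounts must never be swept up. The following added example (not the product's own logic) shows the classification a practitioner would want before step 1 fires. It consumes user objects in the Microsoft Graph shape returned by GET /v1.0/users?$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity (the signInActivity property needs the AuditLog.Read.All permission); the sample users, the 90-day window and the exclusion list are constructed assumptions.

```python
"""Classify accounts for the Stale Account Cleanup playbook. Added example, not the
product's code. User records mimic Graph /users with $select=signInActivity;
sample users and the exclusion list are constructed."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
# Assumed allowlist: break-glass accounts are meant to sit unused.
EXCLUDED_UPNS = {"breakglass@contoso.com"}

# Constructed sample of what Graph returns; None mirrors a missing value.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "accountEnabled": True,
     "createdDateTime": "2020-03-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-31T02:00:00Z"}},
    {"userPrincipalName": "svc-backup@contoso.com", "accountEnabled": True,
     "createdDateTime": "2021-07-15T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": None,          # service account: non-interactive only
                        "lastNonInteractiveSignInDateTime": "2024-05-30T23:00:00Z"}},
    {"userPrincipalName": "bob@contoso.com", "accountEnabled": True,
     "createdDateTime": "2020-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T17:45:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-01-16T00:00:00Z"}},
    {"userPrincipalName": "carol@contoso.com", "accountEnabled": True,
     "createdDateTime": "2024-05-10T00:00:00Z"},               # new hire, no sign-in yet
    {"userPrincipalName": "dave@contoso.com", "accountEnabled": True,
     "createdDateTime": "2023-01-01T00:00:00Z", "signInActivity": None},
    {"userPrincipalName": "erin@contoso.com", "accountEnabled": False,
     "createdDateTime": "2019-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-02-01T00:00:00Z"}},
    {"userPrincipalName": "breakglass@contoso.com", "accountEnabled": True,
     "createdDateTime": "2019-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Graph ISO-8601 'Z' timestamp -> aware datetime, or None when absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_activity(user):
    """Most recent of interactive and non-interactive sign-in, or None if never."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get(k))
              for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify(user, now, stale_after=STALE_AFTER):
    """One of: excluded, already-disabled, new-account, never-signed-in-stale, stale, active."""
    if user["userPrincipalName"].lower() in EXCLUDED_UPNS:
        return "excluded"
    if not user.get("accountEnabled", True):
        return "already-disabled"          # already past step 2; the 30/60-day timers apply
    last = last_activity(user)
    if last is None:
        # Never signed in: only stale if the account itself is older than the window.
        created = parse_ts(user["createdDateTime"])
        return "never-signed-in-stale" if now - created > stale_after else "new-account"
    return "stale" if now - last > stale_after else "active"


def stale_candidates(users, now):
    """UPNs that should go to the manager-confirmation step."""
    return [u["userPrincipalName"] for u in users
            if classify(u, now) in ("stale", "never-signed-in-stale")]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for u in SAMPLE_USERS:
        print(f'{u["userPrincipalName"]:<26} {classify(u, now)}')
```

With the clock fixed at 1 June 2024 the candidates are bob (last activity in January) and dave (created in 2023, never signed in). The backup service account stays active because its non-interactive sign-ins count, carol is a new account rather than a stale one, and the break-glass account is never considered. Note that signInActivity is only populated for sign-ins Entra has recorded; for a tenant where the data is absent, treat None as "unknown" rather than "never".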

Creating Custom Playbooks

Build your own automation workflows:

1. Define Trigger

  • Security alert (Defender, Identity Protection)
  • Compliance drift (Intune, Trust Center)
  • Scheduled (daily, weekly)
  • Manual (on-demand)
  • Webhook (external system)

2. Set Conditions

  • Alert severity (High, Medium, Low)
  • User type (Admin, Guest, Member)
  • Device platform (Windows, macOS, iOS)
  • Tenant/customer selection

3. Configure Actions

  • User actions: Block, reset password, revoke sessions
  • Device actions: Sync, lock, wipe, retire
  • Notification: Email, Teams, Slack, webhook
  • Ticket: Create in PSA, assign to team
  • Wait: Delay next action by specified time

4. Test & Deploy

  • Run in simulation mode first
  • Review what actions would be taken
  • Enable for production with approval gates if needed

Execution History

View all playbook executions with full audit trail:

  • Trigger event and timestamp
  • Affected user/device/resource
  • Actions taken with success/failure status
  • Duration of execution
  • Errors and rollback information

Approval Gates

For sensitive actions, require human approval before execution:

  • Pause playbook and send approval request
  • Approve via email, Teams, or dashboard
  • Set timeout for auto-rejection or auto-approval
  • Require multiple approvers for critical actions
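To make the four custom-playbook steps above, the execution record and the approval gate concrete, here is an added example of a minimal playbook engine. It is not the product's engine: the playbook definition format, the event shape, the action names and the set of actions that sit behind an approval gate are all assumptions made for the example. What it demonstrates is the behaviour the page describes: a trigger and conditions are evaluated first, simulation mode produces the same per-step record without touching anything, a sensitive action pauses the run until an approver decides, and every step lands in an audit record with its status.

```python
"""Minimal playbook engine: trigger -> conditions -> actions, with simulation mode,
an approval gate and an execution record. Added example, not the product's engine;
playbook format, event shape and action names are assumptions."""
from datetime import datetime, timezone

# Assumed: actions that must not run without a human decision.
SENSITIVE_ACTIONS = {"block_user", "reset_password", "wipe", "retire"}

# Constructed custom playbook in an assumed definition format.
PLAYBOOK = {
    "name": "Compromised User Response (custom)",
    "trigger": "security_alert",
    "conditions": {"severity": ["High"], "user_type": ["Member", "Admin"]},
    "actions": [
        {"type": "block_user"},
        {"type": "revoke_sessions"},
        {"type": "wait", "minutes": 5},
        {"type": "notify", "channel": "teams"},
        {"type": "ticket", "queue": "SOC"},
    ],
}

# Constructed trigger event (Identity Protection style), assumed shape.
EVENT = {"type": "security_alert", "severity": "High", "user_type": "Member",
         "upn": "alice@contoso.com", "tenant": "contoso"}


def conditions_match(playbook, event):
    """Trigger type must match and every configured condition must allow the event."""
    if event["type"] != playbook["trigger"]:
        return False
    return all(event.get(key) in allowed
               for key, allowed in playbook["conditions"].items())


class FakeBackend:
    """Stands in for the real user/device/notification/ticket connectors."""
    def __init__(self):
        self.calls = []

    def perform(self, action, event):
        self.calls.append((action["type"], event["upn"]))
        return True                      # a real connector returns False on API failure


def run_playbook(playbook, event, backend, simulate=True, approver=None, now=None):
    """Execute (or simulate) a playbook and return its execution record.

    approver(action, event) -> True (approve), False (reject) or None (still pending,
    i.e. the gate has not been answered yet and no timeout policy has fired)."""
    now = now or datetime.now(timezone.utc)
    record = {"playbook": playbook["name"], "trigger": event["type"],
              "target": event["upn"], "started": now.isoformat(),
              "simulate": simulate, "steps": []}
    if not conditions_match(playbook, event):
        record["status"] = "skipped"
        return record
    for action in playbook["actions"]:
        step = {"action": action["type"]}
        if action["type"] == "wait":
            # A real engine suspends here and resumes later; we only record the delay.
            step["status"], step["delay_minutes"] = "scheduled", action["minutes"]
        elif simulate:
            step["status"] = "would-run"          # review this list before going live
        elif action["type"] in SENSITIVE_ACTIONS:
            decision = approver(action, event) if approver else None
            if decision is None:
                step["status"] = "awaiting-approval"
                record["steps"].append(step)
                record["status"] = "paused"       # resumed when the approval arrives
                return record
            if decision is False:
                step["status"] = "rejected"
                record["steps"].append(step)
                record["status"] = "stopped"
                return record
            step["status"] = "done" if backend.perform(action, event) else "failed"
        else:
            step["status"] = "done" if backend.perform(action, event) else "failed"
        record["steps"].append(step)
    failed = any(s["status"] == "failed" for s in record["steps"])
    record["status"] = "completed-with-errors" if failed else "completed"
    return record


if __name__ == "__main__":
    print(run_playbook(PLAYBOOK, EVENT, FakeBackend(), simulate=True))
    print(run_playbook(PLAYBOOK, EVENT, FakeBackend(), simulate=False,
                       approver=lambda a, e: None))
```

The simulated run yields the full step list with every action marked would-run and no backend calls, which is exactly what step 4 asks you to review. Switching simulate off with an approver that has not yet answered stops the record at block_user in the awaiting-approval state; the remaining actions are never reached until the gate is resolved, so a rejected approval on the first sensitive step also prevents the later notification and ticket from going out. A timeout policy (auto-reject or auto-approve) is simply an approver that stops returning None once the deadline passes.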

API Reference

GET /api/automation/playbooks

List all playbooks

POST /api/automation/playbooks

Create new playbook

POST /api/automation/playbooks/:id/run

Manually trigger playbook

GET /api/automation/executions

List execution history

POST /api/automation/approvals/:id

Approve or reject pending action