Beyond the password reset: what identity incident response really looks like in Microsoft 365

At 11pm, a compromised account is discovered. By midnight, the password has been reset and the ticket is closed. By morning, the attacker is still inside. Mailbox rules are actively forwarding finance emails to an external address, and you are staring down financial loss, a costly POPIA breach, and the kind of reputational damage that follows a vendor into every future RFP.

For CISOs, IT leaders, and security decision-makers running Microsoft 365 security, this is one of the most common sequences we see in identity incident response. It is also one of the most expensive.

The team involved is usually capable, calm, and highly experienced. The instinct to reset the password and move on feels responsible. It isn’t. It is the exact moment the incident stops being visible and starts becoming costly.

This article highlights what actually has to happen between the initial alert and the final all-clear—and why the gap between thinking an incident is resolved and it actually being resolved is where real business liability lives.

Why a Password Reset Feels Like Enough (But Fails)

A password is the security credential most of us understand intuitively. Resetting it feels decisive. It creates a false sense of closure, which is exactly what a tired IT lead at 11pm is looking for.

However, a password is only one minor piece of a modern identity. Modern access in Microsoft 365 relies on:

  • Active authentication tokens

  • Persistent user sessions

  • Multi-factor authentication (MFA) states

  • Automated mailbox rules

  • Conditional access exceptions

  • Granular sign-in histories

Resetting a password addresses the credential, but it does absolutely nothing to terminate the session. If an active token remains live, attacker access persists. Mailbox rules created during the breach window will continue forwarding, filtering, or hiding communications without anyone noticing. The team that believes it has closed the incident is simply no longer watching.

What Real Identity Incident Response Looks Like

When we audit or step into a compromised Microsoft 365 tenant, we follow a strict incident response playbook. The true value isn’t just in the playbook itself; it’s in configuring these guardrails before the phone rings.

Here are the six stages of a comprehensive response strategy:

1. Map the Scope

Before altering anything, you must establish what has actually occurred. That means diving into the Microsoft 365 Security and Compliance portal to review signals comprehensively—not just the headline alert that triggered the initial call. Sign-in logs must be audited for anomalies like impossible travel, unfamiliar IP addresses, or unrecognized devices appearing in new geographies.

The Risk of Partial Scope: Containing five compromised accounts while leaving a sixth one open is exactly how security incidents recur two weeks down the line.
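The sign-in review in this stage is easiest to do consistently with a small script rather than by eye. The following is an added example, not code from the article or from Crimson Line. It runs over records constructed to match the Microsoft Graph `signIn` resource (the `/auditLogs/signIns` export); the speed threshold, the minimum hop distance, the user names and the IP addresses are all assumptions chosen for the example. It flags two of the anomalies the stage names: impossible travel between consecutive successful sign-ins, and sign-ins (successful or failed) from countries outside a user's baseline.

```python
"""Sign-in log triage: impossible travel and unfamiliar geographies.

Added example, not part of the article. SAMPLE_SIGNINS is CONSTRUCTED to
mirror the Microsoft Graph `signIn` resource (GET /auditLogs/signIns); in a
real investigation you export that endpoint for the incident window and
pass the records to the two functions below.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumptions for this example: two successful sign-ins implying faster
# travel than this cannot both be the real user, and hops shorter than
# MIN_HOP_KM are geo-IP jitter, not travel. Tune both to your own baseline.
MAX_PLAUSIBLE_KMH = 900.0
MIN_HOP_KM = 50.0
EARTH_RADIUS_KM = 6371.0


def _rec(upn, when, ip, city, country, lat, lon, error=0):
    """Build one constructed record in Graph signIn shape."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "status": {"errorCode": error},
            "location": {"city": city, "countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


SAMPLE_SIGNINS = [  # constructed sample data, documentation IP ranges
    _rec("finance.lead@example.co.za", "2026-03-02T09:05:00Z", "198.51.100.10",
         "Johannesburg", "ZA", -26.2041, 28.0473),
    _rec("finance.lead@example.co.za", "2026-03-02T10:40:00Z", "203.0.113.77",
         "Amsterdam", "NL", 52.3676, 4.9041),
    # Failed attempt (non-zero errorCode): a new geography, but not proof of travel.
    _rec("finance.lead@example.co.za", "2026-03-02T10:45:00Z", "203.0.113.77",
         "Amsterdam", "NL", 52.3676, 4.9041, error=50126),
    # Cape Town then Johannesburg three hours apart is plausible travel.
    _rec("ops.admin@example.co.za", "2026-03-02T06:00:00Z", "198.51.100.44",
         "Cape Town", "ZA", -33.9249, 18.4241),
    _rec("ops.admin@example.co.za", "2026-03-02T09:00:00Z", "198.51.100.10",
         "Johannesburg", "ZA", -26.2041, 28.0473),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _coords(rec):
    geo = (rec.get("location") or {}).get("geoCoordinates") or {}
    if geo.get("latitude") is None or geo.get("longitude") is None:
        return None
    return geo["latitude"], geo["longitude"]


def _place(rec):
    loc = rec.get("location") or {}
    return f"{loc.get('city')}, {loc.get('countryOrRegion')}"


def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Per user, compare each successful sign-in with the previous one and
    flag pairs whose implied speed exceeds max_kmh. Oldest finding first."""
    by_user = defaultdict(list)
    for rec in signins:
        # Only successful sign-ins prove presence; failures are handled below.
        if rec.get("status", {}).get("errorCode", 0) == 0 and _coords(rec):
            by_user[rec["userPrincipalName"]].append(rec)
    findings = []
    for user, recs in sorted(by_user.items()):
        recs.sort(key=_when)
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(*_coords(prev), *_coords(cur))
            if km < MIN_HOP_KM:
                continue
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": _place(prev), "to": _place(cur),
                                 "ip": cur.get("ipAddress"), "minutes": round(hours * 60),
                                 "kmh": round(kmh) if hours > 0 else None})
    return findings


def unfamiliar_countries(signins, baseline):
    """(user, country, ip) tuples, successful or failed, from countries outside
    that user's baseline set. Failed attempts matter here: they show targeting."""
    hits = set()
    for rec in signins:
        user = rec["userPrincipalName"]
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country and country not in baseline.get(user, set()):
            hits.add((user, country, rec.get("ipAddress")))
    return sorted(hits)


if __name__ == "__main__":
    known = {"finance.lead@example.co.za": {"ZA"}, "ops.admin@example.co.za": {"ZA"}}
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print("IMPOSSIBLE TRAVEL:", f)
    for hit in unfamiliar_countries(SAMPLE_SIGNINS, known):
        print("NEW GEOGRAPHY:", hit)
```

The two checks are deliberately separate: impossible travel only trusts successful sign-ins, because a failed attempt from Amsterdam does not prove anyone was there, while the geography check keeps failures in because a burst of failed attempts from a country the user has never signed in from is exactly the "sixth account" signal the partial-scope warning is about.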

2. Containment

Once the scope is clear, affected accounts must be locked down immediately. Passwords and MFA methods are reset, active sessions are forcibly revoked, tokens are cleared, and forced re-authentication is applied across the whole affected environment. This step stops the structural bleeding, but it does not heal the wound.

3. Investigation

With the attacker kicked out, the deeper investigation begins. Security teams must search for persistent footprint changes made during the compromise. Attackers heavily favor creating hidden mailbox rules to quietly forward financial invoices or delete incoming security warnings. Every forwarding address, administrative role change, and conditional access policy exception created during the window must be comprehensively audited.

Knowing your precise entry point—whether it was a phishing link, token theft, or legacy authentication vulnerabilities—is what prevents a repeat incident.
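The mailbox rule and forwarding audit in this stage is mechanical enough to script, which also makes it repeatable at validation time. The following is an added example, not code from the article or from Crimson Line. The rules are constructed to match the Microsoft Graph `messageRule` resource (`/users/{id}/mailFolders/inbox/messageRules`), the mailbox record mirrors the forwarding fields of Exchange Online's `Get-Mailbox` output, and `ORG_DOMAINS`, the rule names, the folder ids and the addresses are assumptions for the example. It flags the three patterns the paragraph describes: forwarding or redirecting outside the organisation, silently deleting mail, and "move and mark as read" hiding.

```python
"""Inbox rule and mailbox forwarding triage for the persistence patterns
the article describes.

Added example, not part of the article. SAMPLE_RULES is CONSTRUCTED in the
shape of the Microsoft Graph `messageRule` resource
(GET /users/{id}/mailFolders/inbox/messageRules); SAMPLE_MAILBOX mirrors the
forwarding fields of Exchange Online's Get-Mailbox output. ORG_DOMAINS is an
assumption standing in for the tenant's accepted domains.
"""

ORG_DOMAINS = {"example.co.za"}


def _addr(address):
    """Graph recipient entry: {"emailAddress": {"address": ...}}."""
    return {"emailAddress": {"address": address}}


SAMPLE_RULES = [  # constructed; folder ids are placeholders
    {"id": "r1", "displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [_addr("archive@example.net")],
                 "markAsRead": True, "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Clean up alerts", "isEnabled": True,
     "conditions": {"fromAddresses": [_addr("security-alerts@example.co.za")]},
     "actions": {"delete": True}},
    {"id": "r3", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-newsletters"}},
    {"id": "r4", "displayName": "Old redirect", "isEnabled": False,
     "actions": {"redirectTo": [_addr("cfo@example.co.za")]}},
    {"id": "r5", "displayName": "Noise", "isEnabled": True,
     "conditions": {"subjectContains": ["password", "sign-in"]},
     "actions": {"moveToFolder": "folder-id-rss", "markAsRead": True}},
]

SAMPLE_MAILBOX = {  # constructed, Get-Mailbox-style fields
    "UserPrincipalName": "finance.lead@example.co.za",
    "ForwardingSmtpAddress": "smtp:archive@example.net",
    "DeliverToMailboxAndForward": True,
}


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address's domain is not one of the tenant's own."""
    return address.lower().rsplit("@", 1)[-1] not in org_domains


def _addresses(entries):
    return [e.get("emailAddress", {}).get("address", "").lower() for e in entries or []]


def triage_rules(rules, org_domains=ORG_DOMAINS, include_disabled=False):
    """Return findings for rules matching an exfiltration or hiding pattern.
    Disabled rules are skipped unless include_disabled is set."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", False) and not include_disabled:
            continue
        acts = rule.get("actions") or {}
        reasons = []
        targets = (_addresses(acts.get("forwardTo"))
                   + _addresses(acts.get("forwardAsAttachmentTo"))
                   + _addresses(acts.get("redirectTo")))
        external = [a for a in targets if is_external(a, org_domains)]
        if external:
            reasons.append("forwards outside the organisation: " + ", ".join(external))
        if acts.get("delete") or acts.get("permanentDelete"):
            reasons.append("deletes matching mail")
        if acts.get("moveToFolder") and acts.get("markAsRead"):
            reasons.append("moves and marks as read (hides mail from the user)")
        # Names that are empty or only punctuation are a common low-effort disguise.
        if not (rule.get("displayName") or "").strip(" .,-_"):
            reasons.append("blank or punctuation-only name")
        if reasons:
            findings.append({"id": rule["id"], "name": rule.get("displayName", ""),
                             "enabled": bool(rule.get("isEnabled")),
                             "conditions": rule.get("conditions") or {},
                             "reasons": reasons})
    return findings


def mailbox_forwarding(mailbox, org_domains=ORG_DOMAINS):
    """Mailbox-level forwarding lives outside inbox rules and is easy to miss.
    Returns the external target address, or None."""
    addr = (mailbox.get("ForwardingSmtpAddress") or "").lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr if addr and is_external(addr, org_domains) else None


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES):
        print(f"rule {f['id']} ({f['name']!r}): " + "; ".join(f["reasons"]))
    print("mailbox forwarding:", mailbox_forwarding(SAMPLE_MAILBOX))
```

Run against a real tenant, the same two functions serve the validation stage: the expected result after remediation is an empty findings list and `None` for mailbox forwarding, for every account in scope, not just the one that raised the alert.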

4. Hardening

The security gaps exploited by the attacker are the exact gaps that must now be permanently sealed. This typically involves tightening conditional access architecture, completely disabling legacy authentication protocols, reviewing active privileged admin accounts, and strengthening systemic MFA policies.
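One hardening item above, "completely disabling legacy authentication protocols", is usually enforced with a Conditional Access policy, and a policy that exists in the portal is not the same as one that is enforced for everyone. The following is an added example, not code from the article or from Crimson Line. The policy objects are constructed to match the Microsoft Graph `conditionalAccessPolicy` resource (`/identity/conditionalAccess/policies`); the policy names and the group id are placeholders. It checks whether an enforced, tenant-wide block on legacy client app types exists and reports the three ways such a policy commonly fails to bite: report-only mode, disabled state, and exclusions or partial scope.

```python
"""Conditional Access audit for the hardening step: is legacy authentication
blocked by an enforced policy that reaches every user, and who is excluded?

Added example, not part of the article. SAMPLE_POLICIES is CONSTRUCTED in
the shape of the Microsoft Graph `conditionalAccessPolicy` resource
(GET /identity/conditionalAccess/policies); the group id is a placeholder.
"""

# Client app types Entra uses for legacy (non-modern) authentication clients.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
PLACEHOLDER_GROUP = "00000000-0000-0000-0000-00000000beef"  # placeholder id


def _policy(name, state, client_types, controls, include_users=("All",),
            include_groups=(), exclude_groups=(), include_apps=("All",)):
    """Build one constructed policy in Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": list(client_types),
                           "users": {"includeUsers": list(include_users),
                                     "includeGroups": list(include_groups),
                                     "excludeUsers": [],
                                     "excludeGroups": list(exclude_groups),
                                     "excludeRoles": []},
                           "applications": {"includeApplications": list(include_apps),
                                            "excludeApplications": []}},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


SAMPLE_POLICIES = [  # constructed
    # Report-only: looks like coverage in the portal, enforces nothing.
    _policy("CA001 - Block legacy authentication (pilot)",
            "enabledForReportingButNotEnforced", ["exchangeActiveSync", "other"], ["block"]),
    # Enforced, but with an excluded group that keeps a hole open.
    _policy("CA002 - Block legacy authentication", "enabled",
            ["exchangeActiveSync", "other"], ["block"], exclude_groups=[PLACEHOLDER_GROUP]),
    _policy("CA003 - Require MFA for all users", "enabled", ["all"], ["mfa"]),
    # Scoped to one group: not tenant-wide, so it does not count as coverage.
    _policy("CA004 - Block legacy auth for finance", "enabled",
            ["exchangeActiveSync", "other"], ["block"],
            include_users=[], include_groups=[PLACEHOLDER_GROUP]),
]


def _covers_legacy(p):
    types = set((p.get("conditions") or {}).get("clientAppTypes") or [])
    return "all" in types or LEGACY_CLIENT_TYPES <= types


def _blocks(p):
    return "block" in ((p.get("grantControls") or {}).get("builtInControls") or [])


def _tenant_wide(p):
    cond = p.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    return ("All" in (users.get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or []))


def _exclusions(p):
    users = (p.get("conditions") or {}).get("users") or {}
    return ((users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
            + (users.get("excludeRoles") or []))


def audit_legacy_auth(policies):
    """Summarise whether legacy authentication is blocked tenant-wide.
    Simplification: the first enforced tenant-wide block policy is taken as
    the controlling one; its exclusions are reported as-is."""
    report = {"enforced_policy": None, "exclusions": [], "report_only": [],
              "disabled": [], "partial_scope": []}
    for p in policies:
        if not (_covers_legacy(p) and _blocks(p)):
            continue
        name = p.get("displayName", "<unnamed>")
        if not _tenant_wide(p):
            report["partial_scope"].append(name)
            continue
        state = p.get("state")
        if state == "enabled":
            if report["enforced_policy"] is None:
                report["enforced_policy"] = name
                report["exclusions"] = _exclusions(p)
        elif state == "enabledForReportingButNotEnforced":
            report["report_only"].append(name)
        else:
            report["disabled"].append(name)
    report["legacy_auth_blocked"] = report["enforced_policy"] is not None
    report["fully_blocked"] = report["legacy_auth_blocked"] and not report["exclusions"]
    return report


if __name__ == "__main__":
    for key, value in audit_legacy_auth(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

The distinction the report draws between `legacy_auth_blocked` and `fully_blocked` is the point: an excluded group, often a "break glass" or service-account group that was never reviewed, is exactly the kind of conditional access exception the investigation stage tells you to audit.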

5. Validation

Before signing off, the indicators must be verified. Sign-in logs must show clean telemetry, no new suspicious inbox rules can be active, and no unexpected configuration changes should be present. The accounts involved must behave normally for a full business cycle to confirm remediation.

6. Debrief

Finally, security leaders must review the timeline with stakeholders. Walking through what happened, why it succeeded, what configurations changed, and what indicators to monitor transforms a chaotic security crisis into an institutional security capability.

The Real Gap is Preparation, Not Response

Every internal IT team is capable of running this sequence. The difference between organizations that recover cleanly and those that suffer compounding losses isn’t raw talent—it’s structural preparation.

If your organization lacks a written incident response playbook for Microsoft 365, the first time you write one will be in the middle of an active breach. Panic writes exceptionally poor playbooks.

Critical Questions to Ask Your IT Team Today:

  1. When an account is compromised, do we have a defined, written sequence that goes beyond a password reset?

  2. Do our internal engineers know how to systematically revoke active user sessions and clear tokens?

  3. Can we pull targeted sign-in logs for a specific window rapidly, and do we know what a baseline looks like?

  4. Do we audit mailbox rules, forwarding addresses, and admin role changes as part of standard incident response?

  5. Is there a named individual who owns the post-incident debrief so lessons are converted into hardening policies?

Takeaway: Don’t Wait for the 11 PM Call

A password reset ends a credential’s life cycle. It does not end a live incident. The organizations that recover quickly are the ones who have already decided, in writing, what the other five steps are. They aren’t luckier; they are just less surprised.

Book a Quick Security Assessment

If this article has highlighted gaps in your existing Microsoft 365 tenant security, let’s address them before an alert occurs. We help South African organizations design practical, resilient incident response strategies that protect corporate reputation and ensure POPIA compliance.

👉 Book your strategic security assessment with the Crimson Line team

© 2026 Crimson Line. All Rights Reserved. | Crimson Line Solving IT (Pty) Ltd. Reg No: 2023/179522/07.