Device Actions

| Action | Description | Impact |
|---|---|---|
| Isolate Device | Disconnects device from network, maintains management connectivity | High |
| Unisolate Device | Restores network connectivity | Medium |
| Full Scan | Comprehensive antivirus/antimalware scan | Low |
| Quick Scan | Fast scan of common threat locations | Low |
| Offboard Device | Removes device from Defender for Endpoint | High |

User Actions

| Action | Description | Impact |
|---|---|---|
| Disable Account | Disables Entra ID account | High |
| Enable Account | Re-enables disabled account | Medium |
| Reset Password | Forces password reset on next sign-in | High |
| Revoke Sessions | Invalidates all active auth tokens | Medium |
| Block Sign-in | Blocks user from authenticating | High |

Network Actions

| Action | Description | Impact |
|---|---|---|
| Block IP | Blocks IP address | Medium |
| Block URL | Blocks URL/domain | Medium |

File Actions

| Action | Description | Impact |
|---|---|---|
| Quarantine File | Isolates file to prevent execution | Medium |

Email Actions

| Action | Description | Impact |
|---|---|---|
| Soft Delete Email | Removes email from mailboxes (recoverable) | Medium |

High-impact actions may require approval workflows depending on your configuration.