- From the Microsoft Sentinel left menu, go to "Automation", then "playbook template", and choose and build the playbook called "Block AAD user - Incident".
- You need to understand how to create or edit Azure Logic Apps (out of scope for this repo).
- Make sure the playbook (Logic App) is built and running properly.
- Attach the playbook to a specific analytic query in Microsoft Sentinel.
- Simulate anonymous user access by following the instructions at this link: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk#anonymous-ip-address
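
One possible analytic query to attach the playbook to, so that the simulated anonymous sign-in raises an incident carrying an Account entity for the playbook to act on. This is an added example, not part of this repo. It assumes the `SigninLogs` table is populated by the Azure AD sign-in logs connector; the one-hour lookback, the summarized columns and the `AccountName` / `AccountUPNSuffix` column names are illustrative choices.

```kql
// Added example: scheduled analytics rule query for anonymous-IP sign-ins.
// Assumption: SigninLogs is being ingested into the Sentinel workspace.
SigninLogs
| where TimeGenerated > ago(1h)                         // illustrative lookback window
// Identity Protection tags the sign-in with its detection types;
// "anonymizedIPAddress" is the anonymous IP address detection.
| where RiskEventTypes_V2 has "anonymizedIPAddress"
// One row per user, so each affected account produces a single alert.
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    SignInCount = count(),
    IPAddresses = make_set(IPAddress, 20),
    Apps        = make_set(AppDisplayName, 20)
    by UserPrincipalName, UserId
// Split the UPN so the rule's entity mapping can build an Account entity:
//   Account / Name      -> AccountName
//   Account / UPNSuffix -> AccountUPNSuffix
//   Account / AadUserId -> UserId
| extend
    AccountName      = tostring(split(UserPrincipalName, "@")[0]),
    AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
```

Without an Account entity mapped on the rule, the incident reaches the playbook with no user to block, so check the entity mapping first if the Logic App run succeeds but the test account stays enabled.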