Force account lockouts unless released from Huntress
Chris Piestrzeniewicz
I believe that at the moment, if Huntress disables an account in M365, then anyone with the right permissions in the M365 tenant is able to unlock the account without going through the right process of reviewing/interacting with the Huntress alert. This can lead to situations where the incident report is largely ignored in favour of other responses. I appreciate this is a human problem (e.g. there is a process, follow it), but it would be great if there were a technical control in place from Huntress which kept locking the account until it was released through the Huntress platform, to minimise the chance of an account becoming re-activated without the Huntress remediation plan being reviewed and "Resolve and Release Containment" being clicked/accepted. It would also be great if there were exceptions which could be placed on this lockout to ensure certain accounts did not get re-locked (e.g. a break-glass admin account).
Use case: We had a recent case in a shared administration model where an account was flagged for isolation, but not everyone in the customer's internal IT group saw the relevant alert, and the account was unlocked through M365 by their helpdesk. Luckily this turned out to be a false positive, but it could have been a problem. I've also seen some techs re-enable accounts (after performing the incident response) without ticking off the steps in the incident report.
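As an added illustration (not Huntress's code and not part of the original post), here is the kind of tenant-side stopgap an MSP could schedule with the Microsoft Graph PowerShell SDK until a native control exists: it re-disables any account on a "still contained" list that someone has re-enabled in M365, revokes its sessions, and skips a break-glass allowlist. The file path, the break-glass UPNs, the Graph permissions named, and the premise that the list is only edited after "Resolve and Release Containment" has been actioned in Huntress are all assumptions for the example.

```powershell
# Added example, not Huntress code. Re-locks contained M365 accounts that were
# re-enabled outside the Huntress workflow. Assumptions:
#   - $ContainedListPath is a JSON array of UPNs, e.g. ["jsmith@contoso.com"],
#     maintained by your process and only edited once Huntress containment
#     has been released (constructed example path and content).
#   - $BreakGlass lists accounts that must never be re-locked (hypothetical UPN).
#   - The signed-in identity holds the Graph permissions named below.
param(
    [string]   $ContainedListPath = 'C:\SecOps\contained-accounts.json',
    [string[]] $BreakGlass        = @('breakglass-admin@contoso.onmicrosoft.com'),
    [switch]   $DryRun
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# Least-privilege scopes for reading, disabling and revoking sessions.
Connect-MgGraph -Scopes 'User.Read.All', 'User.EnableDisableAccount.All', 'User.RevokeSessions.All'

if (-not (Test-Path $ContainedListPath)) {
    throw "Contained-accounts list not found: $ContainedListPath"
}
$contained = Get-Content -Path $ContainedListPath -Raw | ConvertFrom-Json

foreach ($upn in $contained) {
    # Exception list: never re-lock break-glass accounts, but make it visible.
    if ($BreakGlass -contains $upn) {
        Write-Warning "Skipping break-glass account $upn (on exception list)"
        continue
    }

    try {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read $upn from the tenant: $($_.Exception.Message)"
        continue
    }

    if (-not $user.AccountEnabled) {
        Write-Output "$upn is still disabled; nothing to do"
        continue
    }

    # The account was re-enabled while still under containment: put it back.
    if ($DryRun) {
        Write-Output "[DryRun] Would re-disable $upn and revoke its sign-in sessions"
        continue
    }

    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # Disabling alone leaves issued refresh tokens usable; revoke them too.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Output "Re-disabled $upn and revoked sessions: still under Huntress containment"
}

Disconnect-MgGraph | Out-Null
```

Run it as a scheduled task every few minutes (with `-DryRun` first to confirm the list and allowlist are right). The point of the design is that the only way to stop the re-lock is to remove the UPN from the list, which your process ties to releasing containment in Huntress, while the break-glass allowlist is checked before any tenant call so an outage in the script cannot lock you out of the tenant.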