After completing your [investigation](howto-identity-protection-investigate-risk.md), you need to take action to remediate the risky users or unblock them. Organizations can enable automated remediation by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). Organizations should try to investigate and remediate all risky users in a time period that your organization is comfortable with. Microsoft recommends acting quickly, because time matters when working with risks.
21
21
22
-
## Risk Remediation
22
+
## Risk remediation
23
23
24
24
All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation on the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked.
25
25
26
26
Some risk detections and the corresponding risky sign-ins may be marked by Identity Protection as dismissed with risk state "Dismissed" and risk detail "Azure AD Identity Protection assessed sign-in safe" because those events were no longer determined to be risky.
27
27
28
28
Administrators have the following options to remediate:
29
-
-Setup[risk-based policies](howto-identity-protection-configure-risk-policies.md) to allow users to self-remediate their risks
29
+
-Set up[risk-based policies](howto-identity-protection-configure-risk-policies.md) to allow users to self-remediate their risks
30
30
- Manual password reset
31
31
- Dismiss user risk
32
32
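Review bot: The remediation options list is still not parallel after the "Setup" to "Set up" fix: the first bullet is an imperative ("Set up risk-based policies ..."), the second is a noun phrase ("Manual password reset"), and the third is an imperative again ("Dismiss user risk"). Consider "Reset the password manually" for the second bullet so all three read as actions an administrator takes. In the intro context line, "Organizations should try to investigate ..." switches to "your organization is comfortable with" in the same sentence; it would be worth settling on one voice while this section is being touched.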
@@ -36,16 +36,16 @@ You can allow users to self-remediate their sign-in risks and user risks by sett
36
36
37
37
Here are the prerequisites on users before risk-based policies can be applied to them to allow self-remediation of risks:
38
38
- To perform MFA to self-remediate a sign-in risk:
39
-
-the user must have registered for Azure AD MFA
39
+
-The user must have registered for Azure AD MFA.
40
40
- To perform secure password change to self-remediate a user risk:
41
-
-the user must have registered for Azure AD MFA
42
-
-for hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them
41
+
-The user must have registered for Azure AD MFA.
42
+
-For hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them.
43
43
44
44
If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user will be blocked because they aren't able to perform the required access control, and admin intervention will be required to unblock the user.
45
45
46
46
Risk-based policies are configured based on risk levels and will only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy will apply, and administrators will need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.
47
47
48
-
### Self-remediation with Self-service password reset
48
+
### Self-remediation with self-service password reset
49
49
50
50
If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset.
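Review bot: In the hybrid-users bullet, "password writeback must have been enabled on them" keeps its awkward tense and the vague "on them" after the capitalization and punctuation fix; "password writeback must be enabled" reads cleaner. The two prerequisites named here (Azure AD MFA registration and password writeback) also carry no links, while the paragraph right after the list says a user who does not meet them is blocked and needs admin intervention, so linking each prerequisite to its setup article would let administrators verify them before a risk-based policy is applied.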