fixes

MicrosoftGuyJFlo · MicrosoftGuyJFlo · commit 8ef72a20bee3 · 2022-10-03T16:52:19.000-04:00
diff --git a/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md b/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md
@@ -32,11 +32,16 @@ Choosing to apply access control on a **High** risk level reduces the number of
 
 Configured trusted [network locations](../conditional-access/location-condition.md) are used by Identity Protection in some risk detections to reduce false positives.
 
-## Risk remediation
+### Risk remediation
 
 Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to allow self-remediation using Azure AD Multi-Factor Authentication (MFA) and secure self-service password reset (SSPR).
 
-## Microsoft's recommendation
+> [!WARNING]
+> Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.
+> 
+> Password change (I know my password and want to change it to something new) outside of the risky user policy remediation flow does not meet the requirement for secure password reset.
+
+### Microsoft's recommendation
 
 Microsoft recommends the below risk policy configurations to protect your organization:
 
@@ -47,11 +52,6 @@ Microsoft recommends the below risk policy configurations to protect your organi
 
 Requiring access control when risk level is low will introduce more user interrupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
 
-> [!WARNING]
-> Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.
-> 
-> Password change (I know my password and want to change it to something new) outside of the risky user policy remediation flow does not meet the requirement for secure password reset.
-
 ## Exclusions
 
 Policies allow for excluding users such as your [emergency access or break-glass administrator accounts](../roles/security-emergency-access.md). Organizations may need to exclude other accounts from specific policies based on the way the accounts are used. Exclusions should be reviewed regularly to see if they're still applicable.
