Merge pull request #218119 from MicrosoftGuyJFlo/IPRemoveSSPRReq

[Azure AD] Identity Protection - Update for SSPR from PG

Author: jborsecnik

articles/active-directory/identity-protection/concept-identity-protection-policies.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 10/04/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -51,13 +51,10 @@ If risks are detected on a sign-in, users can perform the required access contro
 Identity Protection analyzes signals about user accounts and calculates a risk score based on the probability that the user has been compromised. If a user has risky sign-in behavior, or their credentials have been leaked, Identity Protection will use these signals to calculate the user risk level. Administrators can configure user risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as: 
 
 - Block access
-- Allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
+- Allow access but require a secure password change.
 
 A secure password change will remediate the user risk and close the risky user event to prevent unnecessary noise for administrators.
 
-> [!NOTE] 
-> Users must have previously registered for self-service password reset before triggering the user risk policy.
-
 ## Identity Protection policies
 
 While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you [use Azure AD Conditional Access to create risk-based policies](howto-identity-protection-configure-risk-policies.md) for the following benefits:

articles/active-directory/identity-protection/concept-identity-protection-user-experience.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: conceptual
-ms.date: 01/21/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -42,7 +42,7 @@ When an administrator has configured a policy for sign-in risks, affected users
 
 ### Risky sign-in self-remediation
 
-1. The user is informed that something unusual was detected about their sign-in. This could be something like, such as signing in from a new location, device, or app.
+1. The user is informed that something unusual was detected about their sign-in. This behavior could be something like, such as signing in from a new location, device, or app.
 
     ![Something unusual prompt](./media/concept-identity-protection-user-experience/120.png)
 
@@ -84,7 +84,7 @@ If your organization has users who are delegated access to another tenant and th
 1. An organization has a managed service provider (MSP) or cloud solution provider (CSP) who takes care of configuring their cloud environment. 
 1. One of the MSPs technicians credentials are leaked and triggers high risk. That technician is blocked from signing in to other tenants. 
 1. The technician can self-remediate and sign in if the home tenant has enabled the appropriate policies [requiring password change for high risk users](../conditional-access/howto-conditional-access-policy-risk-user.md) or [MFA for risky users](../conditional-access/howto-conditional-access-policy-risk.md). 
-   1. If the home tenant hasn't enabled self-remediation policies, an administrator in the technician's home tenant will have to [remediate the risk](howto-identity-protection-remediate-unblock.md#remediation).
+   1. If the home tenant hasn't enabled self-remediation policies, an administrator in the technician's home tenant will have to [remediate the risk](howto-identity-protection-remediate-unblock.md#risk-remediation).
 
 ## See also
 

articles/active-directory/identity-protection/howto-identity-protection-investigate-risk.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: how-to
-ms.date: 01/24/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -100,7 +100,7 @@ Administrators can then choose to return to the user's risk or sign-ins report t
 Organizations may use the following frameworks to begin their investigation into any suspicious activity. Investigations may require having a conversation with the user in question, review of the [sign-in logs](../reports-monitoring/concept-sign-ins.md), or review of the [audit logs](../reports-monitoring/concept-audit-logs.md) to name a few.
 
 1. Check the logs and validate whether the suspicious activity is normal for the given user.
-   1. Look at the user’s past activities including at least the following properties to see if they are normal for the given user. 
+   1. Look at the user’s past activities including at least the following properties to see if they're normal for the given user. 
       1. Application
       1. Device - Is the device registered or compliant?
       1. Location - Is the user traveling to a different location or accessing devices from multiple locations?

articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: how-to
-ms.date: 02/17/2022
+ms.date: 11/11/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,43 +17,41 @@ ms.collection: M365-identity-device-management
 ---
 # Remediate risks and unblock users
 
-After completing your [investigation](howto-identity-protection-investigate-risk.md), you need to take action to remediate the risk or unblock users. Organizations can enable automated remediation using their [risk policies](howto-identity-protection-configure-risk-policies.md). Organizations should try to close all risk detections that they're presented in a time period your organization is comfortable with. Microsoft recommends closing events quickly, because time matters when working with risk.
+After completing your [investigation](howto-identity-protection-investigate-risk.md), you need to take action to remediate the risky users or unblock them. Organizations can enable automated remediation by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). Organizations should try to investigate and remediate all risky users in a time period that your organization is comfortable with. Microsoft recommends acting quickly, because time matters when working with risks.
 
-## Remediation
+## Risk remediation
 
-All active risk detections contribute to the calculation of a value called user risk level. The user risk level is an indicator (low, medium, high) for the probability that an account has been compromised. As an administrator, you want to get all risk detections closed, so that the affected users are no longer at risk.
+All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation on the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked.
 
-Some risks detections may be marked by Identity Protection as "Closed (system)" because the events were no longer determined to be risky.
+Some risk detections and the corresponding risky sign-ins may be marked by Identity Protection as dismissed with risk state "Dismissed" and risk detail "Azure AD Identity Protection assessed sign-in safe" because those events were no longer determined to be risky.
 
 Administrators have the following options to remediate:
-
-- Self-remediation with risk policy
+- Set up [risk-based policies](howto-identity-protection-configure-risk-policies.md) to allow users to self-remediate their risks
 - Manual password reset
 - Dismiss user risk
-- Close individual risk detections manually
 
-### Remediation framework
+### Self-remediation with risk-based policy
 
-1. If the account is confirmed compromised:
-   1. Select the event or user in the **Risky sign-ins** or **Risky users** reports and choose "Confirm compromised".
-   1. If a risk policy or a Conditional Access policy wasn't triggered at part of the risk detection, and the risk wasn't [self-remediated](#self-remediation-with-risk-policy), then:
-      1. [Request a password reset](#manual-password-reset).
-      1. Block the user if you suspect the attacker can reset the password or do multi-factor authentication for the user.
-      1. Revoke refresh tokens.
-      1. [Disable any devices](../devices/device-management-azure-portal.md) considered compromised.
-      1. If using [continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md), revoke all access tokens.
+You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as Azure AD multifactor authentication (MFA) or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users will be reported with the risk state "Remediated" instead of "At risk". 
 
-For more information about what happens when confirming compromise, see the section [How should I give risk feedback and what happens under the hood?](howto-identity-protection-risk-feedback.md#how-should-i-give-risk-feedback-and-what-happens-under-the-hood).
+Here are the prerequisites on users before risk-based policies can be applied to them to allow self-remediation of risks:
+- To perform MFA to self-remediate a sign-in risk: 
+   - The user must have registered for Azure AD MFA.
+- To perform secure password change to self-remediate a user risk:
+   -  The user must have registered for Azure AD MFA.
+   -  For hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them.
+
+If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user will be blocked because they aren't able to perform the required access control, and admin intervention will be required to unblock the user. 
 
-### Self-remediation with risk policy
+Risk-based policies are configured based on risk levels and will only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy will apply, and administrators will need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.
 
-If you allow users to self-remediate, with Azure AD multifactor authentication (MFA) and self-service password reset (SSPR) in your risk policies, they can unblock themselves when risk is detected. These detections are then considered closed. Users must have previously registered for Azure AD MFA and SSPR for use when risk is detected.
+### Self-remediation with self-service password reset
 
-Some detections may not raise risk to the level where a user self-remediation would be required but administrators should still evaluate these detections. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.
+If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset.
 
 ### Manual password reset
 
-If requiring a password reset using a user risk policy isn't an option, administrators can close all risk detections for a user with a manual password reset.
+If requiring a password reset using a user risk policy isn't an option, administrators can remediate a risky user by requiring a password reset.
 
 Administrators are given two options when resetting a password for their users:
 
@@ -63,24 +61,37 @@ Administrators are given two options when resetting a password for their users:
 
 ### Dismiss user risk
 
-If a password reset isn't an option for you, you can choose to dismiss user risk detections.
+If after investigation and confirming that the user account isn't at risk of being compromised, then you can choose to dismiss the risky user.
 
-When you select **Dismiss user risk**, all events are closed and the affected user is no longer at risk. However, because this method doesn't have an impact on the existing password, it doesn't bring the related identity back into a safe state. 
+To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Entra portal, select the affected user, and select **Dismiss user(s) risk**.
 
-To **Dismiss user risk**, search for and select **Azure AD Risky users**, select the affected user, and select **Dismiss user(s) risk**.
+When you select **Dismiss user risk**, the user will no longer be at risk, and all the risky sign-ins of this user and corresponding risk detections will be dismissed as well. 
 
-### Close individual risk detections manually
+Because this method doesn't have an impact on the user's existing password, it doesn't bring their identity back into a safe state. 
 
-You can close individual risk detections manually. By closing risk detections manually, you can lower the user risk level. Typically, risk detections are closed manually in response to a related investigation. For example, when talking to a user reveals that an active risk detection isn't required anymore. 
- 
-When closing risk detections manually, you can choose to take any of the following actions to change the status of a risk detection:
+#### Risk state and detail based on dismissal of risk
 
-- Confirm user compromised
-- Dismiss user risk
-- Confirm sign-in safe
-- Confirm sign-in compromised
+- Risky user: 
+   - Risk state: "At risk" -> "Dismissed"
+   - Risk detail (the risk remediation detail): "-" -> "Admin dismissed all risk for user" 
+- All the risky sign-ins of this user and the corresponding risk detections:
+   - Risk state: "At risk" -> "Dismissed"
+   - Risk detail (the risk remediation detail): "-" -> "Admin dismissed all risk for user" 
 
-#### Deleted users
+### Confirm a user to be compromised
+
+If after investigation, an account is confirmed compromised:
+   1. Select the event or user in the **Risky sign-ins** or **Risky users** reports and choose "Confirm compromised".
+   2. If a risk-based policy wasn't triggered, and the risk wasn't [self-remediated](#self-remediation-with-risk-based-policy), then do one or more of the followings:
+      1. [Request a password reset](#manual-password-reset).
+      1. Block the user if you suspect the attacker can reset the password or do multi-factor authentication for the user.
+      1. Revoke refresh tokens.
+      1. [Disable any devices](../devices/device-management-azure-portal.md) that are considered compromised.
+      1. If using [continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md), revoke all access tokens.
+
+For more information about what happens when confirming compromise, see the section [How should I give risk feedback and what happens under the hood?](howto-identity-protection-risk-feedback.md#how-should-i-give-risk-feedback-and-what-happens-under-the-hood).
+
+### Deleted users
 
 It isn't possible for administrators to dismiss risk for users who have been deleted from the directory. To remove deleted users, open a Microsoft support case.
 
@@ -92,9 +103,9 @@ An administrator may choose to block a sign-in based on their risk policy or inv
 
 To unblock an account blocked because of user risk, administrators have the following options:
 
-1. **Reset password** - You can reset the user's password.
-1. **Dismiss user risk** - The user risk policy blocks a user if the configured user risk level for blocking access has been reached. You can reduce a user's risk level by dismissing user risk or manually closing reported risk detections.
-1. **Exclude the user from policy** - If you think that the current configuration of your sign-in policy is causing issues for specific users, you can exclude the users from it. For more information, see the section Exclusions in the article [How To: Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md#exclusions).
+1. **Reset password** - You can reset the user's password. If a user has been compromised or is at risk of being compromised, the user's password should be reset to protect their account and your organization. 
+1. **Dismiss user risk** - The user risk policy blocks a user if the configured user risk level for blocking access has been reached. If after investigation you're confident that the user isn't at risk of being compromised, and it's safe to allow their access, then you can reduce a user's risk level by dismissing their user risk.
+1. **Exclude the user from policy** - If you think that the current configuration of your sign-in policy is causing issues for specific users, and it's safe to grant access to these users without applying this policy to them, then you can exclude them from this policy. For more information, see the section Exclusions in the article [How To: Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md#exclusions).
 1. **Disable policy** - If you think that your policy configuration is causing issues for all your users, you can disable the policy. For more information, see the article [How To: Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md).
 
 ### Unblocking based on sign-in risk