Microsoft Entra Blog

Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes

Alex Weinert, Microsoft
Sep 28, 2023

A Zero Trust breach prevention strategy based on user risk is critical for organizations in today's digital landscape. However, managing user risks in hybrid environments has posed several challenges. Today, we’re making it easier to manage user risk in hybrid environments in Microsoft Entra ID Protection (formerly Azure AD Identity Protection) – on-premises password change can now automatically remediate user risk! This feature is now in public preview. 

While we recommend mastering password changes in Entra ID to take advantage of Password Protection, hybrid customers who perform password changes on-premises found it difficult to enable user risk policies. Users would be blocked once they became risky and could not self-remediate by resetting their password on-premises, because that password change was not visible to Entra ID and so the risk could not be dismissed. The result was a build-up of users marked at risk who may or may not have already changed their passwords on-prem, which made it hard for some customers to take advantage of Entra ID Protection signals and to use risk-based policies to protect their hybrid tenants.

To bridge this gap, we’re introducing a new setting in Entra ID Protection called "Allow on-premises password change to reset user risk". Customers who have Password Hash Synchronization enabled on their tenants can now turn this setting on. When it is enabled, a user’s risk is automatically remediated when their password is changed on-premises, so customers can confidently deploy a user risk policy to protect their hybrid users.

This enhancement empowers our customers with two main advantages:

  • Efficient Remediation: Risky hybrid users can self-remediate without manual intervention from administrators, reducing the administrative burden. When a password is changed on-premises, the user risk is automatically remediated within Entra ID Protection, returning the user to a safe state.
  • Proactive Security: Organizations can now proactively deploy user risk policies that require a password change to protect their hybrid users and environments. This strengthens your organization's security posture and simplifies security management through access control policies, while ensuring that user risks are promptly addressed, even in complex hybrid environments.

Enable the “Allow on-premises password change to reset user risk” setting today under Identity Protection in the Microsoft Entra admin center, and see Remediate risks and unblock users in Azure AD Identity Protection to learn more.

We are committed to continually improving our services to provide the best security solutions. Thank you for trusting Entra ID Protection.

Stay safe out there,

Alex Weinert (@Alex_T_Weinert)

VP Director of Identity Security, Microsoft

Updated Oct 10, 2023
Version 4.0
  • swhitestrath
    Brass Contributor

    Do you have any timelines of when this feature will be out of public preview? 

  • matt91070
    Brass Contributor

    If this feature is on preview, will it add extra cost or license when it moves to GA? 

  • Hi Alex - you say that "Customers that have Password Hash Synchronization enabled on their tenants can now enable this setting." but this setting is restricted to Entra ID Plan 2 licensed tenants only. If you have only Plan 1, or the Basic plan (where Password Hash Sync is available), then you cannot reach the settings page as it is grayed out. If I look at the setting via the Graph, I get

    "message": "Your tenant is not licensed for this feature. Please upgrade your subscription to access it." (https://graph.microsoft.com/beta/identityProtection/policy)
  • Spindle8551
    Copper Contributor

    If you have password hash sync (PHS) enabled as a backup method, does this work too? We have PTA enabled as our default method, but PHS as a backup method, so keen to know if this will suffice.

  • SPCIO
    Copper Contributor

    This says it's in Preview on our tenant too. But your screenshot shows it is not. Is this in preview or not? Docs don't mention this setting.

  • This says it's in Preview on my tenant. But your screenshot shows it is not. Is this in preview or not? Docs don't mention this setting.