Forum Discussion

SEN_Azure
Copper Contributor
Aug 03, 2023

AD Identity Protection - Self-Remediation for Confirmed Compromised users?

Can a "Confirmed Compromised" user be self-remediated via MFA? We currently have a Conditional Access policy to force MFA on "High" risk level users. Microsoft documentation indicates that MFA or Password Reset will self-remediate the risk level; however, during testing the self-remediation did not take effect on the Confirmed Compromised account.

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock

Context: We are automating Incident Response in Sentinel, using a Logic App to set a user to "Confirmed Compromised" (only because there is no option to set a user to "at Risk"). We want the user risk status to be set back to Remediated or Dismissed after completing MFA. I thought a risk-based policy would self-remediate those users. If this isn't the case then I suppose I'll have to build another Logic App to "dismiss" risk after users sign in via MFA.

Thanks.

  • P4tr8k
    Brass Contributor
    Hi,
    I had this same problem. In our case I created another logic app to dismiss the risk. In my case this logic app starts working when the user successfully performs MFA.
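As an added example (not code from either post, nor Microsoft's), the decision that the second Logic App described in both posts has to make before dismissing risk, written in Python against constructed riskyUsers and signIns records: only a successful MFA sign-in that happened after the risk was last updated counts, so an MFA pass from before the incident does not clear it. It assumes the Graph field names (riskState, riskLastUpdatedDateTime, authenticationRequirement, status.errorCode) and the POST /identityProtection/riskyUsers/dismiss endpoint as Microsoft documents them.

```python
from datetime import datetime, timezone

# Constructed sample of GET /identityProtection/riskyUsers (riskState, riskLastUpdatedDateTime as in Graph).
RISKY_USERS = [
    {"id": "u1", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2023-08-03T09:00:00Z"},
    {"id": "u2", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2023-08-03T09:00:00Z"},
    {"id": "u3", "riskState": "atRisk", "riskLastUpdatedDateTime": "2023-08-03T09:00:00Z"},
]

# Constructed sample of GET /auditLogs/signIns; status.errorCode 0 means the sign-in succeeded.
SIGN_INS = [
    # u1: MFA passed before the risk was set -> must not count
    {"userId": "u1", "createdDateTime": "2023-08-03T08:30:00Z",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    # u1: MFA passed after the risk was set -> counts
    {"userId": "u1", "createdDateTime": "2023-08-03T10:15:00Z",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    # u2: single-factor success only -> not enough
    {"userId": "u2", "createdDateTime": "2023-08-03T10:20:00Z",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    # u2: MFA challenge failed (non-zero errorCode) -> not enough
    {"userId": "u2", "createdDateTime": "2023-08-03T10:25:00Z",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 500121}},
]

def parse_ts(value):
    """Parse Graph's 'Z'-suffixed UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def mfa_remediated_users(risky_users, sign_ins):
    """Ids of confirmedCompromised users with a successful MFA sign-in later than the risk update."""
    flagged = {u["id"]: parse_ts(u["riskLastUpdatedDateTime"])
               for u in risky_users if u["riskState"] == "confirmedCompromised"}
    done = set()
    for s in sign_ins:
        uid = s.get("userId")
        if (uid in flagged
                and s.get("authenticationRequirement") == "multiFactorAuthentication"
                and s.get("status", {}).get("errorCode") == 0
                and parse_ts(s["createdDateTime"]) > flagged[uid]):
            done.add(uid)
    return sorted(done)

def dismiss_request(user_ids):
    """Graph call that sets riskState to 'dismissed'; sending it needs a token with
    IdentityRiskyUser.ReadWrite.All (the HTTP call itself is not made here)."""
    return {"method": "POST",
            "url": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss",
            "json": {"userIds": list(user_ids)}}
```

In a Logic App the same rule maps onto a sign-in trigger plus one HTTP action; keeping the "after riskLastUpdatedDateTime" comparison is what stops a pre-incident MFA event from dismissing the risk.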
