Forum Discussion
AD Identity Protection - Self-Remediation for Confirmed Compromised users?
Can a "Confirmed Compromised" user be self-remediated via MFA? We currently have a Conditional Access policy to force MFA on "High" risk level users. Microsoft documentation indicates that MFA or Password Reset will self-remediate the risk level; however, during testing the self-remediation did not take effect on the Confirmed Compromised account.
Context: We are automating Incident Response in Sentinel, using a Logic App to set a user to "Confirmed Compromised" (only because there is no option to set a user to "at Risk"). We want the user risk status to be set back to Remediated or Dismissed after completing MFA. I thought a risk-based policy would self-remediate those users. If this isn't the case then I suppose I'll have to build another Logic App to "dismiss" risk after users sign in via MFA.
Thanks.
- raphaelcustodiosoares (Iron Contributor)
Hello,
Are you using it with a hybrid environment?
Are you using writeback?
- P4tr8k (Brass Contributor)
Hi,
I had this same problem. In our case I created another logic app to dismiss risk. In my case this logic app starts working when the user successfully performs MFA.
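
The selection step that such a follow-up Logic App needs, as an added example (not code from this thread): it picks users still marked `confirmedCompromised` who have a successful MFA sign-in after the flag was set, and builds the Microsoft Graph `riskyUsers/dismiss` request. The records below are constructed sample data, and treating `authenticationRequirement` as the MFA signal is an assumption.

```python
from datetime import datetime

# Microsoft Graph action that dismisses user risk (needs IdentityRiskyUser.ReadWrite.All).
DISMISS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss"

def _ts(value):
    # Graph returns ISO 8601 UTC timestamps ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def users_to_dismiss(risky_users, sign_ins):
    """Ids of confirmedCompromised users with a successful MFA sign-in after the flag."""
    flagged = {u["id"]: _ts(u["riskLastUpdatedDateTime"])
               for u in risky_users if u["riskState"] == "confirmedCompromised"}
    cleared = set()
    for s in sign_ins:
        since = flagged.get(s["userId"])
        if since is None:
            continue  # user is not in the confirmedCompromised state
        succeeded = s["status"]["errorCode"] == 0
        # Assumption: this field is used as the indicator that MFA was completed.
        mfa = s["authenticationRequirement"] == "multiFactorAuthentication"
        if succeeded and mfa and _ts(s["createdDateTime"]) > since:
            cleared.add(s["userId"])
    return sorted(cleared)

def build_dismiss_request(user_ids):
    """Request the automation would send; nothing is sent here."""
    return {"method": "POST", "url": DISMISS_URL, "body": {"userIds": user_ids}}

def _signin(user, when, code, req):
    return {"userId": user, "createdDateTime": when,
            "status": {"errorCode": code}, "authenticationRequirement": req}

# Constructed sample data shaped like riskyUser and signIn records.
RISKY = [
    {"id": "user-a", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2024-01-10T09:00:00Z"},
    {"id": "user-b", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2024-01-10T09:00:00Z"},
    {"id": "user-c", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2024-01-10T09:00:00Z"},
    {"id": "user-d", "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-01-10T09:00:00Z"},
]
SIGNINS = [
    _signin("user-a", "2024-01-10T09:30:00Z", 0, "multiFactorAuthentication"),       # MFA after flag
    _signin("user-b", "2024-01-10T08:00:00Z", 0, "multiFactorAuthentication"),       # MFA before flag
    _signin("user-c", "2024-01-10T09:40:00Z", 500121, "multiFactorAuthentication"),  # MFA failed
    _signin("user-c", "2024-01-10T09:45:00Z", 0, "singleFactorAuthentication"),      # no MFA
    _signin("user-d", "2024-01-10T09:50:00Z", 0, "multiFactorAuthentication"),       # not confirmedCompromised
]

if __name__ == "__main__":
    print(build_dismiss_request(users_to_dismiss(RISKY, SIGNINS)))
```

Only sign-ins that postdate the flag count, so an MFA session from before the incident cannot clear a user the Sentinel automation has just marked.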