A Zero Trust breach prevention strategy based on user risk is critical for organizations in today's digital landscape. However, managing user risks in hybrid environments has posed several challenges. Today, we’re making it easier to manage user risk in hybrid environments in Microsoft Entra ID Protection (formerly Azure AD Identity Protection) – on-premises password change can now automatically remediate user risk! This feature is now in public preview.
While we recommend mastering password changes in Entra ID to take advantage of Password Protection, hybrid customers who perform password changes on-premises have found it challenging to enable user risk policies. Users would get blocked when they became risky and could not self-remediate by resetting their passwords on-premises, because the password change wasn’t visible to Entra ID and so could not clear the risk. This has resulted in a build-up of users marked at risk who may or may not have changed their passwords on-prem, making it challenging for some customers to take advantage of Entra ID Protection signals and to leverage risk-based policies to protect their hybrid tenants.
To bridge this gap, we’re introducing a new setting called "Allow on-premises password change to reset user risk" in Entra ID Protection. Customers who have Password Hash Synchronization enabled on their tenants can now enable this setting. When it is enabled, a user’s risk is automatically remediated when their password is changed on-premises, so customers can confidently deploy a user risk policy to protect their hybrid users.
This enhancement empowers our customers with two main advantages:
Efficient Remediation: With this capability, risky hybrid users can efficiently self-remediate without manual interventions from administrators, reducing the administrative burden. When a password is changed on-premises, user risk will be automatically remediated within Entra ID Protection, bringing the user to a safe state.
Proactive Security: Organizations can now proactively deploy user risk policies that require a password change, confidently protecting their hybrid users and environments. This proactive approach strengthens your organization's security posture and simplifies security management through access control policies, while ensuring that user risks are promptly addressed, even in complex hybrid environments.