Microsoft Tech Community

AD Identity Protection - Self-Remediation for Confirmed Compromised users?


Can a "Confirmed Compromised" user be self-remediated via MFA? We currently have a Conditional Access policy to force MFA on "High" risk level users. Microsoft documentation indicates that MFA or Password Reset will self-remediate the risk level; however, during testing the self-remediation did not take effect on the Confirmed Compromised account.

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protecti... 

 

Context: We are automating Incident Response in Sentinel, using a Logic App to set a user to "Confirmed Compromised" (only because there is no option to set a user to "at Risk"). We want the user risk status to be set back to Remediated or Dismissed after completing MFA. I thought a risk-based policy would self-remediate those users. If this isn't the case, then I suppose I'll have to build another Logic App to "dismiss" risk after users sign in via MFA.

 

Thanks.

 

 

2 Replies
Hello,

Are you using a hybrid environment?
Are you using writeback?

Hi,
I had this same problem. In our case I created another logic app to dismiss the risk. In my case this logic app starts working when the user successfully performs MFA.
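
The workflow discussed in this thread (dismiss the risk once the user has passed MFA), as an added example that is not part of the original posts or of either poster's Logic App. It selects users still in the `confirmedCompromised` state who have a successful MFA sign-in after the risk was set, and builds the request for Microsoft Graph's `riskyUsers/dismiss` action. The sample records are constructed, and treating `authenticationRequirement` plus `errorCode` 0 as "MFA completed" is an assumption.

```python
from datetime import datetime

DISMISS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss"

def _ts(value):
    # Graph returns ISO 8601 UTC timestamps ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def mfa_completed_after(sign_ins, user_id, since):
    """True if the user has a successful MFA-required sign-in later than `since`."""
    return any(
        s["userId"] == user_id
        and s["authenticationRequirement"] == "multiFactorAuthentication"
        and s["status"]["errorCode"] == 0          # 0 = sign-in succeeded
        and _ts(s["createdDateTime"]) > since      # ignore MFA done before the flag
        for s in sign_ins
    )

def build_dismiss_request(risky_users, sign_ins):
    """Return (url, json_body) for riskyUsers/dismiss, or None if nobody qualifies."""
    user_ids = [
        u["id"] for u in risky_users
        if u["riskState"] == "confirmedCompromised"
        and mfa_completed_after(sign_ins, u["id"], _ts(u["riskLastUpdatedDateTime"]))
    ]
    return (DISMISS_URL, {"userIds": user_ids}) if user_ids else None

# Constructed sample data shaped like Graph riskyUser and signIn records.
FLAGGED_AT = "2024-03-01T10:00:00Z"
RISKY_USERS = [
    {"id": "user-a", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": FLAGGED_AT},
    {"id": "user-b", "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": FLAGGED_AT},
    {"id": "user-c", "riskState": "atRisk", "riskLastUpdatedDateTime": FLAGGED_AT},
]
MFA = "multiFactorAuthentication"
SIGN_INS = [
    # user-a passed MFA after being flagged: eligible for dismissal
    {"userId": "user-a", "authenticationRequirement": MFA,
     "status": {"errorCode": 0}, "createdDateTime": "2024-03-01T10:30:00Z"},
    # user-b passed MFA only before the flag, then failed afterwards: stays flagged
    {"userId": "user-b", "authenticationRequirement": MFA,
     "status": {"errorCode": 0}, "createdDateTime": "2024-03-01T09:00:00Z"},
    {"userId": "user-b", "authenticationRequirement": MFA,
     "status": {"errorCode": 50074}, "createdDateTime": "2024-03-01T11:00:00Z"},
    # user-c passed MFA but was never set to confirmedCompromised: ignored here
    {"userId": "user-c", "authenticationRequirement": MFA,
     "status": {"errorCode": 0}, "createdDateTime": "2024-03-01T10:45:00Z"},
]
```

Sending the returned body as a POST to the returned URL requires a token with the `IdentityRiskyUser.ReadWrite.All` permission.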