Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes
Published Sep 28 2023 10:35 AM

A Zero Trust breach-prevention strategy based on user risk is critical for organizations today, but managing user risk in hybrid environments has posed several challenges. Today we're making it easier: in Microsoft Entra ID Protection (formerly Azure AD Identity Protection), an on-premises password change can now automatically remediate user risk. This feature is in public preview.


While we recommend making Entra ID the authority for password changes, so that Password Protection applies, hybrid customers who change passwords on-premises have found it hard to enable user risk policies. A user who became risky was blocked and could not self-remediate by resetting their password on-premises: that change was not visible to Entra ID, so it could not clear the risk. The result was a build-up of users marked at risk who may or may not have already changed their passwords on-premises, which made it hard for some customers to use Entra ID Protection signals and risk-based policies to protect their hybrid tenants.


To bridge this gap, we're introducing a new setting in Entra ID Protection: "Allow on-premises password change to reset user risk". It is available to tenants that have Password Hash Synchronization enabled, because the synchronized hash is how Entra ID learns that the on-premises password actually changed. When the setting is on, a user's risk is remediated automatically when their password is changed on-premises, and you can deploy a user risk policy with confidence to protect your hybrid users.
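Before turning the setting on, it helps to size the backlog of at-risk users described above and to confirm that Password Hash Synchronization is actually running. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes you hold the listed permissions. The property names follow the Graph organization, user and riskyUser resources; treat the PHS check as a heuristic (it relies on onPremisesLastPasswordSyncDateTime being populated) and the "changed after risk" flag as an approximation, since lastPasswordChangeDateTime is assumed to be updated by the synchronized hash.

```powershell
# Added example (not from the original post). Audits the at-risk backlog in a
# hybrid tenant and checks the PHS prerequisite for the new setting.
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All','User.Read.All','Organization.Read.All' -NoWelcome

# 1. The setting only applies when Password Hash Synchronization is on.
#    onPremisesLastPasswordSyncDateTime stays null if PHS has never synced (assumption).
$org = Get-MgOrganization
if (-not $org.OnPremisesSyncEnabled) {
    Write-Warning 'Directory sync is not enabled for this tenant; the setting does not apply.'
} elseif (-not $org.OnPremisesLastPasswordSyncDateTime) {
    Write-Warning 'No password hash has ever synced; enable PHS before relying on the setting.'
} else {
    "PHS last synced a password: $($org.OnPremisesLastPasswordSyncDateTime)"
}

# 2. Users still flagged at risk, joined with the date of their last password change.
#    riskyUser.id is the user's object id, so it can be passed straight to Get-MgUser.
$report = foreach ($ru in Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All) {
    $u = Get-MgUser -UserId $ru.Id -Property 'userPrincipalName,lastPasswordChangeDateTime,onPremisesSyncEnabled'
    [pscustomobject]@{
        User            = $ru.UserPrincipalName
        RiskLevel       = $ru.RiskLevel
        RiskUpdated     = $ru.RiskLastUpdatedDateTime
        PasswordChanged = $u.LastPasswordChangeDateTime
        Hybrid          = [bool]$u.OnPremisesSyncEnabled
        # Password changed after the risk was last raised: a hybrid user in this
        # state is the stale-risk backlog the post describes, i.e. someone who
        # would have been auto-remediated had the setting been on.
        ChangedAfterRisk = [bool]($u.LastPasswordChangeDateTime -and
                                  $u.LastPasswordChangeDateTime -gt $ru.RiskLastUpdatedDateTime)
    }
}
$report | Sort-Object RiskLevel, RiskUpdated | Format-Table -AutoSize

"Hybrid users at risk who already changed their password: " +
    ($report | Where-Object { $_.Hybrid -and $_.ChangedAfterRisk }).Count

# 3. After the setting is enabled, on-premises changes should move users to
#    riskState 'remediated'; riskDetail records which action cleared the risk.
Get-MgRiskyUser -Filter "riskState eq 'remediated'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskDetail, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Select-Object -First 20
```

Run step 2 before and after enabling the setting: the count of hybrid users flagged ChangedAfterRisk should drain as their next on-premises password change syncs, and step 3 lets you confirm that the remediations are arriving rather than users simply being dismissed by an administrator.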




This enhancement empowers our customers with two main advantages:


  • Efficient remediation: risky hybrid users can self-remediate without manual intervention from an administrator, reducing the administrative burden. When a password is changed on-premises, the user's risk is remediated automatically in Entra ID Protection, returning the user to a safe state.
  • Proactive security: organizations can deploy user risk policies that require a password change and be confident they protect hybrid users and environments. This strengthens your security posture and simplifies access-control management, while ensuring user risk is addressed promptly even in complex hybrid environments.


Enable the “Allow on-premises password change to reset user risk” setting today in Identity Protection - Microsoft Entra admin center and visit Remediate risks and unblock users in Azure AD Identity Protection to learn more.


We are committed to continually improving our services to provide the best security solutions. Thank you for trusting Entra ID Protection.


Stay safe out there, 

Alex Weinert (@Alex_T_Weinert)  

VP Director of Identity Security, Microsoft     




Last update: Oct 10 2023 02:50 PM