Aug 03 2023 12:15 PM
Can a "Confirmed Compromised" user be self-remediated via MFA? We currently have a Conditional Access policy to force MFA on "High" risk level users. Microsoft documentation indicates that MFA or Password Reset will self-remediate the risk level; however, during testing the self-remediation did not take effect on the Confirmed Compromised account.
Context: We are automating Incident Response in Sentinel, using a Logic App to set a user to "Confirmed Compromised" (only because there is no option to set a user to "at Risk"). We want the user risk status to be set back to Remediated or Dismissed after completing MFA. I thought a risk-based policy would self-remediate those users. If this isn't the case, then I suppose I'll have to build another Logic App to "dismiss" risk after users sign in via MFA.
Thanks.
Aug 05 2023 03:45 PM
Aug 06 2023 01:57 PM