Administrators may determine that additional measures are necessary like blocking access from locations or lowering the acceptable risk in their policies. Some detections may not raise risk to the level where a user self-remediation would be required but administrators should still evaluate these detections. Users must have previously registered for Azure AD MFA and SSPR in order to use when risk is detected.
These detections are then considered closed. If you allow users to self-remediate, with Azure AD Multi-Factor Authentication (MFA) and self-service password reset (SSPR) in your risk policies, they can unblock themselves when risk is detected. Close individual risk detections manually.Some risks detections may be marked by Identity Protection as "Closed (system)" because the events were no longer determined to be risky.Īdministrators have the following options to remediate: As an administrator, you want to get all risk detections closed, so that the affected users are no longer at risk. The user risk level is an indicator (low, medium, high) for the probability that an account has been compromised.
RemediationĪll active risk detections contribute to the calculation of a value called user risk level. Microsoft recommends closing events as soon as possible because time matters when working with risk. Organizations should try to close all risk detections that they are presented with in a time period your organization is comfortable with.
Organizations also have the option to enable automated remediation using their risk policies. After completing your investigation, you will want to take action to remediate the risk or unblock users.
0 kommentar(er)
