Manage risky users

To manage the risks detected by Microsoft Entra ID Protection:

For more information about investigating risk, see the Microsoft Entra ID Protection documentation.

To view and manage your customer's risky users in Cloud Commander, your customer must have a user in the tenant with a Microsoft Entra ID P2 license. Microsoft requires a P2 license to access the risky users API, which Cloud Commander uses to gather the data.

Requirements

  • You must be assigned the Identity Protection Writer role scoped to the customer.

Identify users at risk and take action

  1. On the left navigation, select Security > Risky Users.
  2. If not already selected, use the global customer selector - Customers drop-down menu to select the customers.
  3. Filter or search to find users at risk. For example, use the Risk state or Risk level column filters to quickly see users at risk.
  4. Select the checkbox for one or more users. To reset a password, you can select only one user.
  5. To take action on the user(s), select:
    • Reset password: If a user is compromised or is at risk of being compromised, you should reset the user's password to protect their account and your organization. You can only reset the password for one user at a time.
    • Block user: When there are security concerns for a user, such as suspicious activity or a possible compromised account, block the user to prevent anyone from signing in as that user. Blocking users restricts their access to services and resources within their organization.
    • Confirm as compromised: If you've investigated and verified that one or more user accounts are compromised or at risk, confirm the users as compromised. By confirming their compromised status, you acknowledge that the accounts are vulnerable to security threats and need immediate attention.
      When you confirm a user as compromised, their risk level increases significantly, and the system considers them more likely to be targeted by malicious actors or involved in suspicious activities.

Dismiss user risk and unblock user sign-in

If, after investigation, you determine that one or more users are not at risk or the users resolve all security issues, dismiss the risk and unblock the user sign-in.

  1. On the left navigation, select Security > Risky Users.
  2. Select the checkbox for one or more users.
  3. To take action on the user(s), select:
    • Unblock user: If you determine that previously blocked users were blocked unnecessarily or if the users resolved any security issues, you can unblock the users.
      When you unblock users, you allow the users to regain access to their accounts and services.
    • Dismiss risk: If you determine that one or more users are not at risk of being compromised, and it's safe to allow their access, reduce their risk level by dismissing their user risk.
      This action cannot be reversed. It may take a few minutes to apply on Microsoft Entra ID.

Updated: Jul 09, 2024