Microsoft Entra ID Protection Eases Password Change Remediations

Users authenticating on premises deemed at risk will be able to reset their passwords with a new setting.

Microsoft has improved the remediation process when users authenticating via on-premises methods are deemed to be at risk by the Microsoft Entra ID Protection service, per a Thursday announcement.

Typically, such users could get blocked because Microsoft's cloud-based service "couldn't dismiss the risk." Now, a new setting lets users change their passwords as a remediation step, even when the change is made on premises or in a "hybrid" (local plus cloud) setup.

Organizations using Microsoft Entra ID Protection can enable this self-remediation capability for end users by activating a new setting in the Microsoft Entra Admin Center, which is called "Allow on-premises password change to reset user risk." This self-remediation capability is not just a convenience for IT pros. Microsoft views it as removing a block that some organizations have faced in implementing user risk policies.

Here's how Alex Weinert, vice president and director of identity security at Microsoft, characterized the issue for those organizations, per the announcement:

While we recommend mastering password changes in Entra ID to take advantage of Password Protection, hybrid customers who do password changes on-premises found it challenging to enable user risk policies. Users would get blocked when becoming risky and could not self-remediate by resetting passwords on-premises because the password change wasn't visible to Entra ID, and so couldn't dismiss the risk.

That situation made it "challenging" for those organizations to fully leverage Entra ID Protection signals, he added.

The new setting is available in the Microsoft Entra Admin Center portal, but it's not clear if it's at "preview" or at "general availability" (commercial release) status. Organizations can use the setting if they have "Password Hash Synchronization" enabled.

"Customers that have Password Hash Synchronization enabled on their tenants can now enable this setting," Weinert clarified. When it's enabled, passwords changed on premises will be "automatically remediated within Entra ID Protection."
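One practical check after enabling the setting is to confirm that risky users who changed their password on premises actually move out of the "atRisk" state. The script below is an added example, not code from the article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and assumes the module is installed, that the signed-in account has the IdentityRiskyUser.Read.All permission, and that a seven-day look-back window is what you want.

```powershell
# Added example (not from the article): list Entra ID Protection risky users and
# summarize how many remain at risk versus remediated. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller holds IdentityRiskyUser.Read.All.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All" -NoWelcome

# Look-back window (assumed value): risky users whose risk changed in the last 7 days
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$riskyUsers = Get-MgRiskyUser -All -Filter "riskLastUpdatedDateTime ge $since"

# Per-user view: RiskState shows whether the user is still 'atRisk' or has been
# 'remediated'; RiskDetail records how the risk was last resolved, when known.
$riskyUsers |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Format-Table -AutoSize

# Summary: users still 'atRisk' are the ones a user risk policy would keep blocking,
# so this count should fall once on-premises password changes are being remediated.
$riskyUsers | Group-Object RiskState | Select-Object Name, Count
```

Run it before and after enabling "Allow on-premises password change to reset user risk" on a tenant with Password Hash Synchronization; a remediated on-premises change should show up as a RiskState transition for that user rather than a lingering "atRisk" entry.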

This new setting will let IT pros more confidently deploy user risk policies, Weinert contended.

"This proactive approach strengthens your organization's security posture, simplifies security management with access control policies while ensuring that user risks are promptly addressed, even in complex hybrid environments," he indicated.

Remediation nuances for Microsoft Entra ID Protection are described in this Microsoft document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

