Identity Protection Confirm User Compromised Action

This guide shows an administrator how to confirm a system-identified risky user as a true positive.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: TBD

Domain: TBD

Modifies: TBD

Risky Users Confirm User Compromised Action

  1. Navigate to the Risky Users – Azure Active Directory portal, then locate and select the desired risky user from the list.
  2. From the Risky User Details flyout, select the Confirm user compromised action. This action should be taken after investigating and confirming that the user account is compromised. A disclaimer will be displayed explaining that the user risk will be set to high and that a new detection will be added. Select Yes to identify the user risk as real. If a risk-based conditional access policy wasn’t triggered and the risk wasn’t self-remediated as a result, you will need to carry out additional actions such as a User Block, Password Reset, Revoking Active Sessions, Resetting MFA, or Reregistering MFA.
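The same confirmation can be scripted with the Microsoft Graph PowerShell SDK. The sketch below is an added example, not part of the original guide. It assumes the Microsoft.Graph modules are installed and the signed-in administrator can consent to the listed scopes; the function name `Confirm-CompromisedUser` and the UPN `jdoe@contoso.example` are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns

function Confirm-CompromisedUser {   # hypothetical helper name, not a built-in cmdlet
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$RevokeSessions,   # follow-up action: revoke active sessions
        [switch]$BlockSignIn       # follow-up action: user block
    )

    # Resolve the UPN to the directory object ID used by the risky-user record.
    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

    # Stops with an error if Identity Protection has no risk record for this user,
    # so an account is never confirmed compromised by mistyped input.
    $before = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction Stop
    Write-Verbose "Risk before confirmation: $($before.RiskLevel) / $($before.RiskState)"

    # ShouldProcess prompts for confirmation, mirroring the portal's Yes/No disclaimer.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Confirm user compromised')) {
        Confirm-MgRiskyUserCompromised -UserIds @($user.Id) -ErrorAction Stop

        # Optional containment when no risk-based policy remediated the risk.
        if ($RevokeSessions) { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null }
        if ($BlockSignIn)    { Update-MgUser -UserId $user.Id -AccountEnabled:$false }
    }

    # Re-read the record so the operator can check that the user risk is now high.
    Get-MgRiskyUser -RiskyUserId $user.Id |
        Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime
}

# Example run (constructed UPN): confirm the compromise and revoke active sessions.
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'User.ReadWrite.All'
Confirm-CompromisedUser -UserPrincipalName 'jdoe@contoso.example' -RevokeSessions -Verbose
```

Password reset and MFA re-registration are not covered by this sketch and still need to be carried out separately.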

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.