Forum Discussion
underQualifried
Feb 14, 2025, Brass Contributor
What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to its full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple year...
luchete
Feb 17, 2025, Steel Contributor
Hi underQualifried,
In my case, for old risky users, I start by reviewing the historical alerts and identifying which users are still active and which ones aren’t. For those that are still active, I ensure they reset their passwords and update any compromised accounts. I also use Entra ID’s security policies to enforce additional authentication measures like MFA. For users who are no longer active or have no valid sign-ins, I consider disabling or deleting their accounts. If there are any hybrid environments involved, I enable self-clearing to make the process smoother and reduce the backlog of alerts.
Ultimately, the goal is to tighten security while cleaning up unnecessary risks from old accounts.
I hope it gives you some ideas!
underQualifried
Feb 18, 2025, Brass Contributor
Hi luchete, thanks for the input... I think I've followed a similar process. Check Entra ID for "Account Enabled" or 365AC for "Sign-on Allowed" to rule out inactive accounts. For those active, I check the date of the most recent password change - if this date is BEFORE the risk alert, I have them reset. If it's after, I don't force a reset. In either case, I check sign-in logs in Entra and verify recent login details are as expected (IP/location/device are recognized, MFA passed, etc.)... If the password reset occurred AFTER the risk, I check that login and verify the details (to ensure it was really them resetting). Old accounts get set to sign-on disabled. We use Conditional Access for approved locations, MFA and the Entra P2 risk policies (though we're still testing these out).
Any of that stand out to you as bad practice, in your experience? I'm a little bit unsure about bothering someone with "your password was compromised 3 years ago". We're also rolling out DarkWeb scanning, so I'm just dealing with a lot of historical stuff right now, and trying to optimize the process. Thanks!
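The triage described in the post above (skip disabled accounts, compare the last password change against the risk date, then eyeball the most recent sign-ins), written up as an added example; this is not code from anyone in this thread. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed read scopes, and it uses the risky user's riskLastUpdatedDateTime as a stand-in for "when the alert fired". It only reports; the reset or disable decision stays with the admin.

```powershell
# Added example (not from the thread). Read-only triage of at-risk Entra ID users.
# Assumes: Install-Module Microsoft.Graph, and an account that can consent to these scopes.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All","User.Read.All","AuditLog.Read.All"

$report = foreach ($r in (Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All)) {
    $u = Get-MgUser -UserId $r.Id -Property "userPrincipalName,accountEnabled,lastPasswordChangeDateTime"
    # Assumption: last risk update is a reasonable proxy for the alert date.
    $riskAt = $r.RiskLastUpdatedDateTime

    if (-not $u.AccountEnabled) {
        $action = "Sign-in disabled: no reset needed, review whether the risk can be dismissed"
    } elseif (-not $u.LastPasswordChangeDateTime -or $u.LastPasswordChangeDateTime -lt $riskAt) {
        $action = "Password predates the risk: require a reset"
    } else {
        $action = "Password changed after the risk: verify that reset sign-in was really the user"
    }

    # Newest sign-ins first (the API's default order); enough to check IP, location and MFA.
    $recent = Get-MgAuditLogSignIn -Filter "userId eq '$($r.Id)'" -Top 3 | ForEach-Object {
        "{0:u} {1} {2}/{3} MFA={4} err={5}" -f $_.CreatedDateTime, $_.IpAddress,
            $_.Location.City, $_.Location.CountryOrRegion,
            ($_.AuthenticationRequirement -eq 'multiFactorAuthentication'), $_.Status.ErrorCode
    }

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        RiskLevel     = $r.RiskLevel
        RiskUpdated   = $riskAt
        PwdChanged    = $u.LastPasswordChangeDateTime
        Action        = $action
        RecentSignIns = ($recent -join "; ")
    }
}

# Oldest risk first, so the historical backlog is worked through in order.
$report | Sort-Object RiskUpdated | Format-Table -AutoSize
```

Sign-in log retention in Entra is limited, so for risks that are years old the RecentSignIns column shows current behaviour rather than the sign-in at the time of the risk; the password-date comparison is what still holds up for those.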
- luchete, Feb 18, 2025, Steel Contributor
Hey underQualifried,
Your process looks solid. The checks you’re doing around account activity, sign-in logs, and MFA are all good practices. One thing to consider is how you handle older accounts that were compromised a while ago. While notifying users about something from a few years ago might feel awkward, a simple message explaining the situation and encouraging them to check their security settings (like MFA) might be helpful without causing too much concern.
As for the password reset process, if the reset happened after a risk alert, an extra verification step could give you more confidence in the user’s identity. In my opinion that should be enough.
You're on the right track overall 👌
- underQualifried, Feb 27, 2025, Brass Contributor
Right, that's sorta what I'm trying to figure out. We've been rolling out darkweb scanning, and usually people are understanding if I explain this is a new service.
Thanks for your input!