Forum Discussion
underQualifried
Feb 14, 2025 | Brass Contributor
What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to its full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple year...
underQualifried
Feb 18, 2025 | Brass Contributor
Hi luchete, thanks for the input... I think I've followed a similar process. Check Entra ID for "Account Enabled" or 365AC for "Sign-on Allowed" to rule out inactive accounts. For those active, I check the date of most recent password change - if this date is BEFORE the risk alert, I have them reset. If it's after, I don't force a reset. In either case, I check sign-in logs in Entra, and verify recent login details are as expected (IP/location/device are recognized, MFA passed, etc)... If the password reset occurred AFTER the risk, I check that login and verify the details (to ensure it was really them resetting). Old accounts get set to sign-on disabled. We use Conditional Access for approved locations, MFA and the Entra P2 risk policies (though we're still testing these out).
Any of that stand out to you as bad practice, in your experience? I'm a little bit unsure about bothering someone with "your password was compromised 3 years ago". We're also rolling out DarkWeb scanning, so I'm just dealing with a lot of historical stuff right now, and trying to optimize the process. Thanks!
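The triage described in the post above, written out as a small decision routine. This is an added example and not code from the thread or from Microsoft; the record shapes borrow the Graph API field names for riskyUser, user and signIn objects (riskLastUpdatedDateTime, accountEnabled, lastPasswordChangeDateTime, authenticationRequirement), but every record, the "known" IP and country sets, and the one-hour reset window are constructed assumptions. The routine applies the same ordering as the post: skip disabled accounts, force a reset when the last password change predates the detection, and when the change came after it, confirm the sign-in around the reset looked like the user (known egress, expected country, MFA satisfied), flagging any recent successful sign-in that does not.

```python
"""Triage of stale Entra ID risky-user detections (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed tenant baselines (constructed; 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges, not real infrastructure).
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}
KNOWN_COUNTRIES = {"US"}
MFA = "multiFactorAuthentication"   # Graph signIn.authenticationRequirement value


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp such as Graph returns ("...Z" suffix allowed)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class RiskyUser:                      # modeled on Graph riskyUser
    userPrincipalName: str
    riskState: str                    # e.g. "atRisk"
    riskLastUpdatedDateTime: str


@dataclass
class User:                           # modeled on Graph user
    userPrincipalName: str
    accountEnabled: bool
    lastPasswordChangeDateTime: Optional[str]


@dataclass
class SignIn:                         # modeled on Graph signIn (flattened)
    createdDateTime: str
    ipAddress: str
    countryOrRegion: str
    authenticationRequirement: str
    errorCode: int = 0                # 0 means the sign-in succeeded


def is_expected(s: SignIn) -> bool:
    """A sign-in 'looks like the user': known egress, expected country, MFA passed."""
    return (s.ipAddress in KNOWN_IPS
            and s.countryOrRegion in KNOWN_COUNTRIES
            and s.authenticationRequirement == MFA)


def triage(risky: RiskyUser, user: User, signins: List[SignIn], as_of: datetime,
           lookback_days: int = 30, reset_window: timedelta = timedelta(hours=1)) -> dict:
    """Return the action for one risky user plus any recent sign-ins worth a look."""
    result = {"upn": user.userPrincipalName, "action": "", "unexpected_signins": []}

    # 1. Inactive accounts: nothing to do beyond keeping sign-in disabled.
    if not user.accountEnabled:
        result["action"] = "none_account_disabled"
        return result

    # 2. Any successful sign-in in the lookback window that is not expected
    #    is recorded regardless of what the password check decides.
    cutoff = as_of - timedelta(days=lookback_days)
    recent_ok = [s for s in signins if s.errorCode == 0 and parse_ts(s.createdDateTime) >= cutoff]
    result["unexpected_signins"] = [s.createdDateTime for s in recent_ok if not is_expected(s)]

    # 3. Password change vs. detection time.
    risk_at = parse_ts(risky.riskLastUpdatedDateTime)
    pwd_at = parse_ts(user.lastPasswordChangeDateTime) if user.lastPasswordChangeDateTime else None
    if pwd_at is None or pwd_at < risk_at:
        result["action"] = "force_password_reset"
        return result

    # 4. Reset happened after the detection: was the sign-in around the reset really them?
    around_reset = [s for s in signins
                    if s.errorCode == 0 and abs(parse_ts(s.createdDateTime) - pwd_at) <= reset_window]
    if around_reset and all(is_expected(s) for s in around_reset) and not result["unexpected_signins"]:
        result["action"] = "dismiss_risk"
    else:
        result["action"] = "investigate"
    return result


# Constructed sample records covering each branch of the procedure.
AS_OF = parse_ts("2025-02-18T00:00:00Z")
SAMPLE = {
    "alice": (RiskyUser("alice@example.com", "atRisk", "2022-03-01T08:00:00Z"),
              User("alice@example.com", False, "2020-01-01T00:00:00Z"), []),
    "bob":   (RiskyUser("bob@example.com", "atRisk", "2022-03-01T08:00:00Z"),
              User("bob@example.com", True, "2021-06-01T00:00:00Z"),
              [SignIn("2025-02-10T09:00:00Z", "203.0.113.10", "US", MFA)]),
    "carol": (RiskyUser("carol@example.com", "atRisk", "2022-03-01T08:00:00Z"),
              User("carol@example.com", True, "2022-03-02T10:00:00Z"),
              [SignIn("2022-03-02T10:05:00Z", "203.0.113.11", "US", MFA),
               SignIn("2025-02-12T14:00:00Z", "203.0.113.10", "US", MFA)]),
    "dave":  (RiskyUser("dave@example.com", "atRisk", "2022-03-01T08:00:00Z"),
              User("dave@example.com", True, "2022-03-02T10:00:00Z"),
              [SignIn("2022-03-02T10:20:00Z", "198.51.100.7", "XX", "singleFactorAuthentication")]),
}


def run_sample() -> dict:
    """Triage every constructed record; returns {name: action}."""
    return {name: triage(r, u, s, AS_OF)["action"] for name, (r, u, s) in SAMPLE.items()}


if __name__ == "__main__":
    for name, action in run_sample().items():
        print(f"{name}: {action}")
```

Against live data the three inputs would come from the Graph riskyUsers, users and auditLogs/signIns endpoints (or the equivalent Microsoft Graph PowerShell cmdlets); the decision logic does not change. The one-hour reset window and the 30-day lookback are knobs to tune to how your tenant actually behaves.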
luchete
Feb 18, 2025 | Steel Contributor
Hey underQualifried,
Your process looks solid. The checks you’re doing around account activity, sign-in logs, and MFA are all good practices. One thing to consider is how you handle older accounts that were compromised a while ago. While notifying users about something from a few years ago might feel awkward, a simple message explaining the situation and encouraging them to check their security settings (like MFA) might be helpful without causing too much concern.
As for the password reset process, if the reset happened after a risk alert, an extra verification step could give you more confidence in the user’s identity. In my opinion that should be enough.
You're on the right track overall 👌
- underQualifried
Feb 27, 2025 | Brass Contributor
Right, that's sorta what I'm trying to figure out. We've been rolling out darkweb scanning, and usually people are understanding if I explain this is a new service.
Thanks for your input!