Allow On-Premise Password Change to Reset User Risk in Microsoft Entra

Handling user risk can be a difficult task, especially today when users are based all across the globe and identity-based attacks are on the increase. Organisations need to have an understanding of the risks present to them and visibility in real-time of how it is impacting them. 

All of this of course comes as a burden to your IT or security teams who have to field off and remediate these risks, so by putting some responsibility back to the end user, we can help alleviate this burden. 

By enabling users to remediate risk associated with their account by resetting their on-premises password we can reduce the administrative burden and simply the process as a whole. Generally, it is easier for a user to reset their password locally (when possible) than to follow the password reset process in the cloud.

Understanding resetting user risk in Microsoft Entra

Risks are detected in Microsoft Entra when suspicious actions are performed by users either at the sign-in (known as a sign-in risk) or after the user is signed in (known as a user risk). Different actions by the users during or after sign-in contribute to different levels of risk, usually based on the likelihood that the user account is compromised. 

Depending on an action, or a combination of different actions performed by the user, the risk level is automatically updated in Microsoft Entra. You can view the risk from within the Microsoft Entra Admin Center:

  1. Log in to Microsoft Entra
  2. Expand Protection
  3. Select Risky activities

From here you can see a list of risky users and the associated risk level.

Risky users list
Risky users list

When Microsoft Entra calculates the risk based on the action a user has performed, some of these risks are calculated in real-time (as they are happening) and some are calculated offline (after the event has happened), this is dependent on the type of the event, which have been listed in the below tables.

Sign-in risk detections

Risk detection Detection type Type
Atypical travel Offline Premium
Anomalous Token Offline Premium
Token Issuer Anomaly Offline Premium
Malware linked IP address Offline Premium
Suspicious browser Offline Premium
Unfamiliar sign-in properties Real-time Premium
Malicious IP address Offline Premium
Suspicious inbox manipulation rules offline premium
Password spray offline premium
Impossible travel offline premium
New country offline premium
Activity from anonymous IP address offline premium
Suspicious inbox forwarding offline premium
Mass Access to Sensitive Files offline premium
Verified threat actor IP Real-time Premium
Additional risk detected Real-time or offline nonpremium
Anonymous IP addres Real-time Nonpremium
Admin confirmed user compromised Offline Nonpremium
Microsoft Entra threat intelligence Real-time or offline Nonpremium

User risk detections

Risk detection Detection type Type
Possible attempt to access Primary Refresh Token (PRT) Offline Premium
Anomalous user activity Offline Premium
User reported suspicious activity Offline Premium
Additional risk detected Real-time or Offline Nonpremium
Leaked credentials Offline Nonpremium
Microsoft Entra threat intelligence Offline Nonpremium

There are some important tasks you should complete to effectively monitor and control user risk in your environment. 

Number 1 is to configure notification emails when a high-risk alert is created. High-risk users are a cause for concern as they normally attribute to a user becoming compromised and your IT team should be immediately notified.

Number 2 is to configure the user risk or sign-in risk policy which can be used to block access based on the risk level or give the user a chance for automatic remediation, by forcing a password change through the self-service password reset mechanism. This is also controlled through Conditional Access policies.

Number 3 is to ensure all users have multi-factor authentication configured with a strong method such as the Microsoft Authenticator app that can be used for self-service password reset. Just changing the password from the office portal will not remediate the user risk.

Topology for on-premise password changes

Although it might be obvious, it is worth saying that if you want your users to be able to remediate the risk level associated with their account by resetting their password on-premises, then you need to be running identity synchronisation, either with Microsoft Entra Connect or Microsoft Entra Cloud Sync. As well as this, you also need to ensure you are using Password Hash synchronisation with either version of the sync tool.

If you are using Microsoft Entra Connect, you can use PowerShell to check if you have Password Hash Synchronisation enabled with the following command.

Get-ADSyncAADCompanyFeature

Otherwise, if you are using Microsoft Entra Cloud Sync, you can check the same information from the Microsoft Entra Admin Center by following these steps:

1. Log in to the Microsoft Entra admin center

2. Expand Identity > Hybrid Management and select Microsoft Entra Connect.

3. Select Cloud Sync > Configurations and select your Cloud Sync configuration.

4. On the Overview tab select Properties, from here you will see whether Password hash sync is enabled or disabled.

Password hash sync check
Password hash sync check

Enable 'Allow On-Premise Password Change to Reset User Risk' in Microsoft Entra

The Allow on-premises password change to reset user risk setting is found within the Identity Protection blade of the Microsoft Entra admin center, you can simply turn it on or leave it off from there. Follow the below steps to enable the setting:

1. Login to Microsoft Entra

2. Expand Protection and select Identity Protection.

3. Under the Settings heading, select Settings.

4. Check the box to enable the setting.

Allow on-premises password change to reset user risk setting
Allow on-premises password change to reset user risk setting

Using Microsoft Graph PowerShell

You can also programmatically enable this feature using Microsoft Graph PowerShell. If you haven’t installed the Microsoft Graph PowerShell modules yet, check out my tutorial: How To Install the Microsoft Graph PowerShell Module.

First, connect to Microsoft Graph with the necessary permissions: policy.readwrite.identityprotection

Connect-MgGraph -scopes policy.readwrite.identityprotection

As there is no dedicated cmdlet for this change yet, we will have to use the catch-all cmdlet Invoke-MgGraphRequest.

$body = @'
{
        "isUserRiskClearedOnPasswordReset": true
}
'@

$uri = 'https://graph.microsoft.com/beta/identityProtection/policy'

Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json" 

Resetting on-premise password to reset the user risk level example

Once this feature is enabled and your identity synchronisation topology supports password hash synchronisation the results will be pretty instantaneous.

For this test I have a user named Adsync User 2, I have simulated a high-risk sign-in by reporting a false MFA prompt within the Microsoft Authenticator app. A couple of minutes later the user appeared in the risky sign-in log.

User at high risk
User at high risk

A few moments after the risky sign-in log appeared, I returned to the workstation where the user was logged in to on-premises and reset the password with a simple CTRL + ALT + Delete and reset password. This log on a local domain controller demonstrates that the password was updated on-premises.

Password change on-premises
Password change on-premises

A few moments after the password was updated and it synchronised to Microsoft Entra ID, the risky sign-in log for Adsync User02 was changed to the remediated state and User changed the password on premises appeared in the log details.

user changed password on-premises
user changed password on-premises

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply