๐Ÿ“‹ Microsoft Entra Documentation Changes

Daily summary for changes since January 6th 2026, 7:44 PM PST

Report generated on January 7th 2026, 7:44 PM PST

๐Ÿ“Š Summary

19
Total Commits
0
New Files
11
Modified Files
0
Deleted Files
7
Contributors

๐Ÿ“ Modified Documentation Files

MODIFIED docs/includes/app-provisioning-sap.md
Modified by Mark Wahl on Jan 7, 2026 6:56 PM
๐Ÿ“– View on learn.microsoft.com
+5 / -5 lines changed
Commit: acrolinx
Changes:
Before
After
> - Keep user attributes synchronized between Microsoft Entra ID and SAP ECC.
 
## Out of scope
* Provisioning other object types including local activity groups, roles, and profiles are not supported. Group membership provisioning can be done by [provisioning users and groups through SAP Cloud Identity Services](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) instead of the provisioning agent.
* Password operations are not supported. Use the Microsoft Identity Manager to synchronize passwords from AD to SAP ECC if password management is required.
 
## Prerequisites for provisioning to SAP ECC with NetWeaver AS ABAP 7.51
|Property|Description|
|-----|-----|
|Web Service Project |Your SAP ECC template name, `sapecc`.|
|Host|SAP ECC SOAP endpoint host name, e.g. `vhcalnplci.dummy.nodomain`|
|Port|SAP ECC SOAP endpoint port, e.g. `8000`|
 
 
1. On the **Capabilities** page, fill in the boxes with the values specified in the table below and select **Next**.
Now that you have the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning.
 
>[!IMPORTANT]
>If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has the at least the Application Administrator role for this section. The Hybrid Identity Administrator role doesn't have permissions to assign users to applications.
 
> - Keep user attributes synchronized between Microsoft Entra ID and SAP ECC.
 
## Out of scope
* Provisioning other object types including local activity groups, roles, and profiles are not supported. Group membership provisioning is possible by [provisioning users and groups through SAP Cloud Identity Services](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) instead of the provisioning agent.
* Password operations are not supported. Use the Microsoft Identity Manager to synchronize passwords from AD to SAP ECC if password management is required.
 
## Prerequisites for provisioning to SAP ECC with NetWeaver AS ABAP 7.51
|Property|Description|
|-----|-----|
|Web Service Project |Your SAP ECC template name, `sapecc`.|
|Host|SAP ECC SOAP endpoint host name, such as `vhcalnplci.dummy.nodomain`|
|Port|SAP ECC SOAP endpoint port, such as `8000`|
 
 
1. On the **Capabilities** page, fill in the boxes with the values specified in the table below and select **Next**.
Now that you have the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning.
 
>[!IMPORTANT]
>If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has at least the Application Administrator role for this section. The Hybrid Identity Administrator role doesn't have permissions to assign users to applications.
 
MODIFIED docs/id-governance/sap.md
Modified by Mark Wahl on Jan 7, 2026 7:04 PM
๐Ÿ“– View on learn.microsoft.com
+4 / -4 lines changed
Commit: add links to other articles
Changes:
Before
After
 
### Provision identities into on-premises SAP systems
 
Once you have users in Microsoft Entra ID, you can provision those users from Microsoft Entra ID to SAP Cloud Identity Services or SAP ECC, to enable them to sign in to SAP applications. If you have [`SAP S/4HANA On-premise`](https://help.sap.com/docs/identity-provisioning/identity-provisioning/target-sap-s-4hana-on-premise), then provision users from Microsoft Entra ID to SAP Cloud Identity Directory. SAP Cloud Identity Services then provisions the users originating from Microsoft Entra ID that are in the SAP Cloud Identity Directory into the downstream SAP applications to SAP S/4HANA On-Premise through the SAP cloud connector.
 
Customers who have yet to transition from applications such as SAP R/3 and SAP ERP Central Component (SAP ECC) to SAP S/4HANA can still rely on the Microsoft Entra provisioning service to provision user accounts. Within SAP R/3 and SAP ECC, you expose the necessary Business Application Programming Interfaces (BAPIs) for creating, updating, and deleting users. Within Microsoft Entra ID, you have two options:
 
* Use the lightweight Microsoft Entra provisioning agent and [web services connector](../identity/app-provisioning/on-premises-web-services-connector.md) to [provision users into apps such as SAP ECC](../identity/app-provisioning/on-premises-sap-connector-configure.md).
* In scenarios where you need to do more complex group and role management, use [Microsoft Identity Manager](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws) to manage access to your legacy SAP applications.
 
You can also use Microsoft Entra ID to provision workers into Active Directory, as well as other on-premises systems that SAP Cloud Identity Services doesn't support for provisioning.
 
 
### Provision identities into on-premises SAP systems
 
Once you have users in Microsoft Entra ID, you can provision those users from Microsoft Entra ID to SAP Cloud Identity Services or SAP ECC, to enable them to sign in to SAP applications. If you have [`SAP S/4HANA On-Premise`](https://help.sap.com/docs/identity-provisioning/identity-provisioning/target-sap-s-4hana-on-premise), then provision users from Microsoft Entra ID to SAP Cloud Identity Directory. SAP Cloud Identity Services then provisions the users originating from Microsoft Entra ID that are in the SAP Cloud Identity Directory into the downstream SAP applications to SAP S/4HANA On-Premise through the SAP cloud connector.
 
Customers who have yet to transition from applications such as SAP R/3 and SAP ERP Central Component (SAP ECC) to SAP S/4HANA can still rely on the Microsoft Entra provisioning service to provision user accounts. Within SAP R/3 and SAP ECC, you expose the necessary Business Application Programming Interfaces (BAPIs) for creating, updating, and deleting users. Then you can use the lightweight Microsoft Entra provisioning agent and [web services connector](../identity/app-provisioning/on-premises-web-services-connector.md) to [provision users into apps such as SAP ECC](../identity/app-provisioning/on-premises-sap-connector-configure.md).
 
:::image type="content" source="../identity/app-provisioning/media/on-premises-sap-connector-configure/provisioning-to-sap-on-premises-apps.png" alt-text="Diagram of provisioning to SAP ECC and SAP S/4HANA On-Premise.":::
 
 
You can also use Microsoft Entra ID to provision workers into Active Directory, as well as other on-premises systems that SAP Cloud Identity Services doesn't support for provisioning.
 
MODIFIED docs/id-protection/howto-identity-protection-investigate-risk.md
Modified by Sarah Lipsey on Jan 7, 2026 9:01 PM
๐Ÿ“– View on learn.microsoft.com
+3 / -5 lines changed
Commit: idp-risky-users-010725
Changes:
Before
After
description: Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
ms.service: entra-id-protection
ms.topic: how-to
ms.date: 10/06/2025
author: shlipsey3
ms.author: sarahlipsey
manager: pwongera
 
1. Investigate using other security tools, where available.
- If you have [Microsoft Sentinel](/azure/sentinel/overview), check for corresponding alerts that might indicate a larger issue.
- If you haveโ€ฏ[Microsoft Defender XDR](/defender-for-identity/understanding-security-alerts), you can follow a user risk event through other related alerts, incidents, and the **MITRE ATT&CK chain.**
- To navigate from the **Risky users report**, select a user > select the ellipsis (...)โ€ฏ> selectโ€ฏ**Investigate with Microsoft 365 Defender**.
:::image type="content" source="media/howto-identity-protection-investigate-risk/investigate-with-microsoft-365-defender.png" alt-text="Risky user details pane with the ellipsis and investigate in Microsoft Defender XDR option highlighted." lightbox="media/howto-identity-protection-investigate-risk/investigate-with-microsoft-365-defender.png":::
1. Contact the user to confirm if they recognize the sign-in; however, keep in mind that email or Teams might be compromised.
1. Confirm the information you have such as:
description: Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
ms.service: entra-id-protection
ms.topic: how-to
ms.date: 01/07/2026
author: shlipsey3
ms.author: sarahlipsey
manager: pwongera
 
1. Investigate using other security tools, where available.
- If you have [Microsoft Sentinel](/azure/sentinel/overview), check for corresponding alerts that might indicate a larger issue.
- If you haveโ€ฏ[Microsoft Defender XDR](/defender-for-identity/understanding-security-alerts), you can follow a user risk event through other related alerts and incidents.
- The MITRE ATT&CK chain through Microsoft Sentinel in Microsoft Defender XDR might also provide insights. In the [Microsoft Defender portal](https://security.microsoft.com), browse to **Incidents & alerts** > **Alerts** > and set the **Product name** filter to **AAD Identity Protection** to find alerts from Microsoft Entra ID Protection.
1. Contact the user to confirm if they recognize the sign-in; however, keep in mind that email or Teams might be compromised.
1. Confirm the information you have such as:
 
 
MODIFIED docs/identity/app-provisioning/plan-sap-user-source-and-target.md
Modified by Mark Wahl on Jan 7, 2026 7:04 PM
๐Ÿ“– View on learn.microsoft.com
+3 / -3 lines changed
Commit: add links to other articles
Changes:
Before
After
 
### Confirm that necessary BAPIs for SAP ECC are ready for use by Microsoft Entra
 
The Microsoft Entra provisioning agent and generic web services connector provides connectivity to on-premises SOAP endpoints, including SAP BAPIs.
 
If you aren't using SAP ECC and are only provisioning to SAP cloud services, skip to the next section.
 
1. **Confirm that the BAPIs needed for provisioning are published.** Expose the necessary APIs in SAP ECC NetWeaver 7.51 to create, update, and delete users. The [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) file named `Deploying SAP NetWeaver AS ABAP 7.pdf` walks through how you can expose the necessary APIs.
 
 
### Provision users to SAP ECC
 
Now that you have the users in Microsoft Entra ID, you can provision them into SAP on-premises.
 
If you aren't using SAP ECC, skip to the next section.
 
 
### Confirm that necessary BAPIs for SAP ECC are ready for use by Microsoft Entra
 
The Microsoft Entra provisioning agent and generic web services connector provides connectivity to on-premises SAP ECC SOAP endpoints, including SAP BAPIs.
 
If you aren't using SAP ECC and are only provisioning to SAP cloud services or SAP S/4HANA On-Premise, skip to the next section.
 
1. **Confirm that the BAPIs needed for provisioning are published.** Expose the necessary APIs in SAP ECC NetWeaver 7.51 to create, update, and delete users. The [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) file named `Deploying SAP NetWeaver AS ABAP 7.pdf` walks through how you can expose the necessary APIs.
 
 
### Provision users to SAP ECC
 
Now that you have the users in Microsoft Entra ID, you can provision them into SAP ECC on-premises.
 
If you aren't using SAP ECC, skip to the next section.
 
MODIFIED docs/identity/app-provisioning/on-premises-sap-connector-configure.md
Modified by Mark Wahl on Jan 7, 2026 6:37 PM
๐Ÿ“– View on learn.microsoft.com
+5 / -1 lines changed
Commit: add diagram
Changes:
Before
After
---
 
# Configuring Microsoft Entra ID to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later
The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you're using other versions of SAP R/3, you can still use the guides provided in the [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) download as a reference to build your own template for provisioning. If you are using SAP S/4HANA or other SAP SaaS applications, follow the [tutorial to configure SAP Cloud Identity Services for automatic user provisioning](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) instead. For more information on the SAP integrations, see [manage access to your SAP applications](~/id-governance/sap.md).
 
 
[!INCLUDE [app-provisioning-sap.md](~/includes/app-provisioning-sap.md)]
 
 
 
 
 
---
 
# Configuring Microsoft Entra ID to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later
The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you're using other versions of SAP R/3, you can still use the guides provided in the [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) download as a reference to build your own template for provisioning.
 
>[!NOTE]
>This article only covers provisioning to SAP ECC via the Microsoft Entra provisioning agent. If you are using SAP S/4HANA, including SAP S/4HANA On-Premise, or other SAP SaaS applications, follow the [tutorial to configure SAP Cloud Identity Services for automatic user provisioning](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) to provision to those applications via SAP Cloud Identity Services instead. For more information on the SAP integrations, see [manage access to your SAP applications](~/id-governance/sap.md).
 
:::image type="content" source="media/on-premises-sap-connector-configure/provisioning-to-sap-on-premises-apps.png" alt-text="Diagram of provisioning to SAP ECC and SAP S/4HANA On-Premise.":::
 
[!INCLUDE [app-provisioning-sap.md](~/includes/app-provisioning-sap.md)]
 
MODIFIED docs/identity/authentication/concept-fido2-hardware-vendor.md
Modified by Justinha on Jan 7, 2026 2:03 PM
๐Ÿ“– View on learn.microsoft.com
+3 / -3 lines changed
Commit: Added USB support for Hyper FIDO keys
Changes:
Before
After
---
title: Microsoft Entra ID attestation for FIDO2 security key vendors
description: Explains requirements to prepare FIDO2 hardware for attestation with Microsoft Entra ID
ms.date: 12/08/2025
ms.service: entra-id
ms.subservice: authentication
author: justinha
HID Crescendo Key V2|2d3bec26-15ee-4f5d-88b2-53622490270b|❌|✅|✅|❌
HID Crescendo Key V3|7991798a-a7f3-487f-98c0-3faf7a458a04|❌|✅|✅|❌
Hideez Key 4 FIDO2 SDK|4e768f2c-5fab-48b3-b300-220eb487752b|❌|✅|✅|✅
Hyper FIDO Bio Security Key|d821a7d4-e97c-4cb6-bd82-4237731fd4be|✅|❌|❌|❌
Hyper FIDO Pro|9f77e279-a6e2-4d58-b700-31e5943c6a98|❌|❌|❌|❌
Hyper FIDO Pro (CTAP2.1, CTAP2.0, U2F)|6999180d-630c-442d-b8f7-424b90a43fae|❌|✅|❌|❌
Hyper FIDO Pro NFC|23195a52-62d9-40fa-8ee5-23b173f4fb52|❌|✅|✅|❌
HYPR FIDO2 Authenticator|0076631b-d4a0-427f-5773-0ec71c9e0279|✅|❌|❌|❌
---
title: Microsoft Entra ID attestation for FIDO2 security key vendors
description: Explains requirements to prepare FIDO2 hardware for attestation with Microsoft Entra ID
ms.date: 01/07/2026
ms.service: entra-id
ms.subservice: authentication
author: justinha
HID Crescendo Key V2|2d3bec26-15ee-4f5d-88b2-53622490270b|❌|✅|✅|❌
HID Crescendo Key V3|7991798a-a7f3-487f-98c0-3faf7a458a04|❌|✅|✅|❌
Hideez Key 4 FIDO2 SDK|4e768f2c-5fab-48b3-b300-220eb487752b|❌|✅|✅|✅
Hyper FIDO Bio Security Key|d821a7d4-e97c-4cb6-bd82-4237731fd4be|✅|✅|❌|❌
Hyper FIDO Pro|9f77e279-a6e2-4d58-b700-31e5943c6a98|❌|✅|❌|❌
Hyper FIDO Pro (CTAP2.1, CTAP2.0, U2F)|6999180d-630c-442d-b8f7-424b90a43fae|❌|✅|❌|❌
Hyper FIDO Pro NFC|23195a52-62d9-40fa-8ee5-23b173f4fb52|❌|✅|✅|❌
HYPR FIDO2 Authenticator|0076631b-d4a0-427f-5773-0ec71c9e0279|✅|❌|❌|❌
MODIFIED docs/identity/monitoring-health/reference-reports-data-retention.md
Modified by csmulligan on Jan 7, 2026 12:48 PM
๐Ÿ“– View on learn.microsoft.com
+4 / -2 lines changed
Commit: Added FedRAMP and DoD info.
Changes:
Before
After
 
Log storage within Microsoft Entra varies by report type and license type. You can retain the audit and sign-in activity data for longer than the default retention period outlined in the previous table by routing it to an Azure storage account using Azure Monitor. For more information, see [Archive Microsoft Entra logs to an Azure storage account](./howto-archive-logs-to-storage-account.md).
 
In the [Microsoft Entra External ID Basic plan](https://azure-int.microsoft.com/pricing/details/microsoft-entra-external-id/), logs are retained for 7 days. For more information, see [Supported features in workforce and external tenants](/entra/external-id/customers/concept-supported-features-customers#activity-logs-and-reports). To retain logs for longer periods, use [Azure Monitor](/entra/external-id/customers/how-to-azure-monitor) in your external tenant.
 
### Activity reports
 
| Report | Microsoft Entra ID Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
> [!NOTE]
> Risky users and workload identities are not deleted until the risk has been remediated.
 
## Can I see last month's data after getting a premium license?
 
**No**, you can't. Azure stores up to seven days of activity data for a free version. When you switch from a free to a premium version, you can only see up to 7 days of data.
 
 
 
Log storage within Microsoft Entra varies by report type and license type. You can retain the audit and sign-in activity data for longer than the default retention period outlined in the previous table by routing it to an Azure storage account using Azure Monitor. For more information, see [Archive Microsoft Entra logs to an Azure storage account](./howto-archive-logs-to-storage-account.md).
 
### Activity reports
 
| Report | Microsoft Entra ID Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
> [!NOTE]
> Risky users and workload identities are not deleted until the risk has been remediated.
 
### Microsoft Entra External ID logs
 
In the [Microsoft Entra External ID Basic plan](https://azure-int.microsoft.com/pricing/details/microsoft-entra-external-id/), logs are retained for 7 days. For more information, see [Supported features in workforce and external tenants](/entra/external-id/customers/concept-supported-features-customers#activity-logs-and-reports). To retain logs for longer periods, use [Azure Monitor](/entra/external-id/customers/how-to-azure-monitor) in your external tenant.
 
## Can I see last month's data after getting a premium license?
 
**No**, you can't. Azure stores up to seven days of activity data for a free version. When you switch from a free to a premium version, you can only see up to 7 days of data.
MODIFIED docs/identity/monitoring-health/recommendation-remove-unused-apps.md
Modified by Sarah Lipsey on Jan 7, 2026 9:55 PM
๐Ÿ“– View on learn.microsoft.com
+1 / -4 lines changed
Commit: recommendations-maintenance-010726
Changes:
Before
After
ms.service: entra-id
ms.topic: how-to
ms.subservice: monitoring-health
ms.date: 04/09/2025
ms.author: sarahlipsey
ms.reviewer: saumadan
ms.custom: sfi-image-nochange
# Customer intent: As an IT Admin I need to know what applications haven't been used so I can remove them to improve security.
---
# Microsoft Entra recommendation: Remove unused applications (preview)
1. Select the **Resource** link to go directly to the app registration for the app.
- Alternatively, you can browse to **Entra ID** > **App registrations** and locate the application that was surfaced as part of this recommendation.
 
:::image type="content" source="media/recommendation-remove-unused-apps/app-registrations-list.png" alt-text="Screenshot of the Microsoft Entra app registration page." lightbox="media/recommendation-remove-unused-apps/app-registrations-list-expanded.png":::
 
### Determine if the application is needed
 
There are many reasons why an app might be unused. Consider the app's usage scenario and business function. For example:
ms.service: entra-id
ms.topic: how-to
ms.subservice: monitoring-health
ms.date: 01/07/2026
ms.author: sarahlipsey
ms.reviewer: saumadan
# Customer intent: As an IT Admin I need to know what applications haven't been used so I can remove them to improve security.
---
# Microsoft Entra recommendation: Remove unused applications (preview)
1. Select the **Resource** link to go directly to the app registration for the app.
- Alternatively, you can browse to **Entra ID** > **App registrations** and locate the application that was surfaced as part of this recommendation.
 
### Determine if the application is needed
 
There are many reasons why an app might be unused. Consider the app's usage scenario and business function. For example:
 
 
 
MODIFIED docs/id-protection/concept-identity-protection-risks.md
Modified by Sarah Lipsey on Jan 7, 2026 9:01 PM
๐Ÿ“– View on learn.microsoft.com
+2 / -3 lines changed
Commit: idp-risky-users-010725
Changes:
Before
After
ms.service: entra-id-protection
 
ms.topic: article
ms.date: 09/11/2025
 
author: shlipsey3
ms.author: sarahlipsey
 
- Calculated offline
- License requirement:
- Microsoft Entra ID P2 and a standalone license for Microsoft Defender for Cloud Apps
- Microsoft 365 E5 with Enterprise Mobility + Security E5
 
### Leaked credentials
 
### User reported suspicious activity
 
This risk detection is reported when a user denies a multifactor authentication (MFA) prompt andโ€ฏreports it as suspicious activity. An MFA prompt not initiated by a user might mean their credentials are compromised.
 
- Calculated offline
ms.service: entra-id-protection
 
ms.topic: article
ms.date: 01/07/2026
 
author: shlipsey3
ms.author: sarahlipsey
 
- Calculated offline
- License requirement:
- Microsoft 365 E5 with Enterprise Mobility + Security E5
 
### Leaked credentials
 
### User reported suspicious activity
 
This risk detection is reported when a user denies a multifactor authentication (MFA) prompt andโ€ฏreports it as suspicious activity. An MFA prompt not initiated by a user might mean their credentials are compromised. For this detection to work, you must have the **Report suspicious activity** feature turned on. For more information, see [Configure Microsoft Entra MFA settings](../identity/authentication/howto-mfa-mfasettings.md#report-suspicious-activity).
 
- Calculated offline
- License requirement: Microsoft Entra ID P2
MODIFIED docs/id-protection/concept-identity-protection-policies.md
Modified by Sarah Lipsey on Jan 7, 2026 9:01 PM
๐Ÿ“– View on learn.microsoft.com
+2 / -2 lines changed
Commit: idp-risky-users-010725
Changes:
Before
After
description: Identifying risk-based Conditional Access policies
ms.service: entra-id-protection
ms.topic: conceptual
ms.date: 10/30/2025
author: shlipsey3
ms.author: sarahlipsey
manager: pwongera
 
- [Microsoft Entra ID P2](https://www.microsoft.com/security/business/microsoft-entra-pricing) is required to use the Microsoft-managed remediation policy.
- The **Require Risk Remediation** setting remediates user risk, not sign-in risk.
- If a user is assigned to both a policy with **Require Risk Remediation** and another policy with **Require Password Change** or **Block** a conflict will occur, causing the user to be forced through all policies or blocked. Ensure each user is assigned to only one such policy at a time.
- **Require authentication strength** and **Sign-in frequency - Every time** are automatically applied to the policy for two reasons:
- Users need to be prompted to reauthenticate after their sessions are revoked.
- Requiring auth strength ensures that password-based and passwordless users are covered by the policy.
description: Identifying risk-based Conditional Access policies
ms.service: entra-id-protection
ms.topic: conceptual
ms.date: 01/07/2026
author: shlipsey3
ms.author: sarahlipsey
manager: pwongera
 
- [Microsoft Entra ID P2](https://www.microsoft.com/security/business/microsoft-entra-pricing) is required to use the Microsoft-managed remediation policy.
- The **Require Risk Remediation** setting remediates user risk, not sign-in risk.
- If a user is assigned to both a policy with **Require Risk Remediation** and another policy with **Require Password Change** or **Block**, a conflict will occur, causing the user to be forced through all policies or blocked. Ensure each user is assigned to only one such policy at a time.
- **Require authentication strength** and **Sign-in frequency - Every time** are automatically applied to the policy for two reasons:
- Users need to be prompted to reauthenticate after their sessions are revoked.
- Requiring auth strength ensures that password-based and passwordless users are covered by the policy.
MODIFIED docs/id-protection/howto-identity-protection-remediate-unblock.md
Modified by Sarah Lipsey on Jan 7, 2026 9:01 PM
๐Ÿ“– View on learn.microsoft.com
+1 / -1 lines changed
Commit: idp-risky-users-010725
Changes:
Before
After
 
### Self-remediation of user risk
 
If a user is prompted to use self-service password reset (SSPR) to remediate user risk, they are prompted to update their password as shown in the [Microsoft Entra ID Protection user experience](concept-identity-protection-user-experience.md) article. Once they update their password, the user risk is remediated. The user can then proceed to sign in with their new password. The risk state and risk details for the user, sign-ins, and corresponding risk detections are updated as follows:
 
- Risk state: "At risk" -> "Remediated"
- Risk detail: "-" -> "User performed secured password reset"
 
### Self-remediation of user risk
 
If a user is prompted to use self-service password reset (SSPR) to remediate user risk, they are prompted to update their password as shown in the [Microsoft Entra ID Protection user experience](concept-identity-protection-user-experience.md) article. Once they update their password, the user risk is remediated. A secure password change (MFA and password change) can also remediate user risk. The user can then proceed to sign in with their new password. The risk state and risk details for the user, sign-ins, and corresponding risk detections are updated as follows:
 
- Risk state: "At risk" -> "Remediated"
- Risk detail: "-" -> "User performed secured password reset"

๐Ÿค– This report was automatically generated by the Entra Docs Monitor

๐Ÿ“ง Delivered to merill@merill.net

๐Ÿ”— Visit Repository