Running Remediation Actions for Microsoft Entra ID Issues
The Entra ID Remediation Action feature enables you to run remediation actions for risky Entra ID identities automatically, directly from the Zscaler ITDR Admin Portal. Automatically remediating risky identities improves the security posture of the Entra ID tenant. You can run a remediation action for a single identity or for multiple identities at once (in bulk).
The following remediation actions can be run from the ITDR Admin Portal. ITDR runs these remediation actions in the background via single or multiple API calls to the Entra ID tenant.
| Remediation Action Name | Action Description | Bulk Remediation Supported? |
|---|---|---|
| Disable User | Changes the accountEnabled attribute of the Entra ID identity to false. | Yes |
| Revoke Session | Revokes Entra ID active user sessions to ensure any potentially compromised sessions are terminated. This remediation action doesn't revoke guest user sessions. | Yes |
| Enforce MFA | Creates a conditional access policy in the Entra ID tenant that enforces users to use multi-factor authentication (MFA) for all applications. The conditional access policy is created for the first user only. Subsequent users are appended to the existing policy. The policy ID is saved in the Entra ID tenant's database. Run this remediation action with caution on administrative accounts to avoid locking yourself out of the account. | Yes |
| Enforce phishing-resistant MFA | Creates a conditional access policy in the Entra ID tenant that enforces users to use MFA for all applications. FIDO2 keys or similar authentication methods are used. The conditional access policy is created for the first user only. Subsequent users are appended to the existing policy. The policy ID is saved in the Entra ID tenant's database. You can run this remediation action on global admin-level users only. Also, run this remediation action with caution on administrative accounts to avoid locking yourself out of the account. | Yes |
| Remove Active Role Assignment | Removes one or more role assignments from the active user. This remediation action is available for a specific identity only. You cannot run this remediation action on multiple identities (bulk). | No |
| Remove Group Membership | Removes one or more group memberships. You cannot run this remediation action on a group with dynamic memberships. This remediation action is available for a specific identity only. You cannot run this remediation action on multiple identities (bulk). | No |
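The table describes what each action changes in the tenant; the example below shows the Microsoft Graph requests that correspond to three of them (Disable User, Revoke Session, Enforce MFA / Enforce phishing-resistant MFA), including the "first user creates the policy, later users are appended" behaviour. This is added example code, not Zscaler's implementation. It assumes Graph v1.0 endpoints, a bearer token with User.ReadWrite.All and Policy.ReadWrite.ConditionalAccess obtained elsewhere, an assumed policy display name, and an authentication strength ID that you look up from /identity/conditionalAccess/authenticationStrength/policies (the built-in "Phishing-resistant MFA" strength). The operator-lockout guard is an addition motivated by the table's caution, not a portal feature.

```python
"""Graph-level equivalents of the ITDR remediation actions listed above.
Added example; not Zscaler's implementation. Assumes Microsoft Graph v1.0
and a bearer token with User.ReadWrite.All and
Policy.ReadWrite.ConditionalAccess (token acquisition is out of scope)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_NAME = "ITDR remediation: enforce MFA"  # assumed name, not the portal's


def disable_user(user_id):
    # Disable User: set accountEnabled to false on the user object.
    return ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})


def revoke_sessions(user_id):
    # Revoke Session: invalidates refresh tokens and browser session cookies.
    return ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)


def _grant_controls(phishing_resistant, strength_id):
    # Plain MFA uses the built-in "mfa" control; phishing-resistant MFA
    # references an authentication strength (FIDO2, certificate-based, etc.).
    if phishing_resistant:
        return {"operator": "OR", "authenticationStrength": {"id": strength_id}}
    return {"operator": "OR", "builtInControls": ["mfa"]}


def enforce_mfa(user_ids, operator_id, existing_policy=None,
                phishing_resistant=False, strength_id=None):
    """Return the Graph request that enforces MFA for user_ids.

    First call (existing_policy is None): create a policy scoped to those
    users for all applications. Later calls: append the users to the saved
    policy's includeUsers, mirroring the table's behaviour. operator_id is
    the object id of the account running the remediation; it is refused as
    a target (guard added here) so the administrator is not locked out.
    """
    targets = list(dict.fromkeys(user_ids))  # dedupe, keep order
    if operator_id in targets:
        raise ValueError("refusing to scope the policy to the operator's own account")
    if phishing_resistant and not strength_id:
        raise ValueError("phishing-resistant MFA needs an authentication strength id")
    if existing_policy is None:
        body = {
            "displayName": POLICY_NAME,
            "state": "enabled",
            "conditions": {
                "applications": {"includeApplications": ["All"]},
                "users": {"includeUsers": targets},
            },
            "grantControls": _grant_controls(phishing_resistant, strength_id),
        }
        return ("POST", f"{GRAPH}/identity/conditionalAccess/policies", body)
    # Append: nested objects are replaced on PATCH, so resend the whole
    # conditions block with the merged user list.
    current = existing_policy["conditions"]["users"].get("includeUsers", [])
    merged = list(dict.fromkeys(current + targets))
    body = {"conditions": {
        "applications": existing_policy["conditions"]["applications"],
        "users": {"includeUsers": merged},
    }}
    url = f"{GRAPH}/identity/conditionalAccess/policies/{existing_policy['id']}"
    return ("PATCH", url, body)


def send(request, token):
    """Execute one request tuple against Graph; returns (status, parsed body)."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Constructed object ids; nothing is sent without calling send().
    print(disable_user("11111111-aaaa-4bbb-8ccc-000000000001"))
    print(enforce_mfa(["11111111-aaaa-4bbb-8ccc-000000000001"],
                      operator_id="22222222-aaaa-4bbb-8ccc-000000000002"))
```

To actually apply an action, pass the returned tuple to `send()` with a valid token; the policy ID returned by the first POST is what you would persist (the portal stores it in the tenant's database) and feed back as `existing_policy` on later runs.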
To run remediation actions for Entra ID issues:
- Go to ITDR > Entra ID.
- On the Entra ID Dashboard:
  - Select an Entra ID tenant from the Result for drop-down menu.
  - Select a timestamp from the scanned on drop-down menu.
  The scan result for the Entra ID tenant appears.
- Do one of the following:
  - Run a remediation action for a specific risky identity:
    - On the Summary tab, click Actions, and then select an appropriate remediation action. For example, select Remove Active Role Assignment.
    - Select a role.
    - Click Save.
  - Run a remediation action for multiple risky identities:
    - Do one of the following:
      - Under Detailed Findings and Recommendations, click an issue.
      - Under Top 10 Identities, click an identity, and then select the Posture tab.
    - Scroll down to the Who is affected? table, and then select more than one risky identity.
    - Click Actions, and then select an appropriate remediation action. For example, select Enforce MFA.
- In the confirmation window, click OK.
The remediation is applied successfully. You can view the remediation logs or history for further analysis.