
Running Remediation Actions for Microsoft Entra ID Issues

The Entra ID Remediation Action feature enables you to automatically run remediation actions for risky Entra ID identities, directly from the Zscaler ITDR Admin Portal. Automatically remediating risky identities improves the security posture of the Entra ID tenant. You can run a remediation action for a specific identity or for multiple identities (in bulk).

The following remediation actions can be run from the ITDR Admin Portal. ITDR runs these remediation actions in the background via single or multiple API calls to the Entra ID tenant.

| Remediation Action Name | Action Description | Bulk Remediation Supported? |
|---|---|---|
| Disable User | Changes the accountEnabled attribute of the Entra ID identity to false. | Yes |
| Revoke Session | Revokes Entra ID active user sessions to ensure any potentially compromised sessions are terminated. This remediation action doesn’t revoke guest user sessions. | Yes |
| Enforce MFA | Creates a conditional access policy in the Entra ID tenant that requires users to use multi-factor authentication (MFA) for all applications. The conditional policy is created for the first user only. Subsequent users are appended to the existing policy. The policy ID is saved in the Entra ID tenant’s database. Run this remediation action with caution on administrative accounts to avoid locking yourself out of the account. | Yes |
| Enforce phishing-resistant MFA | Creates a conditional access policy in the Entra ID tenant that requires users to use MFA for all applications. FIDO2 keys or similar authentication methods are used. The conditional policy is created for the first user only. Subsequent users are appended to the existing policy. The policy ID is saved in the Entra ID tenant’s database. You can run this remediation action on global admin-level users only. Also, run this remediation action with caution on administrative accounts to avoid locking yourself out of the account. | Yes |
| Remove Active Role Assignment | Removes one or more role assignments from the active user. This remediation action is available for a specific identity only. You cannot run this remediation action on multiple identities (bulk). | No |
| Remove Group Membership | Removes one or more group memberships. You cannot run this remediation action on a group with dynamic memberships. This remediation action is available for a specific identity only. You cannot run this remediation action on multiple identities (bulk). | No |
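
The "created for the first user only, subsequent users are appended" behavior of Enforce MFA, together with the lockout caution, can be modeled as Microsoft Graph requests. The following is an added example, not Zscaler's code: it assumes the Graph v1.0 conditional access policy endpoint, and the display name and break-glass account IDs are hypothetical. It only builds the requests and sends nothing.

```python
# Added illustration: models "create once, then append" as Microsoft Graph
# requests. Not Zscaler's implementation; nothing is sent over the network.
GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
POLICY_NAME = "Example - Enforce MFA (remediation)"  # hypothetical display name


def plan_enforce_mfa(user_id, existing_policy=None, break_glass_ids=()):
    """Return (method, url, body) for putting one user under the MFA policy.

    existing_policy: the policy dict previously returned by Graph, or None
    if no policy exists yet (the "first user" case).
    break_glass_ids: emergency-access accounts that must never be included.
    """
    if user_id in break_glass_ids:
        # Lockout guard: never force MFA policy onto an emergency account.
        raise ValueError(f"{user_id} is a break-glass account; not including it")

    if existing_policy is None:
        # First user: create the policy, targeting all cloud applications.
        body = {
            "displayName": POLICY_NAME,
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": [user_id],
                          "excludeUsers": sorted(break_glass_ids)},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["all"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        }
        return "POST", GRAPH, body

    # Subsequent users: send the full membership list (existing plus new),
    # since a list value in a PATCH body replaces the stored list.
    users = existing_policy["conditions"]["users"]
    included = list(users.get("includeUsers", []))
    if user_id not in included:  # keep the operation idempotent
        included.append(user_id)
    excluded = sorted(set(users.get("excludeUsers", [])) | set(break_glass_ids))
    body = {"conditions": {"users": {"includeUsers": included,
                                     "excludeUsers": excluded}}}
    return "PATCH", f"{GRAPH}/{existing_policy['id']}", body
```

Setting `"state"` to `"enabledForReportingButNotEnforced"` in the create body lets you review the policy's effect in sign-in logs before it is enforced.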

To run remediation actions for Entra ID issues:

  1. Go to ITDR > Entra ID.
  2. On the Entra ID Dashboard:
    1. Select an Entra ID tenant from the Result for drop-down menu.
    2. Select a timestamp from the scanned on drop-down menu.

      The scan result for the Entra ID tenant appears.

  3. Do one of the following:
  4. In the confirmation window, click OK.

    The remediation is applied successfully.

You can view the remediation logs or history for further analysis.
