Remediation settings and performance

  • Last update on August 13th, 2025

Table of Contents

Remediation elements

Remediation in CoreView consists of three element types: alerts, actions, and attestations.

  • Alert: sends an email to the designated stakeholder or manager containing details on the policy violation and remediation instructions for the affected item.
    • Example: the predefined policyUsers without default MFA method” in the Security & Identity Playbook sends users an email with a link to the MFA enrollment portal and instructions for selecting a default authentication method.
  • Action: executes specified automation steps such as attribute changes, disabling accounts, or enforcing password resets for objects matching the policy criteria.
    • Example: the predefined policy “Admin on Cloud without strong password” in the Security & Identity Playbook uses the “Set password required” action to enforce a password reset for affected admins. The new password must meet the organization’s configured complexity requirements.
  • Attestation: pauses the remediation workflow to request approval via email from a designated manager or stakeholder. Subsequent remediation steps execute only upon approval via the attestation portal.
    • Example: the predefined policy “Inactive Microsoft 365 E3 Plan” in the License Management Playbook sends an approval request email to the manager with a 15-day expiration. If approved, the workflow removes the license, converts the mailbox to shared, assigns the manager account access, and updates OneDrive ownership.

Attestation steps are integrated into remediation workflows and require approval before subsequent actions are triggered. Alerts are notification-only and are not represented as actions in the workflow.

 

Remediation process

Remediation can be configured in several operational modes:

  1. Alert only
    • Example: the “Users without default MFA method” policy sends an email notification to affected users with remediation steps but does not trigger any automatic change.
  2. Action only
    • Example: the “Empty Teams groups” policy in the Teams Management Playbook applies archive or delete operations to Teams groups with zero members, according to policy configuration; no alert or attestation is sent.
  3. Attestation before action
    • Example: for “Inactive Microsoft 365 E3 Plan”, the workflow requests manager approval via attestation email; upon confirmation, workflow actions execute (license removal, mailbox conversion, etc.).

Monitoring remediation progress

  • If no specific objects are selected before remediation, workflows execute actions for all objects matching the policy filter.
  • When a policy is run manually or automatically on its recurrence schedule, a notification is displayed in the Task Notifications panel for each processed object, indicating remediation status and results.

Related Articles

DID THIS PAGE HELP YOU?