How remediation is performed

  • Last update on September 1st, 2023

Understand how remediation works

As explained in the previous article, remediation can involve alerts, actions, and attestations. So, a remediation can:

Simply send an alert

For example, the Out-of-the-Box policy “Users without default MFA method” in the Security & Identity playbook will email the user asking them to complete the MFA enrollment process and identify a default authentication method.

Execute an action without sending an alert

For example, the remediation for the “Empty Teams groups” Out-of-the-Box policy in the Teams Management playbook involves archiving or removing detected Teams groups that have no members. In this case, no attestation is requested, and no alert is sent.

Request an attestation before executing the action

For example, the remediation process for the Out-of-the-Box “Inactive Microsoft 365 E3 Plan” policy in the License Management playbook involves sending an email to the inactive account's manager (or another custom account) asking them to confirm within 15 days whether the license is needed. If confirmed, the process removes the license, converts the user's mailbox to a shared mailbox, grants the manager permission to access it, and adds the manager as the new owner of the user's OneDrive.

Learn how to configure remediation for Out-of-the-Box policies.

Monitor remediation progress

If you do not select specific items before running a remediation, the remediation action will be executed for each matched item. 

As a result, after manually running a policy or when the policy runs automatically according to the set recurrence schedule, you will see a notification in the “Task notifications” panel for each executed workflow, that is, for each detected matched item.

Discover how to monitor policy execution.