TaylerL-4666 asked ShwetaMathur answered

Understanding Risk Status (Identity Protection)

If a user has activity that raises their risk level, but the identity protection policies (user & sign-in) in place effectively block access - does this mean the attempted access would have otherwise been successful? In other words - has the user's password been compromised and needs reset?

Trying to figure out if it's necessary to reset the user's password for each increase in risk status. For example, all I see right now is a status of 'Failure' with a reason "Access policy does not allow token issuance." - doesn't tell me much regarding the finer login details.

azure-ad-identity-protection

1 Answer

ShwetaMathur answered

Hi @TaylerL-4666,
Thanks for reaching out, and apologies for the delay in response.

From your query, I understand you are looking for clarity on how identity protection policies work in the case of risky users detected by Microsoft’s threat intelligence.

Identity Protection risks can be categorized as:
• User risk - such as credentials that are known to have been leaked or compromised, or
• Sign-in risk - related to the circumstances of the attempt to sign in, like the attempt coming from an anonymous IP address or a location that’s not usual for that account.

You can configure risk policies to automatically enforce remediation steps, or you can view reports of risky users and risky sign-in attempts for manual remediation.

Risk policies offer remediation controls that include allow access, block access, allow access but require multi-factor authentication (MFA), or allow access but require a password change (depending on the policy type).
As mentioned in your query, if identity protection were not in place for a high-risk user, an attacker could reset the password or complete multi-factor authentication for the user. So, in that case it is recommended to block access rather than apply another control action.

It is not always required to reset the password for each user. Based on your investigation, you can decide to take action to remediate the risk, or to block or unblock the users.

You can also trace the login events in Azure AD.
• Search for the user by typing into the search box and click on the user's name
• Click Sign-in logs under Activity
• Click on the failed event in the list
• Select the Conditional access tab to see which policy and settings have been applied, and based on that take action to remediate the user.

Hope this will help.

Thanks,
Shweta

Please remember to "Accept Answer" if answer helped you.
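
As an added example (not part of the question or the answer above), the Python below triages sign-in records in the shape Microsoft Graph returns for Azure AD sign-in logs (`status.errorCode`, `riskLevelDuringSignIn`, `appliedConditionalAccessPolicies`) to separate "the password was accepted and Conditional Access blocked the token" from "the password was wrong". It relies on one fact the answer does not spell out: Conditional Access is evaluated only after first-factor authentication succeeds, so AADSTS53003 ("Access policy does not allow token issuance") implies the credential was valid. The sample records are constructed, not real tenant data.

```python
"""Triage Azure AD sign-in records: does a blocked, risky sign-in imply the
password itself was accepted? Added example; the sample data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# AADSTS error codes the triage understands; 0 means the sign-in succeeded.
BLOCKED_BY_CA = 53003        # "Access has been blocked by Conditional Access policies"
INVALID_CREDENTIALS = 50126  # "Invalid username or password"


@dataclass
class Triage:
    user: str
    password_validated: Optional[bool]  # None = cannot tell from this record
    verdict: str
    blocking_policies: list = field(default_factory=list)


def triage_sign_in(event: dict) -> Triage:
    """Classify one Microsoft Graph 'signIn'-shaped record."""
    user = event["userPrincipalName"]
    status = event.get("status", {})
    code = status.get("errorCode", 0)
    risk = event.get("riskLevelDuringSignIn", "none")
    # Policies whose result is "failure" are the ones that denied access.
    blocking = [p["displayName"] for p in event.get("appliedConditionalAccessPolicies", [])
                if p.get("result") == "failure"]
    if code == 0:
        if risk in ("medium", "high"):
            return Triage(user, True, "risky sign-in SUCCEEDED: reset password, revoke sessions", blocking)
        return Triage(user, True, "sign-in succeeded at low/no risk", blocking)
    if code == BLOCKED_BY_CA:
        # Conditional Access runs only after the first factor succeeds, so the
        # password was accepted before the policy refused to issue a token.
        return Triage(user, True, "password accepted, blocked by Conditional Access: reset password", blocking)
    if code == INVALID_CREDENTIALS:
        return Triage(user, False, "wrong password supplied: no evidence the credential is known", blocking)
    return Triage(user, None, f"review manually: {status.get('failureReason') or 'unknown'}", blocking)


# Constructed sample records (not real tenant data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "riskLevelDuringSignIn": "high",
     "status": {"errorCode": 53003, "failureReason": "Access policy does not allow token issuance."},
     "appliedConditionalAccessPolicies": [{"displayName": "Block high-risk sign-ins", "result": "failure"}]},
    {"userPrincipalName": "bob@contoso.example", "riskLevelDuringSignIn": "medium",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "carol@contoso.example", "riskLevelDuringSignIn": "high",
     "status": {"errorCode": 0, "failureReason": None},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}]},
]


def triage_all(events=SAMPLE_SIGN_INS) -> list:
    return [triage_sign_in(e) for e in events]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.user}: password_validated={t.password_validated}; {t.verdict}; blocked by {t.blocking_policies}")
```

Against a real tenant, feed the function the `value` array from a Graph `/auditLogs/signIns` export filtered on `riskState eq 'atRisk'`; the portal path in the answer shows the same fields per event.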

