Remediate a compliance gap automatically
Close a failing control with Veri-Guard auto-remediation, using a JIT write consent that auto-revokes.
Before you start
- •Enterprise plan (Guard auto-remediation is Enterprise-only)
- •A completed scan with at least one failing control
- •Global Administrator available for the JIT write consent
What you'll have at the end
A previously failing control now passing, with an audit entry showing exactly what was changed.
Walkthrough
- 1
Open a failing control
From the Compliance Hub, click any failing control in the per-domain breakdown.
Control detail view showing "Fail" status, severity, and the frameworks it satisfies. - 2
Click "Remediate"
If the control is auto-remediable, the Remediate button is active. Controls that require a manual runbook show "Generate Runbook" instead.
Control detail view with the Remediate button highlighted. Note
330+ controls support auto-remediation today. The rest generate a step-by-step runbook instead.
- 3
Review the proposed change
A diff view shows the exact setting that will change, from/to values, and which users or groups it applies to.
Remediation diff preview with current value, proposed value, and assignment scope. - 4
Approve the JIT write consent
If you have not already granted write consent in this session, Microsoft prompts for a narrowly-scoped write permission. It auto-revokes after the remediation completes.
Microsoft consent prompt for the JIT write app with a scoped permission list. Heads up
Conditional Access changes deploy in report-only mode by default. Confirm impact before switching to enforced.
- 5
Watch the change apply
Progress shows live. A successful remediation flips the control to Pass and adds an entry to the Audit Log.
Remediation complete state with control now showing Pass and an audit log entry.