The user flagged for risk receives an email from Identity Protection
When a new risk event is identified, the user flagged for risk receives an email from Identity Protection.
If the user does not recognize this event, the user can change his or her password by following the link provided in the email without going through the administrators.
I totally agree, I really can't understand this option is not available. Why should an administrator review all those events? The risk events should be send to the affected user.
Jun Takata commented
So... curerntly, if users are flagged for risky signins, administrators need to take actions to confirm they are regitimete sign in or not before resolving the incident. As damiura suggested, if emai is sent to users from Identity Protection and the users can confirm or change password by theymselves, administration burden will be reduced.