Low

Disabled Conditional Access policies

Identifies Conditional Access policies that are in the "disabled" state and may indicate abandoned or obsolete protection.

Category: Authentication
Default severity: Low
Rule key: CHECK_CA_DISABLED_POLICIES
Last updated: April 17, 2026

How to fix it

Review disabled policies. Re-enable them, move to report-only for validation, or delete them to reduce policy sprawl.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

Policy.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →