Conditional Access policies stuck in report-only
Detects Conditional Access policies that have been in report-only mode for more than 30 days without being enforced.
How to fix it
Report-only is a short-term validation state. Move the policy to "On" to enforce it, or delete it if no longer needed.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Policy.Read.All
Further reading
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
Get started — free first scan →