No Conditional Access policy uses sign-in risk signals
The tenant has Entra ID P2 but no enabled Conditional Access policy consumes sign-in risk levels. Risky sign-ins (anonymous IP, unfamiliar location, token replay) go unchallenged.
How to fix it
Create a Conditional Access policy that requires MFA (or blocks sign-in) when sign-in risk is Medium or High. Scope it to all users and exclude break-glass accounts.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permission to evaluate this rule:
Policy.Read.All
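The check below is an added example, not EntraAnalyzer's own code: it evaluates policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (readable with Policy.Read.All) against the fix described above. The function names, the sample policies and the bg-0001 object ID are constructed for illustration, and grants made through authenticationStrength are assumed out of scope.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# resource; the policies and object IDs below are constructed sample data.
REQUIRED_LEVELS = {"medium", "high"}
STRONG = {"mfa", "block"}

def gaps(policy, break_glass_ids):
    """Return the reasons a policy does not satisfy the rule ([] = satisfies it)."""
    reasons = []
    if policy.get("state") != "enabled":  # report-only policies challenge nobody
        reasons.append(f"state is {policy.get('state')}")
    cond = policy.get("conditions") or {}
    missing = REQUIRED_LEVELS - set(cond.get("signInRiskLevels") or [])
    if missing:
        reasons.append("risk levels not covered: " + ", ".join(sorted(missing)))
    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        reasons.append("not scoped to all users")
    excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
    if set(break_glass_ids) - excluded:
        reasons.append("break-glass account not excluded")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    # Operator OR: any one control satisfies the policy, so every alternative must
    # be MFA or block. Assumption: authenticationStrength grants are not evaluated.
    any_one = grant.get("operator") == "OR"
    ok = (bool(controls) and controls <= STRONG) if any_one else bool(controls & STRONG)
    if not ok:
        reasons.append("grant controls do not force MFA or block")
    return reasons

def tenant_passes(policies, break_glass_ids):
    return any(not gaps(p, break_glass_ids) for p in policies)

def make_policy(name, state, levels, controls, operator="OR", exclude=("bg-0001",)):
    return {"displayName": name, "state": state,
            "conditions": {"signInRiskLevels": levels,
                           "users": {"includeUsers": ["All"], "excludeUsers": list(exclude)}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

BREAK_GLASS = ["bg-0001"]  # constructed placeholder object ID
SAMPLE = [
    make_policy("Risk MFA (pilot)", "enabledForReportingButNotEnforced", ["medium", "high"], ["mfa"]),
    make_policy("Risk MFA high only", "enabled", ["high"], ["mfa"]),
    make_policy("Risk MFA or device", "enabled", ["medium", "high"], ["mfa", "compliantDevice"]),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], "->", gaps(p, BREAK_GLASS))
    print("tenant passes:", tenant_passes(SAMPLE, BREAK_GLASS))
```

All three sample policies reference sign-in risk yet the tenant still fails: one is report-only, one ignores Medium risk, and one lets a compliant device stand in for MFA.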