No Conditional Access policy uses user-risk signals
The tenant has Entra ID P2 but no enabled Conditional Access policy consumes user-risk levels from Identity Protection. Compromised accounts therefore trigger no automated response.
How to fix it
Create a Conditional Access policy that targets High user risk and either requires a secure password change or blocks sign-in. Scope the policy to all users and exclude break-glass accounts.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Policy.Read.All
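A check along the lines this rule describes, as an added example that is not EntraAnalyzer's own logic: it takes policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (readable with Policy.Read.All) and goes beyond the rule by also verifying the fix's recommendations (High risk, block or password change, all users, break-glass exclusion). The function name, the sample policies and the break-glass object ID are constructed for illustration.

```python
# Added example; policy dicts follow the Graph conditionalAccessPolicy shape.
ENFORCING = {"block", "passwordChange"}  # the two responses named in the fix
def user_risk_findings(policies, break_glass_ids=()):
    """Return (covered, notes) for a list of conditionalAccessPolicy dicts."""
    covered, notes = False, []
    for p in policies:
        cond = p.get("conditions") or {}
        levels = set(cond.get("userRiskLevels") or [])
        if not levels:
            continue  # policy does not consume user risk
        name = p.get("displayName", "?")
        if p.get("state") != "enabled":  # disabled or report-only enforces nothing
            notes.append(f"{name}: uses user risk but state is {p.get('state')}")
            continue
        if "high" not in levels:
            notes.append(f"{name}: user risk levels omit 'high'")
            continue
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        if not controls & ENFORCING:
            notes.append(f"{name}: no block or passwordChange control")
            continue
        users = cond.get("users") or {}
        if "All" not in (users.get("includeUsers") or []):
            notes.append(f"{name}: not scoped to all users")
            continue
        # Assumption: break-glass accounts are excluded by object id, not by group.
        missing = set(break_glass_ids) - set(users.get("excludeUsers") or [])
        if missing:
            notes.append(f"{name}: break-glass not excluded: {sorted(missing)}")
        covered = True
    return covered, notes

BREAK_GLASS = ["00000000-0000-0000-0000-0000000000b1"]  # constructed placeholder id
SAMPLE = [  # constructed tenant state that triggers the finding
    {"displayName": "Report-only user risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"userRiskLevels": ["high"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for all users", "state": "enabled",
     "conditions": {"userRiskLevels": [], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
FIXED = SAMPLE + [{  # constructed policy matching the fix
    "displayName": "High user risk: password change", "state": "enabled",
    "conditions": {"userRiskLevels": ["high"],
                   "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS}},
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}}]

if __name__ == "__main__":
    print(user_risk_findings(SAMPLE, BREAK_GLASS), user_risk_findings(FIXED, BREAK_GLASS))
```

The report-only policy in the sample is listed in the notes but does not count as coverage, because only a policy in the enabled state produces a response to a risky account.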
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.