
Microsoft 365 | Users with Risk Policy Disabled

Actionable Alerts, M365, Microsoft, Risk Policy, Microsoft 365, Policy Disabled, Alerts

Updated over 2 weeks ago

Overview ✨

This article explains the alert Microsoft 365 | Users with Risk Policy Disabled, which indicates one or more active users are not protected by a User Risk Conditional Access Policy.

User Risk Policies evaluate the likelihood that an account is compromised (based on signals such as leaked credentials or unusual activity). When triggered, these policies can enforce security responses such as requiring Multi-Factor Authentication (MFA) or blocking access until the risk is remediated.

This Liongard alert is driven by Microsoft Secure Score evaluations and highlights a potential exposure when users are excluded from User Risk Policies. Even a single unprotected account can create a gap in conditional access coverage and increase organizational risk.



Why Does This Happen? 🤔

Microsoft Secure Score evaluates coverage of the User Risk Policy control. The metric used by Liongard is:

SecureScores.controlScores[?controlName == `UserRiskPolicy`].subtract(to_number(total), to_number(count)) | [0]

In plain terms:

  • total = number of users expected to be protected

  • count = number of users actually covered by the policy

  • total − count = number of users left unprotected

If the result is greater than 0, the alert fires. Secure Score treats anything less than full coverage as incomplete protection, so even one uncovered user will trigger this alert.

Common causes

  • Conditional Access / Identity Protection policies scoped only to specific groups or users.

  • Service or “break-glass” accounts intentionally excluded from protection.

  • Newly created users not yet added to protected groups.

  • Misconfigured assignments in Microsoft Entra ID Identity Protection.


Steps to Resolve 👨‍💻

Option 1: Use Microsoft Entra Admin Center

  1. Go to ID Protection → Conditional Access → Policies (or your tenant’s Conditional Access location).

  2. Locate your User Risk policy.

  3. Under Assignments → Users, verify whether All users is selected.

    • If only specific groups are included, review them carefully.

    • Check the Exclude section for intentional or accidental exclusions.

  4. If groups are used, open each group and confirm membership.

  5. Export the assigned group members and compare them to a full export of Active Users to identify gaps.
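The comparison in step 5 can be scripted once both exports are in hand. The following is an added example, not Liongard or Microsoft code: the keys includeUsers, includeGroups, excludeUsers and excludeGroups mirror the user conditions of a Conditional Access policy in Microsoft Graph, while the users, groups and policy are constructed, and UPNs and group names stand in for the object IDs a real export contains.

```python
# Added example: finds active users a User Risk policy does not cover.
# All users, groups and the policy below are constructed sample data.

def coverage_gaps(policy_users, group_members, active_users):
    """Return {upn: reason} for each active user the policy does not cover."""
    def expand(groups):
        # Flatten the membership of every listed group into one set.
        return {m for g in groups for m in group_members.get(g, ())}

    include_users = set(policy_users.get("includeUsers", []))
    included_via_group = expand(policy_users.get("includeGroups", []))
    exclude_users = set(policy_users.get("excludeUsers", []))
    excluded_via_group = expand(policy_users.get("excludeGroups", []))

    gaps = {}
    for upn in sorted(active_users):
        # Exclusions take precedence over inclusions in Conditional Access.
        if upn in exclude_users:
            gaps[upn] = "excluded directly"
        elif upn in excluded_via_group:
            gaps[upn] = "excluded via group"
        elif not ("All" in include_users or upn in include_users
                  or upn in included_via_group):
            gaps[upn] = "not in any included user or group"
    return gaps


# Constructed stand-ins for the Active Users export and the group exports.
ACTIVE_USERS = {"alice@contoso.example", "bob@contoso.example",
                "carol@contoso.example", "breakglass@contoso.example",
                "newhire@contoso.example"}
GROUP_MEMBERS = {
    "grp-staff": {"alice@contoso.example", "bob@contoso.example",
                  "carol@contoso.example"},
    "grp-emergency": {"breakglass@contoso.example"},
    "grp-contractors": {"carol@contoso.example"},
}
# A policy scoped to one group, with two excluded groups.
SCOPED_POLICY = {"includeUsers": [], "includeGroups": ["grp-staff"],
                 "excludeUsers": [],
                 "excludeGroups": ["grp-emergency", "grp-contractors"]}

if __name__ == "__main__":
    gaps = coverage_gaps(SCOPED_POLICY, GROUP_MEMBERS, ACTIVE_USERS)
    for upn, reason in gaps.items():
        print(f"{upn}: {reason}")
    print(f"unprotected users: {len(gaps)}")
```

Each entry in the result maps to one of the common causes listed earlier: an intentional exclusion, an accidental exclusion through group membership, or a new user who was never added to a protected group.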

Option 2: Review and Resolve on Microsoft 365 Security Center

  1. Select the "Recommended actions" tab on the dashboard.

  2. Select "Enable Microsoft Entra ID Identity Protection user risk policies".

  3. Review the information available for additional insight into the current scope of the policy, such as Implementation status and User impact.

  4. If some accounts are intentionally excluded (for valid reasons like break-glass accounts), update the Secure Score action plan via Edit status & action plan and choose an appropriate justification:

    • Resolved through third party

    • Resolved through alternate mitigation


Contact Support 🙋‍♂️

Still seeing alerts after confirming the policy covers everyone?

Reach out to our support team with the following:

  1. A complete page screenshot of the alert showing its title and the changes it detected.

  2. Screenshot of the Actionable Alert rule configuration page:

    1. Go to Admin > Actionable Alerts > Rules

    2. Locate the same Actionable Alert mentioned

    3. Click on the Clone button (two squares icon)

    4. Take a screenshot of the whole page in 2 parts

  3. Screenshot of your Conditional Access policy assignments

  4. Your current Secure Score details from Microsoft 365 Security Center

We're here to help troubleshoot further and are happy to assist in any way possible.
