Users detected as high risk SHALL be blocked.
Why This Matters
High-risk user detections indicate compromised accounts or suspicious activity that could lead to data breaches. If these users are not blocked, attackers can maintain access to sensitive resources, escalate privileges, or move laterally across your tenant. Blocking high-risk users is a critical security control for stopping ongoing attacks before damage occurs.
What Aether365 Checks
This check verifies that a Microsoft Entra ID Conditional Access policy in your tenant is configured to block sign-ins for users detected as high risk. It appears in the Aether365 dashboard under the entra-id service checks.
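To review the same condition by hand, the added example below (not Aether365's own code) evaluates policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists why each one would fail to block high-risk users. The sample policies are constructed, and the pass criteria (enforced state, all users, all cloud apps) are assumptions about what a complete blocking policy looks like.

```python
# Added example: constructed policies in Microsoft Graph conditionalAccessPolicy shape.
# Assumption (not from the page): a passing policy is enforced, covers all users
# and all cloud apps, matches user risk "high", and uses the "block" grant control.

def evaluate(policy):
    """Return the reasons this policy fails to block high-risk users ([] = pass)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    reasons = []
    if policy.get("state") != "enabled":  # report-only policies block nothing
        reasons.append(f"state={policy.get('state')}")
    if "high" not in (cond.get("userRiskLevels") or []):
        reasons.append("userRiskLevels lacks 'high'")
    if "All" not in (users.get("includeUsers") or []):
        reasons.append("not scoped to all users")
    if "All" not in (apps.get("includeApplications") or []):
        reasons.append("not scoped to all cloud apps")
    if "block" not in (grant.get("builtInControls") or []):
        reasons.append("grant control is not 'block'")
    return reasons

def exclusions(policy):
    """Principals exempt from the policy; each one needs a documented reason."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return [x for k in ("excludeUsers", "excludeGroups", "excludeRoles")
            for x in (users.get(k) or [])]

def tenant_passes(policies):
    """The tenant passes if at least one policy has no failure reasons."""
    return any(not evaluate(p) for p in policies)

def _policy(name, state, controls, exclude_users=()):  # builds constructed samples
    return {"displayName": name, "state": state,
            "conditions": {"userRiskLevels": ["high"],
                           "users": {"includeUsers": ["All"],
                                     "excludeUsers": list(exclude_users)},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": "AND" if len(controls) > 1 else "OR",
                              "builtInControls": controls}}

REPORT_ONLY = _policy("Block high risk (pilot)", "enabledForReportingButNotEnforced", ["block"])
PASSWORD_RESET = _policy("High risk: reset password", "enabled", ["mfa", "passwordChange"])
BLOCKING = _policy("Block high-risk users", "enabled", ["block"], ["breakglass-id-placeholder"])

if __name__ == "__main__":
    for p in (REPORT_ONLY, PASSWORD_RESET, BLOCKING):
        print(p["displayName"], "->", evaluate(p) or "PASS", "| excluded:", exclusions(p))
```

A report-only policy and a policy that forces a password change both leave high-risk sign-ins unblocked, and any excluded principals on a passing policy still warrant review.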