Authentication Method - General Settings - Report suspicious activity - Included users/groups
Why This Matters
When users report suspicious activity through the authentication methods settings, only those who are included in the target group receive the functionality. If the report suspicious activity feature is not applied to all users, some users may inadvertently bypass this critical security control. This can delay detection of unauthorized access attempts and reduce the overall effectiveness of your Microsoft 365 security posture.
What Aether365 Checks
Aether365 verifies that the reportSuspiciousActivitySettings.includeTarget.id setting in the authentication methods policy is configured for all_users. This check appears in the Aether365 dashboard under the entraid checks section.
How to Fix
Follow these steps to apply the report suspicious activity feature to all users: