All security groups assigned to Conditional Access Policies should be protected by RMAU
Why This Matters
Conditional Access policies are a critical layer of your identity security. If a security group assigned to a Conditional Access policy is compromised, an attacker could modify the group's membership to bypass your security controls, exposing your tenant to unauthorized access.
What Aether365 Checks
Aether365 verifies that every security group used in a Conditional Access policy is protected by either a Restricted Management Administrative Unit (RMAU) or marked as a role-assignable group. This check appears in your Aether365 dashboard under microsoft-365 checks.