All excluded objects should have a fallback include in another policy.

Why This Matters

When you exclude users or groups from a conditional access policy without ensuring they are explicitly covered by another policy, you create security gaps. Attackers or compromised accounts in these excluded groups may bypass critical controls. IT administrators should review exclusions regularly to avoid unintentional blind spots in their access defenses.

What Aether365 Checks

This check identifies objects (users, groups, or roles) that are excluded from a conditional access policy but are not explicitly included in any other policy. It appears in the Aether365 dashboard under the microsoft-365 checks category as ID AE.1036.
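The logic of this check, as an added example (not Aether365's own code), run over constructed policies shaped like Microsoft Graph `conditionalAccessPolicy` objects. It assumes that an `All` include does not count as explicit coverage and that only policies in the `enabled` state provide a fallback; the function name and sample IDs are hypothetical.

```python
# Added example: not Aether365's code. Policies are constructed sample data
# shaped like Microsoft Graph conditionalAccessPolicy objects.
KINDS = {"Users": "user", "Groups": "group", "Roles": "role"}

def _ids(policy, prefix, suffix):
    """Read e.g. conditions.users.excludeGroups as a set (missing/None -> empty)."""
    users = policy.get("conditions", {}).get("users", {}) or {}
    return set(users.get(prefix + suffix) or [])

def excluded_without_fallback(policies, enabled_only=True):
    """Return sorted (policy name, kind, object id) for every exclusion that no
    OTHER policy explicitly includes. 'All' in an include list is not treated
    as explicit coverage (assumption based on the check's wording)."""
    if enabled_only:  # assumption: disabled/report-only policies give no cover
        policies = [p for p in policies if p.get("state") == "enabled"]
    findings = []
    for p in policies:
        for suffix, kind in KINDS.items():
            for obj in _ids(p, "exclude", suffix):
                covered = any(
                    obj in _ids(q, "include", suffix)
                    for q in policies if q["id"] != p["id"]
                )
                if not covered:
                    findings.append((p["displayName"], kind, obj))
    return sorted(findings)

SAMPLE_POLICIES = [  # constructed
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["grp-breakglass", "grp-service"]}}},
    {"id": "p2", "displayName": "Service accounts: trusted locations only",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-service"],
                              "excludeUsers": ["usr-sync"]}}},
    {"id": "p3", "displayName": "Break-glass controls (draft)", "state": "disabled",
     "conditions": {"users": {"includeGroups": ["grp-breakglass"]}}},
]

if __name__ == "__main__":
    for name, kind, obj in excluded_without_fallback(SAMPLE_POLICIES):
        print(f"{name}: excluded {kind} {obj} has no fallback include")
```

In the sample, `grp-breakglass` is flagged because the only policy that includes it is disabled, and `usr-sync` is flagged because the other policy covers it only through `All`.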