Sign-in risk and user risk conditions should be configured in separate Conditional Access policies
Why This Matters
Combining sign-in risk and user risk conditions in a single Conditional Access policy creates a security blind spot. Every condition in a policy must be satisfied for the policy to apply, so a policy that sets both risk conditions fires only when the sign-in and the user are both at the configured risk levels: a high-risk sign-in from an account whose user risk is low, or a user already flagged as compromised whose current sign-in looks normal, is not caught. Administrators also lose the ability to respond to each signal separately (for example, stepping up to MFA on a risky sign-in but requiring a secure password change for a compromised account), so the single policy either leaves dangerous scenarios under-protected or adds needless friction for legitimate users.
What Aether365 Checks
This scan verifies that your Conditional Access policies do not configure both sign-in risk and user risk conditions in the same policy. It appears in the Aether365 dashboard under the microsoft-365 checks category.
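The check described above can be reproduced against the JSON that Microsoft Graph returns from GET /identity/conditionalAccess/policies. The script below is an added example, not Aether365's own code or output: it flags any policy whose conditions set both signInRiskLevels and userRiskLevels, and derives two separate policy objects from a combined one (one keeping only the sign-in risk condition, one keeping only the user risk condition, each staged in report-only mode with the original grant controls copied over for review). The policies, names and GUIDs in SAMPLE_RESPONSE are constructed for this example.

```python
import copy
import json

# Constructed sample in the shape of Microsoft Graph's
# GET /identity/conditionalAccess/policies response ("value" array).
# The names and GUIDs are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "CA010 - High risk (combined)",
            "state": "enabled",
            "conditions": {
                "signInRiskLevels": ["high"],
                "userRiskLevels": ["high"],
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
        {
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "CA011 - Sign-in risk requires MFA",
            "state": "enabled",
            "conditions": {
                "signInRiskLevels": ["medium", "high"],
                "userRiskLevels": [],
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "id": "33333333-3333-3333-3333-333333333333",
            "displayName": "CA012 - User risk requires password change",
            "state": "enabled",
            "conditions": {
                "signInRiskLevels": [],
                "userRiskLevels": ["high"],
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
        },
    ]
})


def load_policies(response_json: str) -> list[dict]:
    """Parse the Graph response body and return the policy list."""
    return json.loads(response_json).get("value", [])


def has_combined_risk_conditions(policy: dict) -> bool:
    """True when a single policy sets both risk conditions. All conditions in a
    policy must hold for it to apply, so such a policy only fires when the
    sign-in AND the user are risky at the configured levels."""
    cond = policy.get("conditions") or {}
    return bool(cond.get("signInRiskLevels")) and bool(cond.get("userRiskLevels"))


def audit_policies(response_json: str) -> list[dict]:
    """Return one finding per policy that combines both risk conditions.
    Report-only policies are included, since they would misbehave once enforced."""
    findings = []
    for p in load_policies(response_json):
        if has_combined_risk_conditions(p):
            cond = p["conditions"]
            findings.append({
                "id": p.get("id"),
                "displayName": p.get("displayName"),
                "state": p.get("state"),
                "signInRiskLevels": cond["signInRiskLevels"],
                "userRiskLevels": cond["userRiskLevels"],
            })
    return findings


def split_policy(policy: dict) -> tuple[dict, dict]:
    """Derive two separate policies from a combined one. Scope (users, apps)
    and grant controls are copied unchanged; each copy keeps exactly one risk
    condition. The "id" is dropped so the copies can be created as new policies,
    and they are staged in report-only mode. Review the controls before enabling:
    a sign-in risk policy typically steps up to MFA, a user risk policy typically
    requires a secure password change, which the original may not reflect."""
    sign_in, user = copy.deepcopy(policy), copy.deepcopy(policy)
    for p in (sign_in, user):
        p.pop("id", None)
        p["state"] = "enabledForReportingButNotEnforced"
    sign_in["displayName"] = policy["displayName"] + " (sign-in risk)"
    sign_in["conditions"]["userRiskLevels"] = []
    user["displayName"] = policy["displayName"] + " (user risk)"
    user["conditions"]["signInRiskLevels"] = []
    return sign_in, user


if __name__ == "__main__":
    policies = {p["id"]: p for p in load_policies(SAMPLE_RESPONSE)}
    for f in audit_policies(SAMPLE_RESPONSE):
        print(f"FINDING: {f['displayName']} [{f['state']}] combines sign-in risk "
              f"{f['signInRiskLevels']} with user risk {f['userRiskLevels']}")
        for replacement in split_policy(policies[f["id"]]):
            print(json.dumps(replacement, indent=2))
```

To run this against a real tenant, replace SAMPLE_RESPONSE with the body of the Graph call (Policy.Read.All is required to read policies) and review the two derived policies before creating them; the check itself only looks at the two risk-level arrays, so it is independent of the policy's state, scope and controls.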