MT.1049 - Conditional Access policies for User Risk and Sign-in Risk should be configured separately.
Overview
Checks if both user risk and sign-in risk are configured in one conditional access policy.
Combining sign-in risk and user risk in one policy means the policy only fires when both types of risk are flagged for a given sign-in, because Conditional Access evaluates all configured conditions with AND logic.
This means that if only one type of risk is present (e.g. sign-in risk = High, user risk = None), the sign-in is allowed to proceed. This creates a security gap, since risky activity matching just one condition slips through.
See Sign-in risk-based multifactor authentication - Microsoft Learn
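The following is an added example (not Maester's own Test-MtCaMisconfiguredIDProtection code) that detects policies combining both risk conditions and replays the AND evaluation described above; the policy dicts mirror the Microsoft Graph conditionalAccessPolicy shape (`conditions.userRiskLevels`, `conditions.signInRiskLevels`) and the sample policies are constructed.

```python
"""Detect CA policies that mix user risk and sign-in risk, and show why it matters.

Policy objects follow the Graph conditionalAccessPolicy shape; the sample
policies below are constructed for illustration.
"""

# Constructed sample policies (shape mirrors Graph API output).
POLICIES = [
    {"displayName": "CA-RiskCombined", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": ["high"]}},
    {"displayName": "CA-UserRisk", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": []}},
    {"displayName": "CA-SignInRisk", "state": "enabled",
     "conditions": {"userRiskLevels": [], "signInRiskLevels": ["high", "medium"]}},
    {"displayName": "CA-Disabled", "state": "disabled",
     "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": ["high"]}},
]


def mixes_risk_types(policy):
    """True if a single policy scopes on both user risk and sign-in risk."""
    cond = policy.get("conditions", {})
    return bool(cond.get("userRiskLevels")) and bool(cond.get("signInRiskLevels"))


def find_misconfigured(policies, include_disabled=False):
    """Names of policies that combine both risk conditions (MT.1049 finding)."""
    return [p["displayName"] for p in policies
            if (include_disabled or p.get("state") != "disabled")
            and mixes_risk_types(p)]


def policy_applies(policy, sign_in_risk, user_risk):
    """CA semantics: every configured condition must match (AND).
    An empty list means the condition is not configured and always matches."""
    cond = policy.get("conditions", {})
    sir = cond.get("signInRiskLevels") or []
    ur = cond.get("userRiskLevels") or []
    return (not sir or sign_in_risk in sir) and (not ur or user_risk in ur)


def policies_that_fire(policies, sign_in_risk, user_risk):
    """Enabled policies that would apply to a sign-in with these risk levels."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled"
            and policy_applies(p, sign_in_risk, user_risk)]


if __name__ == "__main__":
    print("Misconfigured:", find_misconfigured(POLICIES))
    # The gap from the text: high sign-in risk but no user risk.
    print("Fires for sign-in risk=high, user risk=none:",
          policies_that_fire(POLICIES, "high", "none"))
```

Against the constructed data, the combined policy is flagged, and it does not fire for a high sign-in risk with no user risk, while the separate sign-in risk policy does.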
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1049 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaMisconfiguredIDProtection |
| Tags | CA, Maester, MT.1049 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaMisconfiguredIDProtection.ps1