Why report-only policies are a silent risk
Conditional Access is the front door to your tenant. When every policy sits in report-only, the sign-in logs fill with "would have blocked" entries, but nothing actually stops a sign-in with a sprayed password or a stolen credential.
Teams often enable report-only during a pilot and never flip to On. Auditors see "we have CA policies" on paper. Attackers face the same tenant they would if the policies did not exist.
How to find report-only and inactive policies
- Open Microsoft Entra admin center → Protection → Conditional Access → Policies
- Review the State column for each policy:
  - On = enforcing
  - Report-only = evaluated and logged, nothing enforced
  - Off = disabled, not evaluated
- Export or screenshot the list for your change record
- Open Sign-in logs, open a sign-in and check its Report-only tab: a result of "Report-only: Failure" or "Report-only: User action required" means that policy would have blocked or challenged the sign-in had it been On
- Check for policies named after completed projects ("Temp vendor access Q3") still in report-only or Off
What good looks like
- At least one baseline policy On and enforcing (MFA for admins, block legacy auth, or require compliant device)
- Report-only used only during active pilots with a documented end date
- No tenant-wide gap where all policies are report-only or Off
- Sign-in log review completed before any report-only policy moves to On
Step-by-step: move validated policies from report-only to On
- Inventory policy state: List every CA policy with its current state, target users, and cloud apps.
- Review report-only impact: In Sign-in logs, filter the last 14 to 30 days and look at the Report-only tab of each sign-in for "Report-only: Failure" (would have blocked) and "Report-only: User action required" (would have challenged). Group by policy and by user so you know who would be affected.
- Fix exclusions first: Resolve any legitimate access needs (service accounts, break-glass, legacy apps) before enforcement, not after.
- Enable one policy at a time: Start with admin MFA or block legacy auth. Set state to On for a single validated policy.
- Monitor for 48 hours: Watch sign-in failures and helpdesk tickets. Roll back to report-only only if you hit blocks you did not see in the report-only data.
- Close out pilots: For each remaining report-only policy, either move to On, disable it, or document why it stays in report-only with an owner and review date.
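The inventory, impact review and single-policy promotion above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not Tenant Hawk's code; the policy name, the break-glass account UPN and the 30-day window are assumptions you will replace with your own.

```powershell
# Added example (not Tenant Hawk's code). Requires the Microsoft.Graph module.
# Assumptions (replace these): the pilot policy name, the break-glass UPN,
# and a 30-day review window.
$targetName = 'Require MFA for admins'
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'
$windowDays = 30

Connect-MgGraph -NoWelcome -Scopes 'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

# Step 1: inventory every policy with state, targeted users and cloud apps
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies |
    Select-Object DisplayName, State,
        @{ n = 'Users'; e = { (@($_.Conditions.Users.IncludeUsers) +
                               @($_.Conditions.Users.IncludeGroups) +
                               @($_.Conditions.Users.IncludeRoles)) -join ',' } },
        @{ n = 'Apps';  e = { @($_.Conditions.Applications.IncludeApplications) -join ',' } } |
    Sort-Object State | Format-Table -AutoSize

# Tenant-wide gap check: every policy report-only or Off means nothing enforces
if (-not ($policies | Where-Object State -eq 'enabled')) {
    Write-Warning 'No Conditional Access policy is On. The tenant is effectively unprotected by CA.'
}

# Step 2: report-only impact. The per-policy result is filtered client-side
# because appliedConditionalAccessPolicies is not reliably usable in $filter.
$since = (Get-Date).ToUniversalTime().AddDays(-$windowDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$impact = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # reportOnlyFailure = would have blocked; reportOnlyInterrupted = would have challenged
        if ($p.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted') {
            [pscustomobject]@{
                Policy = $p.DisplayName; Result = $p.Result
                User   = $s.UserPrincipalName; App = $s.AppDisplayName
            }
        }
    }
}
"Report-only impact per policy over the last $windowDays days:"
$impact | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Top users '$targetName' would have blocked or challenged:"
$impact | Where-Object Policy -eq $targetName | Group-Object User |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name | Format-Table -AutoSize

# Step 3: fix exclusions first, then enable ONE validated policy
$target = $policies | Where-Object DisplayName -eq $targetName
if (-not $target) { throw "Policy '$targetName' not found." }
if ($target.State -ne 'enabledForReportingButNotEnforced') {
    throw "'$targetName' is in state '$($target.State)', not report-only; nothing to promote."
}
$breakGlassId = (Get-MgUser -UserId $breakGlassUpn).Id
if ($target.Conditions.Users.ExcludeUsers -notcontains $breakGlassId) {
    throw "Break-glass account is not excluded from '$targetName'. Fix the exclusion before enforcing."
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $target.Id -State 'enabled'
"Enabled '$targetName'. Monitor sign-in failures and helpdesk tickets for 48 hours."
```

Run the script once with the final `Update-MgIdentityConditionalAccessPolicy` line commented out to review the inventory and impact tables, then rerun it to promote the policy. On a large tenant, 30 days of sign-ins is a lot of data; narrow the window or add an application filter to the `-Filter` expression. The break-glass check compares object IDs because `ExcludeUsers` holds IDs, not UPNs.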
Common mistakes
- Leaving every CA policy in report-only after a "successful" pilot
- Enforcing a broad "All users, All cloud apps" policy before testing on a pilot group
- Creating duplicate policies (one report-only, one On) and forgetting which is active
- Assuming Microsoft Secure Score or MFA registration stats mean CA is enforcing
Tenant Hawk checks whether your tenant has enforced Conditional Access policies or only report-only rules, and surfaces it in your security score. Run a free read-only scan to see your CA posture before you flip the switch.