Entra Risky Users Custom Role

My customer implemented unified RBAC (Defender Portal) and removed the Entra Security Operator role.  They lost the ability to manage Risky Users in Entra. Two options explored by the customer - Protected Identity Administrator role (licensing unclear) or create a custom role with microsoft.directory/identityProtection/riskyUsers/update, which they couldn't find under custom role.  Do you know if there are other options to manage Risky Users without using the Security Operator role?