Forum Discussion
Entra Risky Users Custom Role
terruahmad We’ve seen this too and unfortunately this looks to be by design.
Entra ID Protection (risky users, confirm/dismiss risk, unblock) is documented as being operated by Global Administrator and Security Administrator/security roles, not by granular custom roles. In the Entra built‑in role permissions reference, the Identity Protection/risky‑user actions are not exposed as custom‑role assignable, so you can’t build a minimal “Risky Users custom role” today.
So the supported solution right now is:
Assign a built‑in security role that can manage risky users (typically Security Operator or Security Administrator) and map it back into Defender XDR unified RBAC. Then reduce blast radius with role‑assignable groups + PIM + JIT activation rather than trying to solve it purely with a custom role that the platform doesn’t support yet.
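A sketch of the role-assignable group + PIM eligibility part of the reply above, using the Microsoft Graph PowerShell SDK. It is an added example, not part of the original reply. The group name, the choice of Security Operator, and the 180-day eligibility window are assumptions; mapping the role into Defender XDR unified RBAC is not covered here.

```powershell
# Added example. Group name, role choice and durations are assumptions.
# Requires the Microsoft.Graph PowerShell module and an admin who can manage PIM.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# 1. Create a role-assignable security group.
#    isAssignableToRole can only be set when the group is created.
$group = New-MgGroup -DisplayName 'SEC-RiskyUsers-Operators' `
    -MailNickname 'sec-riskyusers-operators' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -IsAssignableToRole:$true `
    -Description 'Eligible for Security Operator via PIM (risky-user triage)'

# 2. Resolve the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Security Operator'"

# 3. Make the group ELIGIBLE (not active) for the role at tenant scope.
#    Members hold no standing privilege until they activate through PIM.
$params = @{
    action           = 'adminAssign'
    justification    = 'Risky-user triage; activate just in time through PIM'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $group.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params

# 4. Verify: the group should be listed as eligible for the role...
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($group.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, EndDateTime

# ...and should have no standing (active) assignment for it.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)'"
```

Activation requirements such as approval, MFA and maximum activation duration are set in the PIM role settings for the chosen role and are not changed by this script.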