Forum Discussion
Multiple Policies Disabled in MCAS portal since 24th Jul'23
Hello Everyone, I recently observed that multiple policies were in disabled state and modified date shows as 24th Jull'23. This is the pattern I've observed in 4 of my accounts. Any update on this?
Adding to Greg's note, there are two main cases where policies could have been disabled:
1. a one time operation: as we introduced the concept of behavior back in end of May, we disabled a number of built in policy alerts. The detections still exist and are now risky "behaviors", as part of the incidents in the Microsoft 365 Defender Portal. In your case, this does not fit with the dates you are mentioning below.
2. more commonly, should you delete entities that are referenced in a policy, the policy will be disabled. For instance if a policy applies specifically to a group named "Germany users", and that group is deleted, all policies referencing that group will be disabled.
Does this match your case?
2 Replies
- Yoann_David_Mallet
Microsoft
Adding to Greg's note, there are two main cases where policies could have been disabled:
1. a one time operation: as we introduced the concept of behavior back in end of May, we disabled a number of built in policy alerts. The detections still exist and are now risky "behaviors", as part of the incidents in the Microsoft 365 Defender Portal. In your case, this does not fit with the dates you are mentioning below.
2. more commonly, should you delete entities that are referenced in a policy, the policy will be disabled. For instance if a policy applies specifically to a group named "Germany users", and that group is deleted, all policies referencing that group will be disabled.
Does this match your case?
- Thanks a lot for your response. Yes, there were build in policies which got disabled.
