Demo portal · pre-release Back us

Accepted risks

Decisions recorded once, carried forward across runs · all tenants

Risk / control Tenant Product Severity Standard Accepted by Expires
CIS.M365.1.1.1
Ensure Administrative accounts are cloud-only
Pora Inc. En Entra High CIS [email protected] 2026-08-27 details →
CIS.M365.1.3.7
Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
Pora Inc. En Entra Unknown CIS [email protected] 2026-09-16 details →
CISA.MS.AAD.1.1
Legacy authentication SHALL be blocked.
Pora Inc. En Entra High CISA [email protected] No expiry details →
CISA.MS.AAD.3.7
Managed devices SHOULD be required for authentication.
Pora Inc. En Entra High CISA [email protected] 2026-10-26 details →
CISA.MS.AAD.7.7
Eligible and Active highly privileged role assignments SHALL trigger an alert.
Pora Inc. En Entra High CISA [email protected] 2026-11-15 details →

An accepted risk suppresses a control from "new failures" until it expires or is revoked. The decision, owner, and date are kept in the five-year tenant history so auditors can see what was accepted, by whom, and when.