We’re strengthening how Microsoft Entra Conditional Access is enforced for a narrow set of authentication flows to improve your security posture.
In alignment with Microsoft’s Secure Future Initiative, we are taking the following proactive security measures for defense-in-depth. Please review the changes and take any required actions to prepare.
What is changing?
- Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.
- After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. This ensures that policies are consistently applied regardless of the scope set requested by the application. Read more about this change.
When will you see this change?
Microsoft Entra ID will begin enforcing this change starting March 27, 2026. This will be rolled out progressively across all clouds over several weeks until June 2026.
Who will be affected by this change?
This change only affects tenants that have a Conditional Access policy targeting All resources with one or more resource exclusions, and these tenants will be notified through M365 Message Center messages. Tenants without this policy configuration will not be impacted.
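To check your own tenant for the policy configuration described above (All resources with one or more resource exclusions), the following Python is an added example, not part of the announcement; it assumes policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource (GET /identity/conditionalAccess/policies), and the sample policies are constructed with placeholder app IDs.

```python
"""Find Conditional Access policies that the enforcement change affects.
Added example, not from the announcement; assumes the policy shape returned by
Microsoft Graph (GET /identity/conditionalAccess/policies). Samples below are
constructed, with placeholder app IDs."""

SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "MFA for all resources, legacy app excluded",
     "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["<legacy-app-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Compliant device for all resources",
     "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"id": "p3", "displayName": "MFA for one app, another excluded",
     "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["<app-id-1>"],
                                     "excludeApplications": ["<app-id-2>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p4", "displayName": "Disabled: all resources with exclusion",
     "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["<app-id-3>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def is_affected(policy):
    """True when the policy targets All resources and lists resource exclusions.
    Disabled policies are skipped; enabled and report-only ones are kept, since
    both will now evaluate OIDC-only / limited-scope sign-ins."""
    if policy.get("state") == "disabled":
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    return "All" in include and len(exclude) > 0


def find_affected_policies(policies):
    """Return (id, state, built-in grant controls) per affected policy, so an
    admin can see which challenge (mfa, compliantDevice, ...) apps may now get."""
    return [(p["id"], p["state"],
             tuple((p.get("grantControls") or {}).get("builtInControls") or []))
            for p in policies if is_affected(p)]
```

Feed the function the JSON array from a real Graph export in place of `SAMPLE_POLICIES` to list the policies whose grant controls your scope-limited applications must now be able to satisfy.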
How will this affect your organization?
When a user signs in through a client application that requests only the OIDC or limited directory scopes described above, they may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The specific challenge depends on the access controls configured in your policies that target All resources or explicitly target Azure AD Graph as the resource.
What do you need to do to prepare?
✔ Most customers: No action required
Most applications request additional scopes beyond the OIDC or limited directory scopes described above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior. We’re working with popular software vendors where updates may be needed to ensure their applications handle Conditional Access challenges appropriately.
⚠ Apps registered in your tenant and requesting only these scopes: Review recommended
If you have custom applications that are intentionally designed to request only the OIDC or limited directory scopes described above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.
If they already handle Conditional Access challenges: no changes are required. If they do not, updates may be needed. Refer to the Microsoft Conditional Access developer guidance on how to update your application appropriately.
-Swaroop Krishnamurthy
Additional resources
- Conditional Access behavior when an “All cloud apps” policy has an app exclusion
- Developer guidance for Microsoft Entra Conditional Access - Microsoft identity platform | Microsoft Learn
- Scopes and permissions in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn
- Troubleshoot Conditional Access and view audience reporting