Microsoft is changing how Conditional Access policies are enforced for authentication flows with resource exclusions, starting March 2026. This security enhancement ensures consistent policy application regardless of scope requests, affecting tenants with 'All resources' policies that include exclusions.
Microsoft is implementing a significant security enhancement to its Conditional Access policies that will affect how authentication flows are enforced across Microsoft Entra ID. The change, part of Microsoft's Secure Future Initiative, addresses a gap in policy enforcement for specific authentication scenarios.
What's Changing in Conditional Access Enforcement
Currently, when users authenticate through client applications that request only OIDC scopes or a limited set of directory scopes, Conditional Access policies targeting "All resources" are not enforced if those policies include resource exclusions. This creates a potential security gap where certain authentication flows bypass intended policy controls.
Starting March 27, 2026, Microsoft will strengthen enforcement so that Conditional Access policies targeting "All resources" will be applied consistently, even when resource exclusions are present. This means that authentication requests will be subject to policy enforcement regardless of the specific scopes requested by the application.
The rollout will be progressive, spanning several weeks across all cloud environments until June 2026, allowing organizations time to prepare and adjust their configurations.
Who Will Be Affected
This change specifically impacts tenants that have configured Conditional Access policies targeting "All resources" with one or more resource exclusions. Microsoft will notify affected tenants through M365 Message Center communications. Organizations without this specific policy configuration will not experience any changes in behavior.
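A practical way to find out whether your tenant is in scope is to pull every Conditional Access policy from Microsoft Graph and look for the combination the article describes: `includeApplications` containing `All` together with a non-empty `excludeApplications`. The check below is an added example, not Microsoft's code; it assumes the input is the `value` array returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (requires `Policy.Read.All`), and the policies embedded here are constructed samples with made-up ids.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the "value" array of a Graph
# GET /identity/conditionalAccess/policies response, trimmed to the fields
# this check needs. Policy names and GUIDs are invented for illustration.
SAMPLE_POLICIES_JSON = json.dumps({"value": [
    {"id": "11111111-0000-0000-0000-000000000001",
     "displayName": "Require MFA for all resources (excl. legacy app)",
     "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": ["a0000000-0000-0000-0000-00000000aaaa"]}}},
    {"id": "11111111-0000-0000-0000-000000000002",
     "displayName": "Require MFA for all resources",
     "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["All"], "excludeApplications": []}}},
    {"id": "11111111-0000-0000-0000-000000000003",
     "displayName": "Compliant device for Office 365",
     "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["Office365"],
         "excludeApplications": ["a0000000-0000-0000-0000-00000000bbbb"]}}},
    {"id": "11111111-0000-0000-0000-000000000004",
     "displayName": "Report-only: all resources minus break-glass tool",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": ["a0000000-0000-0000-0000-00000000cccc"]}}},
]})


def is_all_resources_with_exclusions(policy: Dict[str, Any]) -> bool:
    """True when the policy targets 'All' resources and excludes at least one."""
    apps = policy.get("conditions", {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    return "All" in include and len(exclude) > 0


def find_affected_policies(policies_json: str) -> List[Dict[str, Any]]:
    """Summarise enabled and report-only policies whose enforcement changes.
    Disabled policies are skipped; report-only ones are kept because their
    sign-in log entries will show the new behaviour before enforcement."""
    affected = []
    for p in json.loads(policies_json).get("value", []):
        if p.get("state") == "disabled" or not is_all_resources_with_exclusions(p):
            continue
        affected.append({"id": p["id"], "displayName": p["displayName"],
                         "state": p["state"],
                         "excluded": list(p["conditions"]["applications"]["excludeApplications"])})
    return affected


if __name__ == "__main__":
    for hit in find_affected_policies(SAMPLE_POLICIES_JSON):
        print(f"{hit['state']:<35} {hit['displayName']} (excludes {len(hit['excluded'])})")
```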
Impact on Authentication Flows
When the change takes effect, users signing in through client applications that request only the affected scopes may encounter Conditional Access challenges where previously they were granted access without enforcement. The specific challenges will depend on the access controls configured in your policies, which may include multi-factor authentication (MFA), device compliance requirements, or other Conditional Access controls.
Preparation Steps for Organizations
For Most Customers: No Action Required
Most applications naturally request additional scopes beyond the limited set affected by this change and are already subject to Conditional Access enforcement. These applications will continue to function without modification.
Microsoft is actively working with popular software vendors to ensure their applications can appropriately handle the new Conditional Access challenges that may be introduced.
For Custom Applications: Review and Update if Necessary
Organizations with custom applications intentionally designed to request only the affected scopes should evaluate their readiness:
- If applications already handle Conditional Access challenges: No changes are required
- If applications do not handle these challenges: Updates may be necessary
Microsoft provides developer guidance for updating applications to properly handle Conditional Access challenges, including MFA and device compliance requirements.
Technical Context and Background
The change addresses a specific behavior where the combination of "All resources" targeting and resource exclusions created inconsistent enforcement. By ensuring that policies are applied regardless of scope requests, Microsoft strengthens the security posture and aligns with defense-in-depth principles.
This enhancement is particularly relevant for organizations using the Azure AD Graph API or applications that make targeted scope requests. The change ensures that security policies cannot be circumvented through careful scope selection in authentication requests.
Resources for Implementation
Organizations can access several resources to understand and prepare for this change:
- Conditional Access behavior documentation for policies with app exclusions
- Developer guidance for Microsoft Entra Conditional Access
- Scopes and permissions in Microsoft identity platform
- Troubleshooting Conditional Access and viewing audience reporting
Strategic Security Implications
This change reflects Microsoft's ongoing commitment to strengthening identity security through the Secure Future Initiative. By closing enforcement gaps in Conditional Access, organizations benefit from more consistent security policy application across all authentication scenarios.
The enhancement supports the principle of least privilege by ensuring that security controls cannot be bypassed through selective scope requests. This is particularly important as organizations increasingly rely on cloud services and need robust identity protection across diverse application ecosystems.
Organizations should review their Conditional Access policies and custom applications well before the March 2026 implementation date to ensure a smooth transition and maintain security compliance. The progressive rollout provides adequate time for testing and adjustments, but proactive preparation will minimize any potential disruption to user authentication experiences.