Conditional Access enforcement change coming to Microsoft Entra

Microsoft will change how Conditional Access policies are enforced in Microsoft Entra starting March 27, 2026, with a phased rollout continuing through June 2026.

The change affects sign-ins through client applications that request only OIDC scopes or a limited set of directory scopes when Conditional Access policies target all resources and include resource exclusions.

After the change, these policies will be enforced during sign-in even when resource exclusions are present.

“When a user signs in through a client application that requests only the scopes listed above, they may now receive Conditional Access challenges such as MFA or device compliance where previously they were allowed access without enforcement. The specific challenge depends on the access controls configured in your policies that target All resources or explicitly target Azure AD Graph as the resource,” Swaroop Krishnamurthy, Principal Product Lead, Microsoft, explained.

The change applies only to tenants that have Conditional Access policies targeting all resources with one or more resource exclusions. Tenants without this policy configuration are not affected.