MC1339879: Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
Upcoming Conditional Access change in your tenant
You're receiving this notification because your tenant has at least one Conditional Access policy that targets All resources with resource exclusions. As announced in the Microsoft Entra Blog post and earlier admin center messages, Microsoft is enhancing how these policies are enforced for a subset of authentication flows. This update strengthens security by ensuring more consistent enforcement as part of Microsoft's Secure Future Initiative. This change will be enabled in your tenant over the next 2 weeks. You will receive another notification after the rollout is complete in your tenant.
What is changing?
Today, for certain sign-ins—specifically when client applications request only baseline scopes (OIDC scopes or a limited set of directory scopes)—Conditional Access policies that target All resources are not enforced if resource exclusions are present.
After this change, Conditional Access policies that target All resources will apply to these sign-ins, even when resource exclusions are present.
How will this affect your organization?
After this update, users signing in through a client application that requests only the baseline scopes may receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The specific challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.
Required action
Microsoft recommends transitioning to the updated enforcement behavior. However, if your organization has specific scenarios that need to retain the legacy behavior, you can use Baseline scope settings to:
- Opt out of this change, or
- Customize enforcement behavior on a per-policy basis
If you choose to opt out, your tenant will not be included in the upcoming rollout. Opting out is not recommended and should be considered a temporary measure until you can enable the recommended enforcement. If you choose to customize enforcement behavior, the configured behavior will remain in effect until you change it. You can update these settings at any time. Refer to the links below for additional guidance and configuration options.
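To find which policies in a tenant fall under this notice (All resources targeted, with resource exclusions), the filter below is an added example, not Microsoft's code. It expects the "value" array returned by the Microsoft Graph endpoint GET /v1.0/identity/conditionalAccess/policies; the sample policies and app IDs are constructed placeholders, and the helper names are the author's own.

```python
from typing import Any

# Constructed sample shaped like the Graph "value" array for conditionalAccessPolicy
# objects; app IDs are placeholders, not real application IDs.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {"displayName": "Require MFA for all apps except one",
     "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": ["<CONSTRUCTED-APP-ID-1>"]}}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": []}}},
    {"displayName": "Retired pilot policy",
     "state": "disabled",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": ["<CONSTRUCTED-APP-ID-2>"]}}},
    {"displayName": "Compliant device (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {
         "includeApplications": ["All"],
         "excludeApplications": ["<CONSTRUCTED-APP-ID-3>"]}}},
]


def targets_all_with_exclusions(policy: dict[str, Any]) -> bool:
    """True when the policy targets All resources and also excludes some."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    includes = apps.get("includeApplications") or []
    excludes = apps.get("excludeApplications") or []
    return "All" in includes and len(excludes) > 0


def affected_policies(policies: list[dict[str, Any]],
                      include_report_only: bool = True) -> list[str]:
    """Display names of policies whose enforcement changes under this rollout.

    Disabled policies are skipped; report-only policies are included by default
    because their sign-in log results will also change after the update.
    """
    states = {"enabled"}
    if include_report_only:
        states.add("enabledForReportingButNotEnforced")
    return [p.get("displayName", "") for p in policies
            if p.get("state") in states and targets_all_with_exclusions(p)]


if __name__ == "__main__":
    for name in affected_policies(SAMPLE_POLICIES):
        print("Review before rollout:", name)
```

Each listed policy is one to review before the rollout, either by moving it to the updated enforcement or by adjusting its Baseline scope settings.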