MC1395903: Completed: Conditional Access enforcement update for policies with resource exclusions

Conditional Access enforcement update completed in your tenant

The rollout of the Conditional Access enforcement update for policies targeting All resources with resource exclusions has now been completed in your tenant.

As previously communicated, this update improves enforcement consistency for certain authentication flows as part of Microsoft's Secure Future Initiative.

What changed

Conditional Access policies that target All resources and have exclusions will now also apply to sign-ins that request only baseline scopes (OIDC scopes or a limited set of directory scopes).

What this means for your organization

Users signing in through a client application that requests only the baseline scopes may receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement.

The specific challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.
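To see which policies fall under this change, the following added example (not part of the original notice or Microsoft's tooling) filters a policy export for the two policy shapes named above and reports their grant controls. It assumes the export uses the Microsoft Graph conditionalAccessPolicy JSON shape; the function name `affected_policies`, the policy names and the excluded app IDs are constructed for illustration.

```python
import json

# Well-known application ID of Azure AD Graph.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects;
# policy names and the excluded/targeted app IDs are placeholders.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "MFA for all apps except HR portal", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["11111111-1111-1111-1111-111111111111"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Compliant device for Azure AD Graph",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {
    "includeApplications": ["00000002-0000-0000-c000-000000000000"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Block legacy portal", "state": "enabled",
  "conditions": {"applications": {
    "includeApplications": ["22222222-2222-2222-2222-222222222222"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")


def affected_policies(policies):
    """Return policies whose controls can now challenge baseline-scope sign-ins."""
    findings = []
    for policy in policies:
        apps = (policy.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if "All" in include and exclude:
            reason = "all-resources-with-exclusions"
        elif AAD_GRAPH_APP_ID in include:
            reason = "targets-azure-ad-graph"
        else:
            continue  # not one of the two policy shapes the notice names
        grant = policy.get("grantControls") or {}
        findings.append({
            "policy": policy.get("displayName"),
            "reason": reason,
            "controls": grant.get("builtInControls") or [],
            "enforced": policy.get("state") == "enabled",  # report-only is False
        })
    return findings
```

Calling `affected_policies(SAMPLE_EXPORT)` returns one entry per matching policy; entries with `enforced` set to `False` are report-only or disabled and will not challenge users.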

Recommended actions

If you previously opted out or customized behavior, your tenant will continue to use your selected configuration. You can enable the updated enforcement behavior at any time. Refer to the links below for additional guidance and configuration options.