Microsoft Entra ID is changing how Conditional Access evaluates a narrow set of sign-in flows. Starting March 27, 2026, sign-ins that previously slipped past enforcement will be evaluated against policy. The goal is consistent policy application when “All resources” policies also carry resource exclusions.
Main change: stronger Conditional Access enforcement with exclusions
Today, when a client app requests only OpenID Connect (OIDC) scopes or a limited set of directory scopes, Conditional Access can fail to apply. The gap appears when a policy targets “All resources” and also excludes one or more resources. After the change, Microsoft will enforce “All resources” policies on these sign-ins even when exclusions exist. Adding an exclusion for one resource will no longer leave unrelated low-scope sign-ins outside enforcement, which closes a bypass condition and improves defense-in-depth.
Practical implications for MFA, device compliance, and app behavior
Users signing in through affected client apps may see new Conditional Access prompts, such as MFA or a device-compliance check. The exact challenge depends on the grant controls in your policies targeting “All resources” or Azure AD Graph. Most tenants will not need changes, because most apps already request broader scopes that are covered today. Custom apps that request only the listed scopes should be tested to confirm they can complete the Conditional Access challenge.
“After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present.”
Microsoft will roll this out progressively across all clouds from March 27, 2026 through June 2026. If you have “All resources” policies with exclusions, review the Microsoft 365 Message Center notice and validate critical apps before enforcement reaches your tenant. Prioritize fixing custom clients that cannot complete an interactive challenge such as MFA, since those sign-ins will be denied rather than prompted once the policy applies to them.
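The first inventory step is to find every enabled or report-only policy that targets “All resources” and also excludes at least one resource, since those are the only policies whose effective scope widens. The script below is an added example, not Microsoft's code or anything from the original article. It consumes a policy export in the shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies (conditions.applications.includeApplications / excludeApplications, state, grantControls.builtInControls); the embedded export is constructed sample data with placeholder application IDs, not a real tenant.

```python
"""Flag Conditional Access policies whose enforcement scope widens with the
March 2026 change: enabled or report-only policies that target All resources
and also exclude one or more resources. Added example; constructed data."""
import json

# Constructed sample export mirroring the Graph conditionalAccessPolicy
# resource. Application IDs are placeholders, not real app registrations.
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "displayName": "Require MFA for all users",
            "state": "enabled",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": []}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Require compliant device, except the legacy printing portal",
            "state": "enabled",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["11111111-1111-1111-1111-111111111111"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
        },
        {
            "displayName": "Block legacy authentication to Exchange",
            "state": "enabled",
            "conditions": {"applications": {
                "includeApplications": ["22222222-2222-2222-2222-222222222222"],
                "excludeApplications": []}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
        {
            "displayName": "Report-only: MFA for all, except the HR SaaS app",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["33333333-3333-3333-3333-333333333333"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Old pilot policy (disabled)",
            "state": "disabled",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["44444444-4444-4444-4444-444444444444"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
    ]
})

# Policies in these states evaluate sign-ins (report-only ones log the
# outcome instead of enforcing it); disabled policies do nothing either way.
ACTIVE_STATES = {"enabled", "enabledForReportingButNotEnforced"}


def targets_all_resources_with_exclusions(policy: dict) -> bool:
    """True when the resource scope is "All" and at least one resource is excluded."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    return "All" in include and len(exclude) > 0


def find_affected_policies(export_json: str) -> list:
    """Return the active policies that low-scope sign-ins will newly be evaluated against.

    Each entry records the policy name, state, the excluded resource IDs and the
    grant controls a previously unchallenged sign-in may now be asked to satisfy.
    """
    policies = json.loads(export_json)["value"]
    affected = []
    for policy in policies:
        if policy.get("state") not in ACTIVE_STATES:
            continue
        if not targets_all_resources_with_exclusions(policy):
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        affected.append({
            "displayName": policy["displayName"],
            "state": policy["state"],
            "excludedResources": list(policy["conditions"]["applications"]["excludeApplications"]),
            "controls": list(controls),
        })
    return affected


if __name__ == "__main__":
    for entry in find_affected_policies(SAMPLE_EXPORT):
        print(f"{entry['displayName']} [{entry['state']}] -> "
              f"controls={entry['controls']} excludes={entry['excludedResources']}")
```

Against a real tenant, replace SAMPLE_EXPORT with the JSON body from the Graph endpoint above (or the equivalent object list from Get-MgIdentityConditionalAccessPolicy serialized to JSON). The controls column tells you what a custom client that requests only OIDC or directory scopes must now be able to satisfy: a policy whose only control is "mfa" needs an interactive sign-in path, while "compliantDevice" additionally needs the client to run on a managed device. Report-only matches are worth keeping in the list because they show you, ahead of enforcement, which sign-ins the policy would start catching.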
Key points from the article:
- Low-scope OIDC/directory sign-ins will now trigger “All resources” Conditional Access policies.
- Resource exclusions no longer bypass enforcement for those authentication flows.
- Rollout starts March 27, 2026 and completes across clouds by June 2026.
- Affected tenants: those with policies targeting “All resources” that have one or more exclusions.
- Custom apps using only the listed scopes must be able to complete MFA or device-compliance challenges.
Source: Microsoft Entra Blog.
