Microsoft’s Upcoming Change to Entra Conditional Access: Low-Risk Sign-Ins to Trigger All Resources Policies – Are You Prepared?

Get Ready: Microsoft’s Game-Changer Update to Entra Conditional Access

Attention tech professionals! A new wave is coming, and it’s time to brace yourselves for Microsoft’s latest update to Entra Conditional Access. This game-changer, effective March 27, 2026, will significantly impact how you manage low-scope sign-ins and resource exclusions.

Low-Scope Sign-Ins: All Resources Policies Apply

Microsoft is expanding the scope of its All resources policies to include low-risk sign-ins, such as OpenID Connect (OIDC) and directory sign-ins.

“This update is designed to enhance security and simplify policy management,” Microsoft stated.

Resource Exclusions: No Longer an Exemption

The days of bypassing Conditional Access enforcement with resource exclusions are numbered.

“Resource exclusions will no longer exempt these authentication flows from Conditional Access enforcement,” Microsoft clarified.

Impacted Tenants and Rollout Timeline

Tenants with policies targeting All resources and one or more exclusions will be affected. The rollout begins March 27, 2026, and is expected to complete across all clouds by June 2026.
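To check whether a tenant falls into the affected group, the condition above can be run over a policy export. This is an added example, not code from Microsoft or from this article: it assumes the policies were exported as JSON from the Microsoft Graph conditional access policies endpoint, uses constructed sample data, and treats skipping disabled policies as an assumption. It also lists which challenges (MFA, device compliance) each flagged policy would present to apps.

```python
import json

# Constructed sample, shaped like the Microsoft Graph response to
# GET /identity/conditionalAccess/policies. Names and app IDs are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "MFA for all apps except HR portal", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-00000000aaaa"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Compliant device pilot", "state": "enabledForReportingButNotEnabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-00000000bbbb"]}},
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "Old policy", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-00000000cccc"]}},
  "grantControls": null}
]}
""")

# Grant controls the article says custom apps must be able to handle.
CHALLENGES = {"mfa": "MFA", "compliantDevice": "device compliance"}

def affected_policies(export):
    """Return policies that target All resources and carry at least one exclusion."""
    findings = []
    for policy in export.get("value", []):
        apps = (policy.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if "All" not in include or not exclude:
            continue  # not the "All resources plus exclusions" shape
        if policy.get("state") == "disabled":
            continue  # assumption: disabled policies are out of scope for review
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        findings.append({"policy": policy.get("displayName"),
                         "state": policy.get("state"),
                         "excluded_apps": list(exclude),
                         "challenges": sorted(CHALLENGES[c] for c in controls if c in CHALLENGES)})
    return findings

if __name__ == "__main__":
    for finding in affected_policies(SAMPLE_EXPORT):
        print(finding)
```

Report-only policies are kept in the output with their state so they can be reviewed before they are switched on.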

Custom Apps: Handle MFA or Device Compliance Challenges

Custom apps using only listed scopes must handle Multi-Factor Authentication (MFA) or device compliance challenges to maintain access.

“This update empowers organizations to secure their applications and data more effectively,” Microsoft emphasized.

In summary, Microsoft’s update to Entra Conditional Access signifies a new era of enhanced security and streamlined policy management. Prepare your tenants and applications for this change to ensure a smooth transition and maintain uninterrupted access.

Stay informed and ahead of the curve. Keep an eye on Microsoft’s official documentation and community forums for more details and updates.

Are you ready for this game-changer? Share your thoughts and experiences in the comments below!

Key points from the article:

  • Starting March 27, 2026, low-risk sign-ins, including OpenID Connect (OIDC) and directory sign-ins, will now be subject to Microsoft’s All resources policies.
  • Resource exclusions will no longer bypass Conditional Access enforcement for these authentication flows.
  • The rollout begins March 27, 2026, and is expected to complete across all clouds by June 2026.
  • Tenants with policies targeting All resources and one or more exclusions will be impacted.
  • Custom apps using only listed scopes must handle Multi-Factor Authentication (MFA) or device compliance challenges to maintain access.