
(Updated) Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions

Message ID
MC1223829
Service
Microsoft Entra
Category
Stay Informed
Tags
Feature update, User impact, Admin impact
Rollout
May 2026

Summary

Starting May 13, 2026, Conditional Access policies targeting All resources will be enforced even if they have resource exclusions, affecting sign-ins requesting only certain OIDC or directory scopes. Most organizations need no action, but custom apps requesting only these scopes should ensure they handle Conditional Access challenges.

Details

Updated March 20, 2026: We have updated the timeline and content. Thank you for your patience. 

You are receiving this message because our telemetry indicates that you have at least one Conditional Access policy targeting All resources with one or more resource exclusions.

As described in this Microsoft Entra Blog post, we’re enhancing how Conditional Access policies that target All resources and have resource exclusions are enforced for a narrow set of authentication flows. This is a proactive security measure in alignment with Microsoft’s ongoing commitment to defense-in-depth.

What is changing?

Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.

After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. Read more about this change.

In addition, customers who have scenarios that may be impacted by this change will have the ability to retain the current behavior while they assess impact and transition to the recommended Conditional Access enforcement. Additional details and guidance on this capability will be communicated in a future update.

When will you see this change?

Enforcement will now begin on May 13, 2026, and will be rolled out progressively over several weeks.

How will this affect your organization?

When a user signs in through a client application that requests only the scopes listed above, users may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The exact challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.

What do you need to do to prepare?

In most cases, no action is required, as most client applications request additional scopes beyond those listed above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior.

If you have custom applications that are intentionally designed to request only the scopes listed above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.
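One way to find which of your tenant's policies fall under this change, and to see which access controls those sign-ins will now be subject to. This is an added example, not code from the message or from Microsoft; it assumes policy objects in the shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies (fields displayName, state, conditions.applications.includeApplications / excludeApplications, grantControls.builtInControls), and the well-known Azure AD Graph application ID used below is an assumption not stated on the page.

```python
import json
import sys

# Well-known application ID of Azure AD Graph ("Windows Azure Active Directory").
# Assumed from public documentation; the message itself does not list it.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

# Constructed sample policies in the Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["11111111-2222-3333-4444-555555555555"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Compliant device for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Report-only: Azure AD Graph", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [AAD_GRAPH_APP_ID], "excludeApplications": []}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Disabled legacy policy", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": ["22222222-0000-0000-0000-000000000000"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def _apps(policy):
    return (policy.get("conditions") or {}).get("applications") or {}

def affected_policies(policies):
    """Policies whose enforcement changes: not disabled, target All resources, and have at
    least one resource exclusion. Before the change these were skipped for sign-ins that
    request only OIDC or a limited set of directory scopes; afterwards they are enforced."""
    hits = []
    for p in policies:
        apps = _apps(p)
        targets_all = "All" in (apps.get("includeApplications") or [])
        has_exclusions = bool(apps.get("excludeApplications"))
        if p.get("state") != "disabled" and targets_all and has_exclusions:
            hits.append({"displayName": p["displayName"], "state": p["state"],
                         "controls": (p.get("grantControls") or {}).get("builtInControls", []),
                         "exclusions": list(apps["excludeApplications"])})
    return hits

def policies_targeting_aad_graph(policies):
    """Policies that explicitly target Azure AD Graph; their controls also shape the challenge."""
    return [p["displayName"] for p in policies
            if p.get("state") != "disabled" and AAD_GRAPH_APP_ID in (_apps(p).get("includeApplications") or [])]

if __name__ == "__main__":
    # Pass a JSON file exported from the Graph endpoint (the "value" array), or run on the sample.
    policies = json.load(open(sys.argv[1]))["value"] if len(sys.argv) > 1 else SAMPLE_POLICIES
    print(json.dumps({"affected": affected_policies(policies),
                      "explicit_aad_graph": policies_targeting_aad_graph(policies)}, indent=2))
```

Policies listed under "affected" are the ones for which custom apps requesting only OIDC or directory scopes will start to see the listed controls (for example mfa or compliantDevice) as challenges.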

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Change History

March 20, 2026 at 4:31 PM Updated
Summary
Previous
Starting March 27, 2026, Conditional Access policies targeting All resources will be enforced even if they have resource exclusions, affecting sign-ins requesting only certain OIDC or directory scopes. Most organizations need no action unless custom apps request only these scopes and cannot handle Conditional Access challenges.
New
Starting May 13, 2026, Conditional Access policies targeting All resources will be enforced even if they have resource exclusions, affecting sign-ins requesting only certain OIDC or directory scopes. Most organizations need no action, but custom apps requesting only these scopes should ensure they handle Conditional Access challenges.
Last Updated Date
Previous
2026-01-30T21:38:50.837Z
New
2026-03-20T16:05:12.450Z
Body Content
Previous

Updated January 30, 2026: We have updated the content. Thank you for your patience. 

You are receiving this message because our telemetry indicates that you have at least one Conditional Access policy targeting All resources with one or more resource exclusions.

As described in this Microsoft Entra Blog post, we’re enhancing how Conditional Access policies that target All resources and have resource exclusions are enforced for a narrow set of authentication flows. This is a proactive security measure in alignment with Microsoft’s ongoing commitment to defense-in-depth.

What is changing?

Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.

After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. Read more about this change.

When will you see this change?

Microsoft Entra ID will begin enforcing this change starting March 27, 2026. This will be rolled out progressively over several weeks until June 2026.

How will this affect your organization?

When a user signs in through a client application that requests only the scopes listed above, users may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The exact challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.

What do you need to do to prepare?

In most cases, no action is required, as most client applications request additional scopes beyond those listed above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior.

If you have custom applications that are intentionally designed to request only the scopes listed above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

New

Updated March 20, 2026: We have updated the timeline and content. Thank you for your patience. 

You are receiving this message because our telemetry indicates that you have at least one Conditional Access policy targeting All resources with one or more resource exclusions.

As described in this Microsoft Entra Blog post, we’re enhancing how Conditional Access policies that target All resources and have resource exclusions are enforced for a narrow set of authentication flows. This is a proactive security measure in alignment with Microsoft’s ongoing commitment to defense-in-depth.

What is changing?

Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.

After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. Read more about this change.

In addition, customers who have scenarios that may be impacted by this change will have the ability to retain the current behavior while they assess impact and transition to the recommended Conditional Access enforcement. Additional details and guidance on this capability will be communicated in a future update.

When will you see this change?

Enforcement will now begin starting May 13, 2026, and will be rolled out progressively over several weeks.

How will this affect your organization?

When a user signs in through a client application that requests only the scopes listed above, users may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The exact challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.

What do you need to do to prepare?

In most cases, no action is required, as most client applications request additional scopes beyond those listed above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior.

If you have custom applications that are intentionally designed to request only the scopes listed above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

January 30, 2026 at 10:30 PM Updated
Title
Previous
Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
New
(Updated) Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
Summary
Previous
Starting March 27, 2026, Conditional Access policies targeting All resources will be enforced even if resource exclusions exist, affecting sign-ins requesting only certain OIDC or directory scopes. Most organizations need no action unless custom apps request only those scopes and cannot handle Conditional Access challenges.
New
Starting March 27, 2026, Conditional Access policies targeting All resources will be enforced even if they have resource exclusions, affecting sign-ins requesting only certain OIDC or directory scopes. Most organizations need no action unless custom apps request only these scopes and cannot handle Conditional Access challenges.
Last Updated Date
Previous
2026-01-29T00:44:53.503Z
New
2026-01-30T21:38:50.837Z
Tags
Previous
Feature update,User impact,Admin impact
New
Updated message,Feature update,User impact,Admin impact
Body Content
Previous

You are receiving this message because our telemetry indicates that you have at least one Conditional Access policy targeting All resources with one or more resource exclusions.

As described in this Microsoft Entra Blog post, we’re enhancing how Conditional Access policies that target All resources and have resource exclusions are enforced for a narrow set of authentication flows. This is a proactive security measure in alignment with Microsoft’s ongoing commitment to defense-in-depth.

What is changing?

Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.

After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. Read more about this change.

When will you see this change?

Microsoft Entra ID will begin enforcing this change starting March 27, 2026. This will be rolled out progressively over several weeks until June 2026.

How will this affect your organization?

When a user signs in through a client application that requests only the scopes listed above, users may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The exact challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.

What do you need to do to prepare?

In most cases, no action is required, as most client applications request additional scopes beyond those listed above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior.

If you have custom applications that are intentionally designed to request only the scopes listed above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.

  • If they already handle Conditional Access challenges: no changes are required.
  • If they do not, updates may be needed. Refer to the Microsoft Conditional Access developer guidance on how to update your application appropriately. 

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

New

Updated January 30, 2026: We have updated the content. Thank you for your patience. 

You are receiving this message because our telemetry indicates that you have at least one Conditional Access policy targeting All resources with one or more resource exclusions.

As described in this Microsoft Entra Blog post, we’re enhancing how Conditional Access policies that target All resources and have resource exclusions are enforced for a narrow set of authentication flows. This is a proactive security measure in alignment with Microsoft’s ongoing commitment to defense-in-depth.

What is changing?

Today, when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes, Conditional Access policies that target All resources are not enforced if the policy has one or more resource exclusions.

After this change, Conditional Access policies that target All resources will be enforced for these sign-ins, even when resource exclusions are present. Read more about this change.

When will you see this change?

Microsoft Entra ID will begin enforcing this change starting March 27, 2026. This will be rolled out progressively over several weeks until June 2026.

How will this affect your organization?

When a user signs in through a client application that requests only the scopes listed above, users may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The exact challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.

What do you need to do to prepare?

In most cases, no action is required, as most client applications request additional scopes beyond those listed above and are already subject to Conditional Access enforcement. In such cases, there is no change in behavior.

If you have custom applications that are intentionally designed to request only the scopes listed above, evaluate whether they can handle Conditional Access challenges such as MFA or device compliance.

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.
