Conditional Access policies now apply to Windows Hello for Business and macOS Platform SSO registration

Message ID: MC1326253
Service: Microsoft Entra
Category: Stay Informed
Tags: New feature, User impact, Admin impact
Rollout: July 2026

Summary

Conditional Access policies will apply to Windows Hello for Business and macOS Platform SSO registration starting July 6, 2026, enforcing policy requirements like MFA and trusted locations during enrollment. Organizations should review and test policies, update documentation, and ensure users can meet requirements before rollout completes July 13, 2026.

Details

If your organization has Conditional Access policies scoped to Register security information, those policies will now apply when users set up Windows Hello for Business (WHfB) or register macOS Platform SSO credentials.

Today, these registration flows enforce MFA, but do not evaluate your registration-targeting Conditional Access policies — meaning requirements like authentication strength, trusted locations, or other CA conditions aren't enforced when users enroll WHfB or macOS Platform SSO credentials. This change closes that gap.

Organizations without these policies aren't affected.

When this will happen

• July 6, 2026: Gradual rollout begins.

• July 13, 2026: Rollout complete for all tenants.

How this affects your organization

Users registering WHfB or macOS PSSO credentials will need to satisfy your registration-targeting Conditional Access policy requirements before completing enrollment. For example, a user might need to use an existing FIDO2 security key, approve a push notification in Microsoft Authenticator, or connect from a trusted network location — depending on what your policies require. Any Grant controls you've configured will apply.

Users who don't meet the requirements will be blocked from completing registration until the conditions are met.

Action recommended

  1. In Entra admin center > Protection > Conditional Access, find policies targeting Register security information.
  2. Review Grant controls — check what requirements users must satisfy during registration (authentication strength, trusted locations, MFA method).
  3. Consider whether users setting up a new device can meet your policy requirements — for example, make sure users have a FIDO2 security key or other qualifying credential available before they start device setup.
  4. Test with report-only mode before enforcement reaches your tenant.
  5. Update helpdesk docs — users may see a new authentication prompt during device setup.
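
Steps 1, 2 and 4 can also be checked offline against an export of the tenant's Conditional Access policies. The script below is an added example, not Microsoft's code: it assumes the policies were exported as JSON in the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`, and the sample policies in it are constructed for illustration.

```python
# Graph identifier for the "Register security information" user action.
REGISTER_ACTION = "urn:user:registersecurityinfo"

# Constructed sample, shaped like the "value" array returned by Microsoft Graph
# GET /identity/conditionalAccess/policies. Names and settings are made up.
SAMPLE_POLICIES = [
    {"displayName": "Registration: MFA from untrusted networks", "state": "enabled",
     "conditions": {"applications": {"includeUserActions": [REGISTER_ACTION]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Registration: phishing-resistant (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeUserActions": [REGISTER_ACTION]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "All apps: require MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def registration_policies(policies):
    """Summarize policies scoped to the Register security information action."""
    findings = []
    for policy in policies:
        cond = policy.get("conditions") or {}
        apps = cond.get("applications") or {}
        actions = [a.lower() for a in (apps.get("includeUserActions") or [])]
        if REGISTER_ACTION not in actions:
            continue  # not scoped to the registration user action
        grant = policy.get("grantControls") or {}
        strength = (grant.get("authenticationStrength") or {}).get("displayName")
        locations = cond.get("locations") or {}
        findings.append({
            "name": policy.get("displayName"),
            "state": policy.get("state"),
            "enforced": policy.get("state") == "enabled",
            "controls": list(grant.get("builtInControls") or []),
            "auth_strength": strength,
            "excluded_locations": list(locations.get("excludeLocations") or []),
        })
    return findings

if __name__ == "__main__":
    for f in registration_policies(SAMPLE_POLICIES):
        mode = "ENFORCED" if f["enforced"] else f["state"]
        print(f'{f["name"]}: {mode}, controls={f["controls"]}, '
              f'strength={f["auth_strength"]}, excludes={f["excluded_locations"]}')
```

Policies reported as `enabledForReportingButNotEnforced` are in report-only mode; those reported as enforced are the ones users will have to satisfy during WHfB or macOS Platform SSO registration.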

If you experience issues during the rollout window (July 6–July 13), contact Microsoft Support or your account team for assistance.

Learn more: Require MFA for security info registration
