
The update tightens security controls, potentially increasing authentication friction for affected users and forcing administrators to reassess Conditional Access configurations to maintain compliance and user experience.
Microsoft Entra’s Conditional Access engine has long been a cornerstone of zero‑trust security, letting organizations dictate when multi‑factor authentication or device compliance is required. By extending enforcement to sign‑ins that request only OpenID Connect (OIDC) scopes, Microsoft is closing a gap that some tenants have been relying on without realizing it. The change begins on March 27, 2026 and rolls out gradually through June 2026, a shift toward more uniform policy application that ensures even lightweight client applications cannot sidestep critical security checks.
The technical nuance lies in how resource exclusions are handled. Previously, a Conditional Access policy that targeted all resources but excluded specific ones was not applied to sign‑ins from OIDC‑only clients, so those sign‑ins bypassed the policy’s controls entirely. After the change, the exclusions no longer shield the sign‑in flow: MFA prompts or device‑compliance requirements fire according to the policy’s original intent. The adjustment therefore affects tenants whose broad‑scope policies also contain exclusions, and it can increase authentication prompts for users reaching SaaS apps, mobile clients, or custom APIs that request only minimal scopes.
For IT leaders, the immediate action is a comprehensive audit of Conditional Access rules. Identify every policy that targets all resources and also lists exclusions, then decide whether each exclusion is still necessary or whether the policy should be re‑architected. Narrowing policy scope, consolidating exclusions, or using named locations to limit prompts to untrusted networks can all reduce unexpected user friction. Updating configurations before the rollout completes in June 2026 lets organizations preserve a seamless user experience while reinforcing their zero‑trust posture.
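The audit described above can be scripted. The following is an added example written for this page, not code from the article or from Microsoft: it classifies Conditional Access policy objects in the JSON shape returned by the Microsoft Graph endpoint `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (fields `state`, `conditions.applications.includeApplications`, `conditions.applications.excludeApplications`, `grantControls.builtInControls`), and flags the "all resources plus exclusions" shape the change affects. The sample policies, their names and GUIDs are constructed for illustration, and the set of OIDC‑only scopes (`openid`, `profile`, `email`, `offline_access`) is an assumption about which scopes carry no resource of their own.

```python
"""Flag Conditional Access policies in the "All resources + exclusions" shape.

Added example, not the article's or Microsoft's code.  Policy objects are
hand-built to mirror the Graph conditionalAccessPolicy resource; all names and
GUIDs are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumption: scopes that name no resource of their own.  A token request made
# up only of these is "OIDC-only" in the sense the article uses.
OIDC_SCOPES = frozenset({"openid", "profile", "email", "offline_access"})

# Graph policy states that actually evaluate sign-ins.
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def is_oidc_only(scopes: List[str]) -> bool:
    """True when a sign-in requests nothing but OIDC scopes (no resource scope)."""
    return bool(scopes) and all(s.lower() in OIDC_SCOPES for s in scopes)


@dataclass
class Finding:
    policy_id: str
    display_name: str
    state: str
    excluded: List[str]
    controls: List[str]


def affected_policies(policies: List[Dict[str, Any]],
                      include_report_only: bool = True) -> List[Finding]:
    """Return policies that target "All" applications AND list exclusions.

    Those are the policies that, per the change, will newly apply to OIDC-only
    sign-ins.  Policies scoped to specific apps, or "All" with no exclusions,
    are unaffected and are not reported.
    """
    wanted_states = {ENFORCED, REPORT_ONLY} if include_report_only else {ENFORCED}
    findings: List[Finding] = []
    for pol in policies:
        if pol.get("state") not in wanted_states:
            continue
        apps = (pol.get("conditions") or {}).get("applications") or {}
        includes = apps.get("includeApplications") or []
        excludes = apps.get("excludeApplications") or []
        if "All" not in includes or not excludes:
            continue
        controls = (pol.get("grantControls") or {}).get("builtInControls") or []
        findings.append(Finding(pol["id"], pol.get("displayName", ""),
                                pol["state"], list(excludes), list(controls)))
    return findings


# Constructed sample, shaped like the Graph response (values are placeholders).
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {"id": "pol-1", "displayName": "Require MFA for all users", "state": ENFORCED,
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["11111111-1111-1111-1111-111111111111"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"id": "pol-2", "displayName": "Compliant device for one app", "state": ENFORCED,
     "conditions": {"applications": {"includeApplications": ["22222222-2222-2222-2222-222222222222"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"id": "pol-3", "displayName": "Block legacy auth", "state": ENFORCED,
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["block"]}},
    {"id": "pol-4", "displayName": "Report-only: compliant device", "state": REPORT_ONLY,
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["33333333-3333-3333-3333-333333333333"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"id": "pol-5", "displayName": "Old disabled policy", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["44444444-4444-4444-4444-444444444444"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


if __name__ == "__main__":
    for f in affected_policies(SAMPLE_POLICIES):
        print(f"{f.policy_id} [{f.state}] {f.display_name!r}: "
              f"{len(f.excluded)} exclusion(s), controls={f.controls}")
```

Against a live tenant, feed `affected_policies` the `value` array from the Graph response instead of `SAMPLE_POLICIES`; report‑only policies are included by default because they will start generating "would apply" entries for OIDC‑only sign‑ins too, which is useful for sizing the user impact before the rollout reaches your tenant.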