Microsoft Entra ID’s Conditional Access policies will soon enforce MFA and compliance checks more consistently.
Key Takeaways:
Microsoft has announced a major update to Conditional Access (CA) enforcement in Microsoft Entra ID. This upcoming change closes a long-standing loophole and ensures security measures are applied consistently across all sign-ins.
Currently, Microsoft Entra ID Conditional Access policies set to apply to “All resources” are not always enforced. This can happen when the policy includes one or more resource exclusions, or when a client application signs in requesting only OpenID Connect (OIDC) scopes or a limited set of directory scopes.
With this upcoming update, Microsoft Entra ID will enforce these Conditional Access policies even when resource exclusions exist, so that policy evaluation happens regardless of the scope set the application requests. The change aims to strengthen defense‑in‑depth and remove an enforcement loophole.
“When a user signs in through a client application that requests only the scopes listed above, they may now receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement. The specific challenge depends on the access controls configured in your policies that target “All resources” or explicitly target Azure AD Graph as the resource,” Microsoft explained.
Microsoft mentioned that this update is part of its Secure Future Initiative, which launched in November 2023. It will enforce Conditional Access more consistently to reduce the risk that certain sign‑ins unintentionally bypass protections like MFA or device compliance checks.
This upcoming change will affect organizations that have Conditional Access policies configured to apply to “All resources” and that also include one or more resource exclusions. However, it won’t affect commercial customers who do not use this specific policy setup.
Microsoft will begin rolling out this change on March 27, with full deployment across all cloud environments expected by June 2026. Organizations using custom-built or legacy applications that request only limited scopes should review and test these apps to ensure they can handle Conditional Access challenges, such as MFA or device compliance. Administrators may need to plan updates if their apps cannot fully support these security requirements.
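To see which of your own policies fall into the affected configuration described above, the following added example (not Microsoft's code) scans policies in the JSON shape that Microsoft Graph returns for `/identity/conditionalAccess/policies` and flags enabled ones that target “All resources” with exclusions, or that explicitly target Azure AD Graph. The sample policies and their GUIDs are constructed; in practice you would feed it the output of a Graph query.

```python
"""Flag Conditional Access policies that the enforcement change may start applying.

Added example, not Microsoft's code. Runs offline over the Graph
conditionalAccessPolicy shape (conditions.applications.includeApplications /
excludeApplications); plug in the real policy list from Graph to use it.
"""
import json

# Well-known first-party application ID for Azure AD Graph, the resource the
# announcement says some policies target explicitly.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"


def affected_policies(policies):
    """Return (displayName, reason) for enabled policies matching the announcement.

    Flags a policy that targets all resources AND has one or more resource
    exclusions, or that explicitly targets Azure AD Graph. Policies that are
    disabled or report-only enforce nothing, so they are skipped.
    """
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        apps = p.get("conditions", {}).get("applications", {}) or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if "All" in include and exclude:
            hits.append((p["displayName"], f"All resources with {len(exclude)} exclusion(s)"))
        elif AAD_GRAPH_APP_ID in include:
            hits.append((p["displayName"], "explicitly targets Azure AD Graph"))
    return hits


# Constructed sample policies in the Graph shape (application GUIDs are placeholders).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
   "excludeApplications": ["11111111-2222-3333-4444-555555555555"]}}},
 {"displayName": "Require MFA, no exclusions", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}}},
 {"displayName": "Compliant device for AAD Graph", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000002-0000-0000-c000-000000000000"],
   "excludeApplications": []}}},
 {"displayName": "Legacy block (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"],
   "excludeApplications": ["66666666-7777-8888-9999-000000000000"]}}}
]""")

if __name__ == "__main__":
    for name, reason in affected_policies(SAMPLE_POLICIES):
        print(f"{name}: {reason}")
```

Each flagged policy is one whose MFA or device-compliance controls may now be challenged for limited-scope sign-ins, so its exclusions are where to start the review of custom and legacy apps.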