Microsoft Entra Conditional Access All Resources Update

Introduction: why this matters

Conditional Access (CA) is a cornerstone control for enforcing MFA, device compliance, and session restrictions. Microsoft is tightening CA enforcement as part of its Secure Future Initiative to reduce scenarios where sign-ins can unintentionally evade policy evaluation—particularly for client apps that request only a limited set of scopes.

What’s changing

Today, a gap can occur when a CA policy targets “All resources” but also includes resource exclusions. In specific cases—when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes—Microsoft notes that these “All resources” policies may not be enforced.

Starting with this update:

• CA policies targeting “All resources” will be enforced even when resource exclusions are present for these sign-ins.
• The goal is consistent CA enforcement regardless of the scope set requested by the application.
• Users may now receive CA challenges (for example: MFA, device compliance, or other access controls) during sign-in flows that previously did not trigger them.

Rollout timeline

• Enforcement begins: March 27, 2026
• Rollout model: progressive across all clouds
• Completion window: over several weeks through June 2026

Who is affected

Only tenants with the following configuration are impacted:

• At least one Conditional Access policy that targets All resources (All cloud apps)
• The same policy has one or more resource exclusions

Microsoft will notify impacted tenants through Microsoft 365 Message Center posts.

Impact for admins and end users

Admin impact

• Sign-in outcomes for certain client applications may change, especially where apps rely on requesting minimal scopes.
• Policies that also explicitly target Azure AD Graph (where applicable in your environment/policy history) may be involved in the resulting challenges depending on your configured controls.

End-user impact

• Users may see new prompts (MFA, compliant device requirements, etc.) when authenticating with affected applications—where previously access may have proceeded without CA enforcement.

Recommended actions / next steps

• Most organizations: No action required.
  • Most applications request broader scopes and are already subject to CA enforcement.
• If you have custom apps registered in your tenant that intentionally request only the limited scopes: Review and test.
  • Validate that these applications can properly handle Conditional Access challenges.
  • If they cannot, update the app using Microsoft’s Conditional Access developer guidance so authentication flows (interactive prompts, device signals, etc.) are handled correctly.
• Operational readiness:
  • Monitor Message Center notifications.
  • Use sign-in logs and Conditional Access troubleshooting/audience reporting to identify which apps and policies are triggering new challenges during the rollout.

This change is designed to close a defense-in-depth gap and make “All resources” Conditional Access policies behave more predictably—so it’s worth proactively validating any minimal-scope custom apps before enforcement reaches your tenant.