Entra ID

Microsoft Entra Conditional Access All Resources Update

3 min read

Summary

Microsoft is updating Entra Conditional Access so policies targeting "All resources" will be enforced consistently even when resource exclusions exist, closing a gap where some sign-ins requesting only OIDC or limited directory scopes could bypass policy checks. Beginning March 27, 2026 and rolling out through June 2026, affected tenants may see more users prompted for MFA, device compliance, or other controls—making this important for organizations to review impacted Conditional Access policies and prepare for changes in sign-in behavior.

Audio Summary

0:00--:--
Need help with Entra ID?Talk to an Expert

Introduction: why this matters

Conditional Access (CA) is a cornerstone control for enforcing MFA, device compliance, and session restrictions. Microsoft is tightening CA enforcement as part of its Secure Future Initiative to reduce scenarios where sign-ins can unintentionally evade policy evaluation—particularly for client apps that request only a limited set of scopes.

What’s changing

Today, a gap can occur when a CA policy targets “All resources” but also includes resource exclusions. In specific cases—when a user signs in through a client application that requests only OIDC scopes or a limited set of directory scopes—Microsoft notes that these “All resources” policies may not be enforced.

Starting with this update:

  • CA policies targeting “All resources” will be enforced even when resource exclusions are present for these sign-ins.
  • The goal is consistent CA enforcement regardless of the scope set requested by the application.
  • Users may now receive CA challenges (for example: MFA, device compliance, or other access controls) during sign-in flows that previously did not trigger them.

Rollout timeline

  • Enforcement begins: March 27, 2026
  • Rollout model: progressive across all clouds
  • Completion window: over several weeks through June 2026

Who is affected

Only tenants with the following configuration are impacted:

  • At least one Conditional Access policy that targets All resources (All cloud apps)
  • The same policy has one or more resource exclusions

Microsoft will notify impacted tenants through Microsoft 365 Message Center posts.

Impact for admins and end users

Admin impact

  • Sign-in outcomes for certain client applications may change, especially where apps rely on requesting minimal scopes.
  • Policies that also explicitly target Azure AD Graph (where applicable in your environment/policy history) may be involved in the resulting challenges depending on your configured controls.

End-user impact

  • Users may see new prompts (MFA, compliant device requirements, etc.) when authenticating with affected applications—where previously access may have proceeded without CA enforcement.
  • Most organizations: No action required.
    • Most applications request broader scopes and are already subject to CA enforcement.
  • If you have custom apps registered in your tenant that intentionally request only the limited scopes: Review and test.
    • Validate that these applications can properly handle Conditional Access challenges.
    • If they cannot, update the app using Microsoft’s Conditional Access developer guidance so authentication flows (interactive prompts, device signals, etc.) are handled correctly.
  • Operational readiness:
    • Monitor Message Center notifications.
    • Use sign-in logs and Conditional Access troubleshooting/audience reporting to identify which apps and policies are triggering new challenges during the rollout.

This change is designed to close a defense-in-depth gap and make “All resources” Conditional Access policies behave more predictably—so it’s worth proactively validating any minimal-scope custom apps before enforcement reaches your tenant.

Need help with Entra ID?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by Swaroop Krishnamurthy
Entra IDConditional AccessMFAOAuth scopesidentity security

Related Posts

Entra ID

Microsoft Entra Backup and Recovery Enters Preview

Microsoft has launched Microsoft Entra Backup and Recovery in public preview, giving organizations a Microsoft-managed way to restore critical identity objects and configurations to a known-good state. The service helps IT teams recover faster from accidental admin changes, provisioning errors, and malicious modifications that could otherwise disrupt access and security.

Entra ID

Microsoft Entra External MFA Now Generally Available

Microsoft has announced general availability of external MFA in Microsoft Entra ID, allowing organizations to integrate trusted third-party MFA providers using OpenID Connect. The feature lets IT teams keep Microsoft Entra ID as the central identity control plane while maintaining Conditional Access, risk evaluation, and unified authentication method management.

Entra ID

Microsoft Entra RSAC 2026 Identity Security Updates

At RSAC 2026, Microsoft announced major Microsoft Entra updates aimed at securing not only users and devices but also AI agents, workloads, and modern multi-tenant environments. The new capabilities—such as expanded Entra Agent ID governance, shadow AI detection, prompt injection protection, passkey enhancements, and adaptive risk-based access—matter because they strengthen Zero Trust identity security as organizations adopt AI and face more dynamic access risks.

Entra ID

Microsoft Entra Secure Access Report 2026 on AI Risk

Microsoft’s Entra Secure Access Report 2026 says AI adoption is significantly increasing identity and network access risk, with 97% of organizations reporting an access-related incident in the past year and 70% tying incidents to AI activity. The report argues that fragmented identity and network tools are making the problem worse, which matters because more organizations are now moving toward consolidated access platforms to better secure AI tools, agents, and machine identities.

Entra ID

Microsoft Entra Access Priorities Webinar Series

Microsoft is launching the four-part Microsoft Entra Access Priorities webinar series to help IT teams turn its identity-first security strategy into practical deployment steps, with guidance on phishing-resistant authentication, adaptive access, least privilege, and securing AI-related access. The series matters because it gives organizations concrete tools, demos, and checklists to strengthen Zero Trust and prepare for an emerging Access Fabric model that spans users, apps, devices, and AI agents.

Entra ID

Microsoft Entra Internet Access AI Gateway Preview

Microsoft has previewed a secure web and AI gateway in Entra Internet Access that adds network-layer controls for enterprise AI use, including shadow AI detection, file filtering with Purview integration, and prompt injection protection. This matters because it gives organizations an identity-first way to discover unsanctioned AI tools, prevent sensitive data leakage, and enforce consistent security policies across devices and clouds without needing to modify applications.