{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiduka3m4j7ja7kfqsymyj67eydpfgrr66ja4zsjovosnwbnnszgnm",
    "uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3molzxbddl7w2"
  },
  "description": "Conditional Access enforcement update completed in your tenant\n\nThe rollout of the Conditional Access enforcement update for policies targeting All resources with resource exclusions has now been completed in your tenant.\n\nAs previously communicated, this update improves enforcement consistency for certain authentication flows as part of Microsoft's Secure Future Initiative.\n\nWhat changed\n\nConditional Access policies that target All resources and have exclusions will now also apply to sign-ins t",
  "path": "/m365-message-center/message/mc1395903/",
  "publishedAt": "2026-06-19T00:00:05.000Z",
  "site": "https://blog.tophhie.cloud",
  "tags": [
    "Secure Future Initiative",
    "OIDC scopes",
    "directory scopes",
    "Microsoft Learn documentation",
    "Access the configuration"
  ],
  "textContent": "Conditional Access enforcement update completed in your tenant\n\n**The rollout of the Conditional Access enforcement update for policies targeting All resources with resource exclusions has now been completed in your tenant.**\n\nAs previously communicated, this update improves enforcement consistency for certain authentication flows as part of Microsoft's Secure Future Initiative.\n\n**What changed**\n\nConditional Access policies that target All resources and have exclusions will now also apply to sign-ins that request only baseline scopes (OIDC scopes or a limited set of directory scopes).\n\n**What this means for your organization**\n\nUsers signing in through a client application that requests only the baseline scopes may receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement.\n\nThe specific challenge depends on the access controls configured in your policies that target All resources or policies that explicitly target Azure AD Graph as a resource.\n\n**Recommended actions**\n\nIf you previously opted out or customized behavior, your tenant will continue to use your selected configuration. You can enable the updated enforcement behavior at any time. Refer to the links below for additional guidance and configuration options.\n\n  * Microsoft Learn documentation\n  * Access the configuration\n\n",
  "title": "MC1395903: Completed: Conditional Access enforcement update for policies with resource exclusions",
  "updatedAt": "2026-06-19T00:00:06.017Z"
}