Conditional Access tightens: resource exclusions now enforced
By Michal Lampe Sørensen · 5 min read · 29 June 2026
Verified against Microsoft Learn, June 2026
TL;DR
Starting 22 June 2026, Microsoft is rolling out a change under which Conditional Access policies that target all resources are enforced even when resource exclusions are configured. As a result, users may suddenly face requirements for multi-factor authentication (MFA) or device compliance where they previously passed through. Conditional Access requires Entra ID P1, included with Business Premium and Microsoft 365 E3 and E5. Review your policies before the change lands.
What is Conditional Access, and what does it require?
Conditional Access is Microsoft's rule engine for when a user may access a resource, and under which conditions. A typical rule reads: "If someone signs in to Outlook from outside, require multi-factor authentication."
MFA stands for multi-factor authentication, meaning you confirm your identity with more than just a password, for example an authenticator app on your phone.
Conditional Access requires Entra ID P1, included with Microsoft 365 Business Premium, Microsoft 365 E3, E5 and E7. It is the foundation under much of a NIS2- and D-mærke-ready setup, because requirements for MFA and compliant devices are enforced right here.
What exactly changes?
A Conditional Access policy can target "all resources". At the same time you can exclude individual resources from the policy (a so-called resource exclusion).
Today, in certain sign-in scenarios the policy is not activated at all if a resource exclusion exists. Microsoft is changing that.
After the change, the policy is applied even when resource exclusions are configured. That means a user can be met with extra requirements, for example MFA or a requirement for a compliant device, in situations where access previously went through without them.
Microsoft describes it as improved and more consistent enforcement. The rollout begins 22 June 2026 and happens gradually in your environment over the following roughly two weeks. You receive a confirmation once it is complete.
Who is affected, and what should you do?
The change only affects you if you have Conditional Access policies targeting all resources and using resource exclusions. If you don't, nothing happens.
Here is how to prepare:
- Review your policies. Find the ones targeting all resources with exclusions, and assess whether the new, stricter enforcement causes problems for legitimate users.
- Test with report-only mode. Optionally set a policy to "report-only" so you can see the effect before it is enforced.
- Keep the old behavior if needed. Microsoft recommends accepting the new behavior, but if you need to keep the old one you can adjust it via "Baseline scope settings".
Microsoft's own recommendation is to accept the change, because it closes a gap where policies were not enforced as expected.
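For the "review your policies" step, here is an added example (not from Microsoft or from the original article) that filters an export of your policies down to the affected combination. It assumes the export has the JSON shape Microsoft Graph returns from `/identity/conditionalAccess/policies`; the sample policies, names and IDs are constructed, and `policies_to_review` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape Microsoft Graph returns from
# GET /identity/conditionalAccess/policies (names and IDs are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require MFA for all resources", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
     "excludeApplications": ["00000000-0000-0000-0000-000000000001"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Compliant device everywhere", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"displayName": "MFA for one app", "state": "enabled",
  "conditions": {"applications": {
     "includeApplications": ["00000000-0000-0000-0000-000000000002"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Draft session policy", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"],
     "excludeApplications": ["00000000-0000-0000-0000-000000000003"]}},
  "grantControls": null}
]}
""")

def policies_to_review(export):
    """Return policies that target all resources AND carry resource exclusions."""
    findings = []
    for policy in export.get("value", []):
        apps = (policy.get("conditions") or {}).get("applications") or {}
        included = apps.get("includeApplications") or []
        excluded = apps.get("excludeApplications") or []
        if "All" not in included or not excluded:
            continue  # not the combination this change affects
        grant = policy.get("grantControls") or {}  # null for session-only policies
        findings.append({
            "name": policy.get("displayName"),
            "state": policy.get("state"),
            "excluded": excluded,
            "controls": grant.get("builtInControls") or [],
        })
    # Enforced policies first: that is where users will notice the change.
    return sorted(findings, key=lambda f: f["state"] != "enabled")

if __name__ == "__main__":
    for f in policies_to_review(SAMPLE_EXPORT):
        print(f"{f['state']}: {f['name']} excludes {len(f['excluded'])} resource(s), requires {f['controls']}")
```

Each policy it lists is a candidate for report-only testing, and the excluded IDs tell you which resources to check with their owners.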
The license angle: Conditional Access and Entra ID P1
Conditional Access is not a free feature. It requires Entra ID P1, and it is worth knowing which plans include it:
| Plan | Conditional Access (Entra ID P1) |
|---|---|
| Business Basic | No |
| Business Standard | No |
| Business Premium | Yes |
| Microsoft 365 E3 | Yes |
| Microsoft 365 E5 | Yes |
If you run Business Basic or Standard and want to use Conditional Access, for example to require MFA from outside, you must either purchase Entra ID P1 or move up to Business Premium. For most smaller businesses, Business Premium is the most complete path, because you also get device management and threat protection.
Source: Microsoft Message Center MC1400649, and Microsoft Learn on Conditional Access.
Frequently asked questions
Will we be affected by the change?
Only if you have Conditional Access policies targeting all resources that also use resource exclusions. If you don't have that combination, nothing changes for you.
What might users experience?
In the scenarios where a policy was previously skipped because of an exclusion, the user may now meet the policy's requirements, typically multi-factor authentication or a requirement for a compliant device.
Can we turn the change off?
Microsoft recommends accepting the new behavior. If you need to keep the previous functionality, you can adjust it via "Baseline scope settings" in Entra. Follow Microsoft's documentation for the exact procedure.
Want a second opinion on your licenses?
I'm an independent Microsoft 365 consultant and help Danish companies choose the right plan and avoid overpaying. Write to me and I'll get back to you.
Get in touch, or email directly to mso@ihanstholm.dk