5-MIN READ
Microsoft just gave your Conditional Access policies a quiet upgrade
Something I've noticed when reviewing Microsoft 365 environments with business leaders. Most organisations that have Conditional Access switched on assume it's covering everything. It's a reasonable assumption. You set the policies, you turned on MFA, your IT team confirmed it was working. Done.
What I've seen in practice is that "configured" and "covering everything" aren't always the same thing. Conditional Access had a specific gap built into how it handled certain sign-ins. Microsoft has now closed it, in June 2026, and most organisations won't have noticed it was ever there.
Before I explain what changed, it's worth understanding what Conditional Access actually does.
It's the part of Microsoft 365 that acts as a checkpoint for every sign-in to your environment. When a staff member logs in, it decides whether to let them through, prompt them for multi-factor authentication (MFA), or block access entirely. Most sign-ins were already being evaluated correctly. But a narrow category was slipping through.
Why were some sign-ins not being checked?
The gap existed because of how Conditional Access handled sign-ins from applications requesting only basic identity information.
Some tools that connect to your Microsoft 365 environment for simple tasks like calendar lookups or staff directory access only request low-privilege access. They're not asking for your files or emails. They just want to confirm who someone is. Because many Conditional Access policies had resource exclusions in place (exceptions carved out for specific applications), these sign-ins passed through without being checked at all.
A practice manager at an allied health clinic connected a third-party patient scheduling app to their Microsoft 365 account for calendar syncing and staff directory lookups. The app requested only basic profile data, so it was never evaluated by the clinic's Conditional Access policy. Nobody had reviewed its access since it was set up. From June 2026, sign-ins through that app are properly evaluated, and staff may see an MFA prompt they haven't seen before.
From 15 June 2026, those sign-ins are now properly evaluated.
What does this mean for my organisation day-to-day?
For most organisations, very little changes. Standard logins to Microsoft 365, Teams, SharePoint, and Outlook were always being evaluated. That doesn't change.
What might change is this.
Staff using certain third-party or custom applications may see MFA prompts they haven't encountered before. That's not something going wrong. It's the policy working correctly for the first time. A short period of unexpected prompts is a reasonable trade for a more complete picture of who is accessing your environment.
Brief your team. Let your helpdesk know what to expect.
There is a second change to act asap
Alongside the enforcement update, Microsoft is also retiring an older Conditional Access grant control called Require approved client app.
This control ensured staff on mobile devices could only access corporate data through approved Microsoft apps like Outlook and Teams. After 30 June 2026, Microsoft stops enforcing it. Any policy relying only on this control will stop protecting what it was built to protect.
The important thing. Nothing will alert you when that happens. The policy will still appear active. It will still show up in your security reports. The protection will simply no longer be there.
The replacement is a control called Require app protection policy, which works with Microsoft Intune to apply the same and stronger controls. If your mobile access policies haven't been reviewed in the last twelve months, check before the end of June.
What should I do now?
For organisations working with a managed IT provider, both changes will typically be part of your regular service review. If you want to check yourself, there are two questions to ask:
- Do any of your Conditional Access policies have resource exclusions? If yes, confirm whether any custom or third-party applications might now trigger MFA prompts your team hasn't seen before.
- Do any of your policies use the Require approved client app control? If yes, those need to be updated to Require app protection policy.
Neither is a large project for a well-managed environment. Both are worth a short conversation with your IT team or provider this month.
Summary
Microsoft's June 2026 Conditional Access updates close a gap that was always there, just not visible. Some sign-ins that were passing through without being evaluated will now be properly checked. An older mobile access control is also being retired and needs replacing.
What this update reflects, more broadly, is that a well-configured environment and a fully covered environment are not always the same thing. A regular review is what keeps them aligned.
If you want to understand how these updates affect your environment, the ADITS Microsoft Hub has the latest Microsoft guidance and resources for businesses like yours.
Stay up to date
Subscribe to our newsletter for IT news, case studies and promotions

