Microsoft now applies conditional access to apps using only basic login scopes

On 15 June 2026 Microsoft started rolling out a change that routes sign-ins from apps requesting only baseline OIDC scopes through existing conditional access policies aimed at 'All resources'. Full deployment is due by mid-August. The scopes affected include openid, email, profile, User.Read and GroupMember.Read.All. Desktop clients such as Visual Studio Code are explicitly called out. Tenants receive a two-week advance notice. Policies that already exclude resources remain unaffected, but the new baseline-scope setting page is reachable only through a dedicated URL.
Before the change, an app limited to these low-privilege scopes could slip past MFA and location rules because conditional access treated the request as too narrow to evaluate. Admins therefore relied on the assumption that lightweight clients posed little risk. Now the same sign-in triggers the full policy stack. For tenants already struggling with sprawl, this means previously silent logins from developer tools and background services will start appearing in sign-in logs and may hit blocks, exposing gaps in ownership and external access that were never reviewed.
Analysis
Treat this as an audit trigger rather than a policy tweak: pull the last 30 days of sign-in logs for baseline-scope apps, identify which service principals belong to unmanaged Teams or SharePoint sites, and immediately carve those principals out of the blanket 'All resources' policy before they generate support tickets. Replace the blanket rule with a narrow Exchange-plus-SharePoint policy that still demands MFA.
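As an added example that is not part of the original pulse, the steps above in Python: triage a sign-in export for the logins conditional access never evaluated, carve the offending app IDs out of the blanket policy, and draft the narrow Exchange-plus-SharePoint MFA replacement. Field names follow the Microsoft Graph signIn and conditionalAccessPolicy schemas; the sample records and their app IDs are constructed placeholders.

```python
"""Triage sign-in logs and draft the policy changes the Analysis above recommends.
Added example, not Collab365's or Microsoft's code. Record fields follow the Graph
signIn resource; policy dicts follow the Graph conditionalAccessPolicy schema."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Well-known first-party app IDs for Exchange Online and SharePoint Online.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # constructed reference date (rollout start)

# Constructed export excerpt; app IDs are placeholders. "notApplied" = CA never evaluated it.
SAMPLE_SIGNINS = [
    {"appId": "11111111-0000-0000-0000-000000000001", "appDisplayName": "Visual Studio Code",
     "createdDateTime": "2026-06-10T08:15:00Z", "conditionalAccessStatus": "notApplied"},
    {"appId": "11111111-0000-0000-0000-000000000001", "appDisplayName": "Visual Studio Code",
     "createdDateTime": "2026-04-01T08:15:00Z", "conditionalAccessStatus": "notApplied"},  # outside window
    {"appId": "11111111-0000-0000-0000-000000000002", "appDisplayName": "Site sync job",
     "createdDateTime": "2026-06-12T03:30:00Z", "conditionalAccessStatus": "notApplied"},
    {"appId": "11111111-0000-0000-0000-000000000003", "appDisplayName": "Outlook",
     "createdDateTime": "2026-06-12T07:45:00Z", "conditionalAccessStatus": "success"},
]

def silent_apps(signins, now=NOW, days=30):
    """{appId: (displayName, count)} for in-window sign-ins CA never evaluated:
    the logins that will start hitting the 'All resources' policy after the change."""
    cutoff = now - timedelta(days=days)
    hits = defaultdict(lambda: [None, 0])
    for s in signins:
        when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        if when >= cutoff and s["conditionalAccessStatus"] == "notApplied":
            hits[s["appId"]][0] = s["appDisplayName"]
            hits[s["appId"]][1] += 1
    return {app: (name, n) for app, (name, n) in hits.items()}

def carve_out(policy, app_ids):
    """Copy of the blanket policy with app_ids added to excludeApplications (input untouched)."""
    apps = policy["conditions"]["applications"]
    excluded = list(dict.fromkeys(apps.get("excludeApplications", []) + sorted(app_ids)))
    return {**policy, "conditions": {**policy["conditions"],
                                     "applications": {**apps, "excludeApplications": excluded}}}

def narrow_mfa_policy(name="Require MFA for Exchange and SharePoint"):
    """Replacement scoped to mail and files only, created in report-only mode so its
    impact shows up in sign-in logs before it blocks anyone."""
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
```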
Pulse published by Collab365 Spaces, reviewed by Helen Jones on . Cite as "Microsoft now applies conditional access to apps using only basic login scopes", Collab365 Spaces. 2 sources referenced.