Apps Requesting Baseline Scopes Will be Processed by Conditional Access Policies
Microsoft originally published message center notification MC1223829 on 29 January 2026. The notification describes a change in behavior for conditional access policies. After a quiet period, rollout began on 15 June 2026, with progressive deployment across Entra ID tenants with further details provided in a June 5 update for MC1223829. Full deployment should be in place worldwide by mid-August 2026.
Microsoft says tenants will receive a notification two weeks before the new behaviour takes effect, and another after rollout completes. Even if you haven’t seen the advance notice yet, review your active conditional access policies now in case this change affects them.
Baseline Scopes and Conditional Access
The change revolves around the default set of OpenID Connect (OIDC) “well-defined scopes,” like openid, email, and profile. Because of their limited capabilities, these scopes are deemed to be low-risk permissions for the purpose of the Entra ID user consent settings for apps (Figure 1).

Entra ID adds a set of delegated and application directory scopes: User.Read, User.ReadBasic.All, People.Read, People.Read.All, GroupMember.Read.All, and Member.Read.Hidden. Collectively, the OIDC and directory scopes are referred to as “baseline scopes.”
Before the change, when a user signs into Entra ID using a client application that requests only baseline scopes, conditional access policies that target “All resources” (formerly “All cloud apps”) but also carry at least one resource exclusion are not enforced for that sign-in.
After the change, the conditional access policies will be enforced. Microsoft says that this means “policies are consistently applied regardless of the scope set requested by the application.”
Microsoft gives the example of the Visual Studio Code desktop client, which only requests the User.Read permission and is therefore currently excluded from conditional access processing. The Visual Studio Code app will be processed by conditional access after the change.
The Effect of the Change
Microsoft says that no action is required in most cases because most client applications request more than the default set of OIDC scopes. Once an app requests a Graph permission outside the baseline set, such as User.Read.All, Mail.Send, or Group.Read.All (permissions that apps often request in error), conditional access policies are enforced and process the sign-in. Popular AI connectors like the Microsoft 365 Connector for Claude typically request a bunch of Graph permissions to allow them to read SharePoint Online files, calendars, and so on.
The risk lies with apps that rely solely on baseline scopes and cannot satisfy conditional access requirements (such as MFA). These apps might depend on their own authorization flow to connect to their back-end services and may fail once Entra ID enforces conditional access policies.
Tenant Configuration
The Entra admin center has a new baseline scope settings page (Figure 2) to control how a tenant handles apps with baseline scopes. The page is available in the Manage section of Conditional Access in the Entra admin center, but the page is currently exposed only if you use a special URL.

Microsoft documentation includes a table to guide tenants in what they should do. In most cases, I suspect that the recommended “enable enforcement” is the correct course of action. It’s what I have done. I expect minimal disruption, but experience suggests any change to conditional access is worth monitoring closely.
In the meantime, although it’s not designed to highlight apps that might be affected by the new conditional access regime, running the service principal analysis report will list all delegated and application permissions for apps in the tenant. Reporting permissions is one way to check for apps that only request baseline scopes. The caveat is that OIDC scopes don’t always show up as persistent OAuth delegated grants, so some might be missing.
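As an added illustration (this is not the service principal analysis report mentioned above, nor Microsoft's code), the following Microsoft Graph PowerShell SDK script applies the permission check described here: it reads every persisted delegated permission grant in the tenant, unions the scopes each client holds, and lists the clients whose grants consist only of baseline scopes. The baseline list is the one given in the article; the cmdlets and Graph permissions are the SDK's own; the comparison logic and the column names in the report are mine. It inherits the same caveat: OIDC scopes and dynamically requested scopes are not always persisted as grants, so apps with no persisted grant at all will not appear.

```powershell
# Added example, not from the original article or from Microsoft.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications modules) and an account allowed to read the directory.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Baseline scopes as listed in the article: the OIDC well-defined scopes plus the
# directory scopes Microsoft groups with them. Case-insensitive, because scope values
# in persisted grants are not always normalised. Extend the list if Microsoft's
# documented baseline set contains scopes the article does not name.
$BaselineScopes = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('openid', 'email', 'profile',
        'User.Read', 'User.ReadBasic.All', 'People.Read', 'People.Read.All',
        'GroupMember.Read.All', 'Member.Read.Hidden'),
    [System.StringComparer]::OrdinalIgnoreCase)

# Every persisted delegated grant in the tenant (admin consent and user consent).
# Scope is a space-separated list of the permissions granted on one resource.
$Grants = Get-MgOauth2PermissionGrant -All

# Union the scopes each client holds across all of its grants (a client may have one
# grant per resource, plus per-user grants when users consented individually).
$ScopesByClient = @{}
foreach ($Grant in $Grants) {
    if (-not $ScopesByClient.ContainsKey($Grant.ClientId)) {
        $ScopesByClient[$Grant.ClientId] = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }
    foreach ($Scope in ($Grant.Scope -split '\s+' | Where-Object { $_ })) {
        [void]$ScopesByClient[$Grant.ClientId].Add($Scope)
    }
}

# Keep only clients whose entire set of persisted scopes is inside the baseline set.
# These are the candidates to review before enforcement reaches your tenant.
$Report = foreach ($ClientId in $ScopesByClient.Keys) {
    $Scopes      = $ScopesByClient[$ClientId]
    $NonBaseline = @($Scopes | Where-Object { -not $BaselineScopes.Contains($_) })
    if ($NonBaseline.Count -eq 0) {
        # The grant's ClientId is the service principal object ID of the client app.
        $Sp = Get-MgServicePrincipal -ServicePrincipalId $ClientId -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            DisplayName = $Sp.DisplayName
            AppId       = $Sp.AppId
            ClientId    = $ClientId
            Scopes      = ($Scopes | Sort-Object) -join ' '
        }
    }
}

$Report | Sort-Object DisplayName | Format-Table -AutoSize
```

Treat the output as a starting list rather than a verdict: an app that shows only User.Read here may still request further scopes dynamically at sign-in, and the ones most likely to break are those that, per the article, rely on their own back-end authorization flow and cannot satisfy a requirement such as MFA.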
Waiting for the Rollout
Don’t worry if your tenant uses conditional access policies but did not receive MC1223829. This means that Microsoft’s telemetry did not detect any conditional access policies targeted at “All resources” with at least one resource exclusion. In my case, the only policy that met this test enforces multifactor authentication for guests and the exclusion is for the Microsoft Rights Management service. The exclusion exists to allow guest accounts to read protected messages with the Outlook classic client.
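As an added example (not from the article or from Microsoft), this script reproduces the test described above against your own tenant so that you need not rely on whether the notification arrived: it lists the conditional access policies that target “All resources” and carry at least one resource exclusion, and resolves the excluded application IDs to service principal names. It assumes the Microsoft Graph PowerShell SDK; the filter logic and report columns are mine.

```powershell
# Added example, not from the original article or from Microsoft.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications modules).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

$Policies = Get-MgIdentityConditionalAccessPolicy -All

$InScope = foreach ($Policy in $Policies) {
    $Apps = $Policy.Conditions.Applications

    # "All resources" in the admin center is stored as the literal value 'All'
    # in IncludeApplications; exclusions are application (client) IDs or keywords.
    $TargetsAll   = @($Apps.IncludeApplications) -contains 'All'
    $HasExclusion = @($Apps.ExcludeApplications).Count -gt 0

    if ($TargetsAll -and $HasExclusion) {
        # Resolve each excluded app ID to a display name; keywords (and apps with no
        # service principal in this tenant) fall back to the raw value.
        $Excluded = foreach ($AppId in $Apps.ExcludeApplications) {
            $Sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue
            if ($Sp) { $Sp.DisplayName } else { $AppId }
        }
        [PSCustomObject]@{
            DisplayName = $Policy.DisplayName
            State       = $Policy.State   # enabled, disabled, or report-only
            Exclusions  = $Excluded -join ', '
        }
    }
}

# Disabled policies are listed too so you can see them; narrow to enforced ones with
# Where-Object { $_.State -eq 'enabled' } if that is all you care about.
$InScope | Sort-Object State, DisplayName | Format-Table -AutoSize
```

Any policy in this output is one whose behaviour changes after the rollout: sign-ins from baseline-scope-only apps that today bypass it will start to be evaluated against it. If the output is empty, the change should not affect your tenant's policies at all.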
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.