Conditional Access Now Applies to WHfB Registration

๐Œ๐จ๐ฌ๐ญ ๐š๐๐ฆ๐ข๐ง๐ฌ ๐š๐ฌ๐ฌ๐ฎ๐ฆ๐ž๐ ๐‚๐จ๐ง๐๐ข๐ญ๐ข๐จ๐ง๐š๐ฅ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐š๐ฅ๐ซ๐ž๐š๐๐ฒ ๐ฉ๐ซ๐จ๐ญ๐ž๐œ๐ญ๐ž๐ ๐–๐ข๐ง๐๐จ๐ฐ๐ฌ ๐‡๐ž๐ฅ๐ฅ๐จ ๐ซ๐ž๐ ๐ข๐ฌ๐ญ๐ซ๐š๐ญ๐ข๐จ๐ง.

โŒ It didn’t.

If you have Conditional Access policies targeting “Register security information”, they currently aren’t evaluated when users register:
• Windows Hello for Business (WHfB)
• macOS Platform SSO credentials

That means requirements like Authentication strength and trusted locations haven’t been enforced during these registration flows.

๐Œ๐ข๐œ๐ซ๐จ๐ฌ๐จ๐Ÿ๐ญ ๐ข๐ฌ ๐ง๐จ๐ฐ ๐œ๐ฅ๐จ๐ฌ๐ข๐ง๐  ๐ญ๐ก๐š๐ญ ๐ ๐š๐ฉ.

Starting July 6, 2026, users registering WHfB or macOS Platform SSO credentials will need to satisfy your Conditional Access requirements before enrollment can complete.

👉 Device setup may fail if users can’t meet policy requirements.
👉 New authentication prompts may appear during enrollment.
👉 Users may need an existing FIDO2 key, Microsoft Authenticator approval, or access from a trusted location.

Before the rollout reaches your tenant:

• Review Conditional Access policies targeting “Register security information”
• Check authentication strength and grant controls
• Test in report-only mode
• Update helpdesk documentation
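
An added example (not from the original post or from Microsoft) for the first two checklist items: it filters a Conditional Access policy export for policies whose user action is `urn:user:registersecurityinfo`, the Microsoft Graph identifier for “Register security information”, and reports each one's state, authentication strength, grant controls and locations. The JSON is a constructed sample shaped like the Graph `/identity/conditionalAccess/policies` response, and the policy names are hypothetical.

```python
import json

# Graph value for the "Register security information" user action.
REGISTER_ACTION = "urn:user:registersecurityinfo"

# Constructed sample shaped like GET /identity/conditionalAccess/policies output.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require phishing-resistant MFA to register", "state": "enabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
 {"displayName": "Block registration outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"], "authenticationStrength": null}},
 {"displayName": "Require MFA for all cloud apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"], "includeUserActions": []},
                 "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}}
]}
""")

def audit_registration_policies(export):
    """Return one finding per policy that targets the registration user action."""
    findings = []
    for policy in export.get("value", []):
        cond = policy.get("conditions") or {}
        actions = (cond.get("applications") or {}).get("includeUserActions") or []
        if REGISTER_ACTION not in [a.lower() for a in actions]:
            continue  # app-targeted policies are out of scope for this review
        grant = policy.get("grantControls") or {}      # null on session-only policies
        locations = cond.get("locations") or {}        # null when no location condition
        findings.append({
            "policy": policy.get("displayName"),
            "state": policy.get("state"),
            # Only "enabled" policies can interrupt enrollment; report-only just logs.
            "enforced": policy.get("state") == "enabled",
            "auth_strength": (grant.get("authenticationStrength") or {}).get("displayName"),
            "controls": grant.get("builtInControls") or [],
            "include_locations": locations.get("includeLocations") or [],
            "exclude_locations": locations.get("excludeLocations") or [],
        })
    return findings

if __name__ == "__main__":
    for finding in audit_registration_policies(SAMPLE_EXPORT):
        print(json.dumps(finding))
```

Policies reported with `enforced` set to true are the ones whose requirements users will have to meet during WHfB or Platform SSO registration once the change reaches the tenant.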

Sometimes the most important security updates aren’t new features; they’re fixes for assumptions we didn’t realize were wrong.

Message ID: MC1326253