Your CA exclusions stop working March 27
If you have “All resources” policies with app exclusions, some of those exclusions are about to be ignored.
Your CA policies are about to start enforcing on sign-ins they’ve been ignoring for years.
Not a new policy. No alert. No warning in the portal. On March 27, Microsoft changes how CA policies scoped to “All resources” with resource exclusions get evaluated. Sign-ins that slipped through before won’t anymore. If your apps can’t handle a CA challenge, they break. If your users aren’t expecting an MFA prompt, they call the help desk.
Nineteen days. Here’s what to check.
Every Monday from Adversary Lab: Azure security news for practitioners. No fluff, just the updates to stay ahead.
In This Issue
Your CA “All resources” exclusions may stop excluding what you think. Enforcement starts March 27
If you run hybrid identity with Entra Connect, Microsoft is blocking a known account takeover technique this month
If you have FIDO2 enabled, your passkey config is changing whether you opt in or not
Advanced Hunting can now block attachments and URL domains in one workflow, but there’s a query requirement buried in the MC post
Microsoft created CA policies in your tenant. Here’s where to find them
🔥 What’s Actually Breaking
Conditional Access “All Resources” Enforcement Change — MC1223829 | March 27, 2026
Your CA policies have a quiet exception that’s about to disappear.
Right now, if a client app signs in using only OIDC scopes or a limited set of directory scopes — things like openid, profile, email, or User.Read — CA policies scoped to “All resources” don’t enforce if that policy has resource exclusions. Those sign-ins slip through. Microsoft confirmed it’s been this way by design, as a workaround to avoid blocking low-privilege app authentication flows.
That changes on March 27. After that date, those sign-ins get evaluated like everything else. Users in affected flows may start seeing MFA prompts or device compliance challenges with no prior warning.
Microsoft’s exact language: “Users in affected tenants might receive Conditional Access challenges (such as MFA or device compliance) where previously they were allowed access without enforcement.”
This only hits tenants with CA policies targeting “All resources” that also have one or more resource exclusions. If that’s not you, nothing changes. If it is you, the question is whether the apps relying on those flows can handle a CA challenge, and whether your users are prepared for a new prompt.
What to do: Entra portal → Protection → Conditional Access. Filter for policies scoped to “All resources” with resource exclusions. For each one, identify which apps are using minimal OIDC scopes during sign-in and verify they can handle CA challenges. Rollout starts March 27 and runs through June across all clouds.
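One way to do that filtering from the command line instead of clicking through the portal, as an added example (not code from the newsletter or from Microsoft); it assumes the Microsoft.Graph PowerShell SDK and a delegated Policy.Read.All grant:

```powershell
# Added example: list Conditional Access policies scoped to "All resources" that also
# carry resource exclusions, i.e. the policies MC1223829 changes on March 27.
# Assumes the Microsoft.Graph SDK (Microsoft.Graph.Identity.SignIns) and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# In Graph, "All resources" is includeApplications = @("All"); resource exclusions are the
# app IDs (or well-known names such as "Office365") listed in excludeApplications.
$policies = Get-MgIdentityConditionalAccessPolicy -All

$affected = foreach ($p in $policies) {
    $apps = $p.Conditions.Applications
    if (-not $apps) { continue }
    $targetsAll    = $apps.IncludeApplications -contains "All"
    $hasExclusions = @($apps.ExcludeApplications).Count -gt 0
    if ($targetsAll -and $hasExclusions) {
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            State         = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
            GrantControls = (@($p.GrantControls.BuiltInControls) -join ",")
            Exclusions    = (@($apps.ExcludeApplications) -join ", ")
            Id            = $p.Id
        }
    }
}

if (-not $affected) {
    "No 'All resources' policies with resource exclusions found; MC1223829 changes nothing here."
} else {
    "Policies whose OIDC-scope-only sign-ins start being evaluated on March 27:"
    $affected | Sort-Object State | Format-Table -AutoSize
}
```

Policies in report-only state will only log the new evaluations; the enabled ones are where users start seeing prompts, so check those first.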
Source: MC1223829 | Microsoft Tech Community Blog
Official Announcements
Entra Connect SyncJacking Hardening — Enforcement Begins March 2026
If you run hybrid identity, Microsoft is closing a known attack path this month.
SyncJacking is an attack technique where an adversary with on-premises AD access manipulates object attributes to hard-match an existing Entra ID account, effectively taking over its source of authority. Once that happens, the on-prem object controls the cloud account, including privileged ones. MSRC confirmed the technique and has been building platform-level protections against it.
Enforcement starts in March 2026. The new logic checks OnPremisesObjectIdentifier to detect and block unauthorized remapping attempts, and audit logs now capture changes to both OnPremisesObjectIdentifier and DirSyncEnabled so you have visibility when this fires. If a blocked operation hits, the error is explicit: “Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping.”
June 1, 2026 brings a separate cutoff: Entra Connect will block hard-matching any AD object to a cloud-managed Entra ID account that holds privileged roles. That’s the higher-risk scenario and gets its own enforcement date.
There’s also a version deadline. You need Entra Connect 2.5.79.0 or higher by September 30, 2026 or sync stops entirely. Worth checking where you are now rather than discovering it under pressure.
Who this affects: Hybrid environments running Entra Connect Sync or Cloud Sync. Pure cloud tenants are not affected.
Action: Upgrade to the latest Entra Connect version. Then verify your hardening state:
# Read-only scope is enough to inspect the sync feature flags
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All"
# Expand the Features object so every hardening flag is listed
Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Format-List
If BlockCloudObjectTakeoverThroughHardMatchEnabled and BlockSoftMatchEnabled both show False, you’re not hardened yet. Enable both flags through your Entra Connect configuration. Review audit logs for any existing OnPremisesObjectIdentifier changes before enabling.
Source: Microsoft Entra — What’s New | Hardening updates for Entra Connect Sync
Passkey (FIDO2) Profiles GA + Auto-Migration — MC1221452 | March 2026 | GA
If you have FIDO2 enabled, read this before April.
Passkey profiles and synced passkeys are hitting GA this month. What matters more is what happens if you don’t act: Microsoft migrates your existing FIDO2 configuration automatically. Worldwide tenants get migrated April through May 2026, with GCC and DoD following in June.
The migration itself isn’t destructive. Your current settings move into a “Default passkey profile,” and the new passkeyType property gets set based on your current attestation configuration. Enforce attestation? Device-bound passkeys only. Don’t enforce it? Both device-bound and synced passkeys are allowed. Existing user targeting and key restrictions carry over.
The piece that’s easy to miss: if you have synced passkeys enabled and a Microsoft-managed registration campaign running, that campaign will retarget to passkeys after migration. If it was pointing users toward Microsoft Authenticator before, it won’t be after. Worth verifying where that campaign is aimed before April gets here.
Requirements: Affects only tenants with Passkeys (FIDO2) currently enabled.
Action: Entra portal → Protection → Authentication methods → Policies → Passkey (FIDO2). Check your attestation settings, AAGUID allowlist, and registration campaign targeting. Opting in now means you configure profiles on your terms, not Microsoft’s defaults.
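The same check scripted, as an added example (not from the newsletter or from Microsoft): it reads the tenant’s FIDO2 configuration and registration campaign over Graph and reports which passkeyType the auto-migration would produce using the attestation rule described above. It assumes the Microsoft.Graph SDK and a delegated Policy.Read.All grant; the field names are those of the Graph v1.0 authenticationMethodsPolicy resources.

```powershell
# Added example: snapshot the FIDO2 method config and registration campaign before the
# MC1221452 auto-migration. Assumes Microsoft.Graph SDK and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Raw Graph calls returned as PSObjects so nested properties are addressable directly.
$base   = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
$fido   = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
              -Uri "$base/authenticationMethodConfigurations/Fido2"
$policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $base

$attestation = [bool]$fido.isAttestationEnforced
$kr          = $fido.keyRestrictions

[pscustomobject]@{
    Fido2State          = $fido.state
    AttestationEnforced = $attestation
    # Rule from the MC post: attestation enforced -> device-bound only; otherwise both.
    MigratedPasskeyType = if ($attestation) { "deviceBound" } else { "deviceBound + synced" }
    KeyRestrictionsOn   = [bool]$kr.isEnforced
    EnforcementType     = $kr.enforcementType          # allow or block list of AAGUIDs
    AaguidCount         = @($kr.aaGuids).Count
} | Format-List

# Registration campaign is set on the parent policy, not on the FIDO2 method.
$campaign = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
"Registration campaign state: $($campaign.state)   (default = Microsoft-managed)"
foreach ($t in @($campaign.includeTargets)) {
    "  target {0} ({1}) -> {2}" -f $t.id, $t.targetType, $t.targetedAuthenticationMethod
}

# The case the newsletter flags: synced passkeys allowed after migration plus a
# Microsoft-managed campaign means the campaign retargets to passkeys.
if ($campaign.state -eq "default" -and -not $attestation) {
    "WARNING: Microsoft-managed campaign will retarget to passkeys after migration."
}
```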
Source: MC1221452
Advanced Hunting: Block Attachments and URL Domains from Query Results — MC1237728 | March 2026 | GA
Shorter path from detection to response in Advanced Hunting this month.
Two new remediation actions are rolling out in the “Take action” wizard, both in the Email table. You can now block malicious email attachments directly from query results and block top-level URL domains associated with phishing campaigns — no need to leave Advanced Hunting. Both actions write to your Tenant Allow/Block List.
There’s a query requirement buried in the MC post worth knowing before you need it in a live investigation. Attachment blocking only works if your query includes the Attachment column, and that column only comes in via a join with EmailAttachmentInfo on NetworkMessageId. If it’s not in your results, the action won’t surface. Same goes for “Submit to Microsoft”: unavailable if required columns are missing.
This is email only. Not available for endpoint or identity tables.
Requirements: Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5. Enabled by default, no config required. Rollout runs through end of March 2026.
Action: Open Advanced Hunting, run an Email query, and click “Take action” to confirm the new options are live in your environment. Before you need this in a real investigation, test the EmailAttachmentInfo join and confirm the Attachment column populates.
Source: MC1237728
Baseline Security Mode Auto-Created CA Policies — MC1246002
Worth a quick check if your tenant was active between November 2025 and early February 2026.
Any admin who navigated to the Baseline Security Mode page in the M365 admin center during that window may have had two draft CA policies quietly created in their tenant, attributed to that admin’s account. Not labeled as Microsoft-created. Disabled, in draft state, doing nothing, but sitting there looking intentional.
Microsoft confirmed it, says a fix is in progress, and will remove the drafts before doing so. Nothing is actively breaking. Just worth knowing if you spot unexplained policies in your CA list.
Action: Entra portal → Protection → Conditional Access → Policies. Look for disabled drafts from that window that your team didn’t create.
Source: Microsoft Learn — Baseline Security Mode Settings
CA Token Protection — New Deployment Guides for Apple and Windows | March 2026
Quick one. Two new platform-specific deployment guides dropped in the Entra docs this week: one for Apple, one for Windows.
Token protection binds a CA token to the device it was issued on. Per Microsoft’s docs, it “attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device.” The feature has been around for a while. What’s new are the platform-specific guides that make deployment clearer for each environment.
Requirements: Entra ID P1 or P2. Configured via Conditional Access → Session controls.
Action: Entra portal → Protection → Conditional Access → create or edit a policy → Session → Token protection. Pull the Apple or Windows guide depending on your primary device platform.
Source: MicrosoftDocs/entra-docs — GitHub commit March 5, 2026
📋 What You Should Actually Do This Week
🚨 CRITICAL (March 10, 2026):
Patch Tuesday: Deploy this month’s patches. Review the release notes before pushing to production.
⚠️ HIGH PRIORITY (This Week):
Audit “All resources” CA policies with exclusions (deadline: March 27): Entra portal → Protection → Conditional Access. Filter for policies scoped to “All resources” with resource exclusions. Identify which sign-in flows those exclusions were covering and verify whether apps in those flows can handle a CA challenge. Enforcement starts March 27; that’s 19 days from now.
Review your FIDO2 config before April: Entra portal → Protection → Authentication methods → Passkey (FIDO2). Check whether attestation is enforced, review your AAGUID allowlist, and check your registration campaign settings. If your campaign is set to Microsoft-managed, it will retarget to passkeys after migration.
Entra Connect: verify hardening state (hybrid environments only): Run the PowerShell query in the SyncJacking section above. If both flags show False, you’re not hardened. Enable BlockCloudObjectTakeoverThroughHardMatchEnabled and confirm you’re on version 2.5.79.0 or higher. Enforcement is active this month.
📋 MEDIUM PRIORITY (Before Month-End):
Test the Advanced Hunting attachment block join: If you’re on MDO P2 or M365 E5, run a test query joining EmailEvents with EmailAttachmentInfo on NetworkMessageId and confirm the Attachment column populates. Verify “Take action” shows the new block options. Better to learn the query requirement now than mid-investigation.
Check for BSM ghost CA policies: Entra portal → Protection → Conditional Access → Policies. Look for disabled draft policies from November 2025 through February 2026 that your team didn’t create. They’ll appear attributed to a specific admin account, not to Microsoft.
Evaluate CA Token Protection deployment: Review the new Apple or Windows deployment guide depending on your environment. Check whether your device fleet meets the prerequisites before building the CA policy.
Looking Ahead
March 10, 2026: Patch Tuesday (this week)
March 27, 2026: CA “All resources” enforcement change takes effect. Policies with resource exclusions will now enforce on OIDC-only sign-ins.
End of March 2026: Advanced Hunting attachment and URL block action rollout completes.
April–May 2026: Automatic FIDO2 passkey profile migration begins for tenants that haven’t opted in (worldwide). GCC/DoD follows in June.
April 8, 2026: Next Patch Tuesday
June 1, 2026: Entra Connect blocks hard-matching AD objects to privileged cloud accounts.
💡 Get Hired as a Detection Engineer
Not “learn detection engineering.” Not “understand the concepts.”
Get. Hired.
When they ask “show me something you’ve built” — you pull up your portfolio and walk them through 11 detections you created yourself. APT29. Scattered Spider. LAPSUS$. Real techniques. Your work.
That’s the interview. That’s the job.
$150/month. Founding member pricing — locks in forever.
📚 About Adversary Lab
Azure security news for practitioners. No fluff, just the updates to stay ahead.
📤 Worth sharing? Forward it.
— Charles Garrett | LinkedIn | theadversarylab.com
See you next time! 👋