MC1326253: Conditional Access policies now apply to Windows Hello for Business and macOS Platform SSO registration

Summary

  • Conditional Access policies scoped to “Register security information” will now be enforced when users set up Windows Hello for Business (WHfB) or register macOS Platform SSO credentials.
  • Users who do not meet the targeted Conditional Access grant requirements (MFA, authentication strength, trusted location, FIDO2 key, etc.) will be blocked from completing WHfB or macOS PSSO enrollment.
  • IT admins should review policies targeting “Register security information”, verify Grant controls, test changes in report-only mode, and ensure users have qualifying MFA methods or FIDO2 keys available during device setup.
  • Update helpdesk guidance and user communications so support teams can resolve enrollment blocks quickly; organizations without such policies are not affected.

Primary Service: Entra
Admin Impact: High
User Impact: Medium
Release Start: 06 Jul 2026
Release End: 13 Jul 2026
Services: Admin, Entra, Mac, Windows
Category: Stay informed
Tags: Admin Action, New Feature, User Adoption

History

5/29/2026 Item Added to Message Center

Microsoft Message

If your organization has Conditional Access policies scoped to Register security information, those policies will now apply when users set up Windows Hello for Business (WHfB) or register macOS Platform SSO credentials.

Today, these registration flows enforce MFA, but do not evaluate your registration-targeting Conditional Access policies — meaning requirements like authentication strength, trusted locations, or other CA conditions aren’t enforced when users enroll WHfB or macOS Platform SSO credentials. This change closes that gap.

Organizations without these policies aren’t affected.

When this will happen

  • July 6, 2026: Gradual rollout begins.
  • July 13, 2026: Rollout complete for all tenants.

How this affects your organization

Users registering WHfB or macOS PSSO credentials will need to satisfy your registration-targeting Conditional Access policy requirements before completing enrollment. For example, a user might need to use an existing FIDO2 security key, approve a push notification in Microsoft Authenticator, or connect from a trusted network location — depending on what your policies require. Any Grant controls you’ve configured will apply.

Users who don’t meet the requirements will be blocked from completing registration until the conditions are met.

Action recommended

  1. In Entra admin center > Protection > Conditional Access, find policies targeting Register security information.
  2. Review Grant controls — check what requirements users must satisfy during registration (authentication strength, trusted locations, MFA method).
  3. Consider whether users setting up a new device can meet your policy requirements — for example, make sure users have a FIDO2 security key or other qualifying credential available before they start device setup.
  4. Test with report-only mode before enforcement reaches your tenant.
  5. Update helpdesk docs — users may see a new authentication prompt during device setup.
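
An offline way to carry out steps 1 and 2 against an exported policy list, as an added example that is not part of the Microsoft message: the script reads Conditional Access policies in the JSON shape returned by Microsoft Graph (`/identity/conditionalAccess/policies`) and summarizes those whose user action is `urn:user:registersecurityinfo`. The sample policies and the helper name `audit_registration_policies` are constructed for illustration.

```python
import json
REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph value for "Register security information"

# Constructed sample shaped like a Graph export of Conditional Access policies.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Constructed: MFA for security info outside trusted sites",
   "state": "enabled",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Constructed: phishing-resistant registration (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
  {"displayName": "Constructed: MFA for all cloud apps",
   "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")["value"]

def audit_registration_policies(policies):
    """Return one summary per policy that targets the register-security-info user action."""
    report = []
    for p in policies:
        apps = (p.get("conditions") or {}).get("applications") or {}
        if REGISTER_ACTION not in (apps.get("includeUserActions") or []):
            continue  # not scoped to registration, so outside this change
        grant = p.get("grantControls") or {}  # may be null in an export
        reqs = list(grant.get("builtInControls") or [])
        strength = grant.get("authenticationStrength") or {}
        if strength.get("displayName"):
            reqs.append("authStrength:" + strength["displayName"])
        loc = (p.get("conditions") or {}).get("locations") or {}
        report.append({
            "policy": p.get("displayName"),
            "mode": {"enabled": "enforced",
                     "enabledForReportingButNotEnforced": "report-only"}.get(p.get("state"), "off"),
            "operator": grant.get("operator"),
            "requirements": reqs,
            "include_locations": loc.get("includeLocations") or [],
            "exclude_locations": loc.get("excludeLocations") or [],
        })
    return report

if __name__ == "__main__":
    for row in audit_registration_policies(SAMPLE_EXPORT):
        print(row)
```

Rows with mode `enforced` list the requirements a user must already be able to satisfy during WHfB or macOS PSSO setup; rows with mode `report-only` are the ones still under test (step 4).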

If you experience issues during the rollout window (July 6–July 13), contact Microsoft Support or your account team for assistance.

Learn more: Require MFA for security info registration