Introduction
Microsoft Entra ID is changing how baseline scopes are handled, which directly affects how conditional access policies are evaluated. Starting in June 2026, applications requesting these scopes will have their access evaluated through these policies. This means uniform processing for all resources, regardless of the scope requested.
Baseline scopes include OpenID Connect (OIDC) permissions and directory permissions such as openid, email, profile, User.Read, People.Read, and many others considered low-risk.
Why this change is important
Baseline scopes and their role
Baseline scopes group together low-risk permissions, widely used for signing into Entra ID via third-party applications. Before this change, when these scopes were requested by an application, conditional access policies with resource exclusions were not applied.
Now, Microsoft ensures that policies are uniformly applicable, even for applications requesting only baseline scopes. This includes popular scenarios such as using Visual Studio Code, often limited to the User.Read permission.
Impact for administrators
Microsoft indicates that the majority of customers will require no adjustments, as applications typically request broader permissions, such as those related to Microsoft Graph. However, administrators should be vigilant about:
- Applications relying solely on baseline scopes.
- Scenarios where these applications cannot meet policy requirements (for example, mandatory MFA).
Use the service principal analysis report to identify applications in your tenant that could be affected by this change.
Configuration in Entra ID
New page for baseline scopes configuration
Microsoft now offers a dedicated page in the Entra administration center, accessible via a specific link. This new tool helps administrators:
- Configure baseline scopes application policies.
- Enable the recommended "Enforcement" option for enhanced security.
- Monitor applications that might fail after this change.

Steps to prepare your tenant
Run analyses via Entra ID or use a third-party report to list the permissions requested by each application.
Access the Entra administration center page via the dedicated link: https://aka.ms/BaselineScopesSettingsUX.
In the baseline scopes management section, enable the "Enforcement" option to ensure application compliance.
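The first step above, and the "applications relying solely on baseline scopes" check from the administrator section, can be sketched as a script. This is an added example, not Microsoft's report: it unions the delegated scopes recorded per client in an export shaped like Microsoft Graph oauth2PermissionGrants and flags clients that hold nothing beyond baseline scopes. It assumes consented scopes are a usable proxy for what an application requests, uses only the baseline scopes named in this article, and runs on constructed sample data with placeholder IDs.

```python
from collections import defaultdict

# Baseline scopes named in this article. The article says there are "many others",
# so extend this set from Microsoft's documentation before relying on the result.
BASELINE_SCOPES = {"openid", "email", "profile", "User.Read", "People.Read"}

# Constructed sample shaped like a Graph oauth2PermissionGrants export.
# All clientId/resourceId values are made-up placeholders.
SAMPLE_GRANTS = [
    {"clientId": "sp-editor", "resourceId": "sp-graph", "scope": "User.Read"},
    {"clientId": "sp-portal", "resourceId": "sp-graph", "scope": "openid profile email"},
    {"clientId": "sp-portal", "resourceId": "sp-graph", "scope": " user.read  People.Read "},
    {"clientId": "sp-mailapp", "resourceId": "sp-graph", "scope": "openid User.Read Mail.Read"},
    {"clientId": "sp-crm", "resourceId": "sp-graph", "scope": "openid profile"},
    {"clientId": "sp-crm", "resourceId": "sp-crm-api", "scope": "Orders.ReadWrite"},
    {"clientId": "sp-empty", "resourceId": "sp-graph", "scope": ""},
]

def scopes_by_client(grants):
    """Union the delegated scopes of every grant (all resources, all users) per client."""
    merged = defaultdict(set)
    for grant in grants:
        # 'scope' is a space-separated string; split() also drops stray whitespace.
        merged[grant["clientId"]].update((grant.get("scope") or "").split())
    return merged

def classify(grants, baseline=BASELINE_SCOPES):
    """Return {clientId: (status, sorted scopes that fall outside the baseline set)}."""
    known = {s.casefold() for s in baseline}  # assumption: match scope names case-insensitively
    report = {}
    for client, scopes in scopes_by_client(grants).items():
        extra = sorted(s for s in scopes if s.casefold() not in known)
        if not scopes:
            status = "no-delegated-scopes"
        elif extra:
            status = "broader-permissions"
        else:
            status = "baseline-only"  # candidate to review against conditional access policies
        report[client] = (status, extra)
    return report

def baseline_only_clients(grants, baseline=BASELINE_SCOPES):
    """Sorted client IDs whose combined delegated scopes are all baseline scopes."""
    return sorted(c for c, (status, _) in classify(grants, baseline).items() if status == "baseline-only")

if __name__ == "__main__":
    for client, (status, extra) in sorted(classify(SAMPLE_GRANTS).items()):
        print(f"{client:12} {status:22} {' '.join(extra)}")
```

Scopes are merged across all of a client's grants before classification, so an application with a baseline-only grant on one resource and a broader grant on another is not flagged.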
Pending deployment
Progressive deployment has been underway since June 15, 2026 and should be fully completed by August 2026. Tenants will receive:
- A first notification two weeks before the new rules are applied.
- A final confirmation once deployment is complete.
Microsoft uses telemetry to detect whether your tenant is affected and sends messages via the Entra ID notification center. If you receive no notification, your policies are not affected.
Rigorous monitoring of conditional access logs is essential to avoid unexpected interruptions.
Conclusion
This change marks a key step in harmonizing security across Microsoft 365. Entra ID now ensures universal application of conditional access policies, strengthening application security and their interactions with tenants. Prepare your environment now to ensure a smooth transition.




