Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,603 questions
Default Conditional Access Policy Not Applied to New Users
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 63%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFG%3C/text%3E%3C/svg%3E)
Francesco Gatto
20
Reputation points
I have enabled Microsoft's default Conditional Access policy, but I noticed that it is not applied to all users. Specifically, the policy seems to include only users added up to a certain date, while those created afterward are not recognized.
Additionally, when using the "What If" tool, the policy appears as "Excluded" for these new users, even though I haven't manually configured any exclusions.
I also noticed that the "Users and groups" parameter was automatically flagged by the policy, so there shouldn't be any implicit exclusions.
Has anyone else experienced this issue? Is there a way to force the policy to apply to all users, including those created after its activation?
Thanks in advance for your support!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sakshi Devkante 1,335 Reputation points Microsoft External Staff2025-03-11T11:04:24.15+00:00 Hello Francesco,
The scope of the Conditional Access policy is frequently determined by user categories or characteristics. It's probable that the policy was first set up for particular groups (like those that were in existence when the policy was made). Make sure that new users are automatically added to the appropriate groups if the policy depends on group membership in order for it to be effective.
Double-check if the policy is scoped to any specific Azure AD groups. If so, verify that the new users are included in these groups.
Review dynamic group membership rules, if applicable, to ensure new users are included.
There might be a delay in the policy being applied to new users, especially if there was a recent update or change in the tenant configuration.
Sign in to comment
Sign in to answer