Conditional Access policies now apply to Windows Hello for Business and macOS Platform SSO registration [MC1326253]

Message ID: MC1326253

If your organization has Conditional Access policies scoped to Register security information, those policies will now apply when users set up Windows Hello for Business (WHfB) or register macOS Platform SSO credentials.

Today, these registration flows enforce MFA, but do not evaluate your registration-targeting Conditional Access policies — meaning requirements like authentication strength, trusted locations, or other CA conditions aren’t enforced when users enroll WHfB or macOS Platform SSO credentials. This change closes that gap.

Organizations without these policies aren’t affected.

When this will happen

• July 6, 2026: Gradual rollout begins.

• July 13, 2026: Rollout complete for all tenants.

How this affects your organization

Users registering WHfB or macOS PSSO credentials will need to satisfy your registration-targeting Conditional Access policy requirements before completing enrollment. For example, a user might need to use an existing FIDO2 security key, approve a push notification in Microsoft Authenticator, or connect from a trusted network location — depending on what your policies require. Any Grant controls you’ve configured will apply.

Users who don’t meet the requirements will be blocked from completing registration until the conditions are met.

Action recommended

  1. In Entra admin center > Protection > Conditional Access, find policies targeting Register security information.
  2. Review Grant controls — check what requirements users must satisfy during registration (authentication strength, trusted locations, MFA method).
  3. Consider whether users setting up a new device can meet your policy requirements — for example, make sure users have a FIDO2 security key or other qualifying credential available before they start device setup.
  4. Test with report-only mode before enforcement reaches your tenant.
  5. Update helpdesk docs — users may see a new authentication prompt during device setup.
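
As a way to carry out steps 1, 2 and 4 offline, the following added example (not part of the Microsoft message) reviews a JSON export of your Conditional Access policies and lists the ones scoped to Register security information, with their enforcement state and Grant requirements. It assumes the export has the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`; the function name and the sample policies are constructed for illustration.

```python
import json

# Graph value for the "Register security information" user action.
REGISTER_ACTION = "urn:user:registersecurityinfo"

# Constructed sample, shaped like GET /identity/conditionalAccess/policies output.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Registration requires phishing-resistant MFA", "state": "enabled",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
  {"displayName": "Registration MFA (pilot)", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "MFA for all cloud apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")

def registration_policies(export):
    """Return a review row for each policy scoped to Register security information."""
    rows = []
    for policy in export.get("value", []):
        conditions = policy.get("conditions") or {}
        apps = conditions.get("applications") or {}
        actions = [a.lower() for a in apps.get("includeUserActions") or []]
        if REGISTER_ACTION not in actions:
            continue  # not registration-targeting, so outside the scope of this change
        grant = policy.get("grantControls") or {}
        requirements = list(grant.get("builtInControls") or [])
        strength = grant.get("authenticationStrength")
        if strength:
            requirements.append("authStrength:" + strength.get("displayName", "?"))
        locations = conditions.get("locations") or {}
        rows.append({
            "name": policy.get("displayName"),
            "state": policy.get("state"),
            "enforced": policy.get("state") == "enabled",  # report-only is not enforced
            "operator": grant.get("operator"),
            "requirements": requirements,
            "location_scoped": bool(locations.get("includeLocations")),
        })
    return rows

if __name__ == "__main__":
    for row in registration_policies(SAMPLE_EXPORT):
        print(row)
```

Rows with `enforced` set to true are the policies users must satisfy during WHfB or macOS Platform SSO registration once the rollout reaches the tenant; report-only rows are already in the test state that step 4 describes.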

If you experience issues during the rollout window (July 6–July 13), contact Microsoft Support or your account team for assistance.

Learn more: Require MFA for security info registration

Source: Microsoft
