Plan for change – Conditional Access enforcement during credential registration
March 2026
Plan for change – Conditional Access enforcement during credential registration for Windows Hello for Business and macOS Platform SSO
Type: Plan for Change
Service category: Conditional Access
Product capability: User Authentication
Starting in May 2026, if your organization has Conditional Access policies scoped to the Register security information user action, those policies will be evaluated during credential registration for Windows Hello for Business and macOS Platform SSO. Rollout begins in late April 2026. This ensures that your security requirements are met when users set up these credentials, not just when they sign in. Organizations without CA policies targeting this user action aren't affected by this change.
Important: Even without Conditional Access policies protecting the Register security information user action, MFA continues to be required by default for all passwordless credential registration — including Windows Hello for Business, macOS Platform SSO, and all passkey types.
What's changing
Beginning in May 2026, when a user provisions Windows Hello for Business on a new device or registers macOS Platform SSO credentials, Microsoft Entra ID evaluates any Conditional Access policies that target the Register security information user action. If the user doesn't meet the policy requirements, they're prompted to satisfy them before completing registration. This only applies to organizations that have configured CA policies protecting this user action.
Depending on your organization's Conditional Access policies, users may be asked to:
- Authenticate with additional credentials before completing setup
- Use a specific authentication method, such as a phishing-resistant credential
- Be on a compliant device or connect from a trusted network location
- Satisfy other requirements defined in the policy
This appears as a standard Conditional Access prompt during the setup process — the same experience users already see during sign-in.
What's not changing
- Organizations without CA policies targeting the Register security information user action aren't affected by this change.
- MFA remains required by default for all passwordless credential registration — including Windows Hello for Business, macOS Platform SSO, and all passkey types — regardless of whether CA policies are configured.
- Sign-in behavior and existing CA policy evaluation for sign-in aren't affected.
- Credential registration through My Security Info in continues to work as before.
Customer action required
Review your Conditional Access policies for possible impact before enforcement reaches your tenant:
- In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies.
- Identify policies where the target is set to User actions > Register security information.
- Review the Grant controls on those policies — these will apply during Windows Hello for Business and macOS Platform SSO registration.
- Check the Users and groups scope to understand which users are affected.
- Consider whether users setting up a new device for the first time can satisfy your policy requirements. If your policy requires methods users may not have during initial provisioning, you may need to adjust conditions or add exclusions.
- Enable report-only mode on relevant policies to understand the impact before enforcement begins.
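
The same review can be run offline over policies exported from Microsoft Graph. The script below is an added example, not Microsoft's code. `urn:user:registersecurityinfo` is the Graph value for this user action; the sample policies, the `audit_registration_policies` helper and the choice to flag device-based grant controls for first-time setup are assumptions made for illustration.

```python
import json

REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph value for "Register security information"
# Assumption: grant controls worth a second look for first-time device setup.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

# Constructed sample in the shape of Graph's conditionalAccessPolicy resource.
SAMPLE = json.loads("""
[
 {"displayName": "Reg-info: compliant device", "state": "enabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "users": {"includeUsers": ["All"], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"displayName": "Reg-info: phishing-resistant", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "users": {"includeGroups": ["<group-id-placeholder>"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
 {"displayName": "All apps: MFA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

def audit_registration_policies(policies):
    """Return one finding per active policy that targets the Register security information action."""
    findings = []
    for p in policies:
        cond = p.get("conditions") or {}
        actions = (cond.get("applications") or {}).get("includeUserActions") or []
        if REGISTER_ACTION not in actions or p.get("state") == "disabled":
            continue  # not scoped to the user action, or switched off
        grant = p.get("grantControls") or {}
        controls = list(grant.get("builtInControls") or [])
        strength = (grant.get("authenticationStrength") or {}).get("displayName")
        users = cond.get("users") or {}
        findings.append({
            "policy": p.get("displayName"),
            "report_only": p.get("state") == "enabledForReportingButNotEnforced",
            "grant": controls + ([f"authStrength:{strength}"] if strength else []),
            "scope": {k: v for k, v in users.items() if v},  # non-empty include/exclude lists
            "has_location_condition": bool(cond.get("locations")),
            "review_first_time_setup": bool(DEVICE_CONTROLS & set(controls)),
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_registration_policies(SAMPLE), indent=2))
```

To use it on real data, replace `SAMPLE` with the `value` array returned by a Graph request for the tenant's Conditional Access policies.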

