Conditional Access policies now apply to Windows Hello for Business and macOS Platform SSO registration
🚨 The Signal: Conditional Access policies for security information registration now apply to Windows Hello for Business and macOS Platform SSO setup. This closes a security gap, enforcing stronger authentication and location requirements during credential enrollment.
The Impact
Security teams and users are affected, as stronger controls will now apply during device credential registration, reducing the risk of unauthorized enrollment.
- Security Teams: Enhanced enforcement of identity and access policies for device credentials.
- Users: May experience additional authentication prompts or location checks during Windows Hello for Business (WHfB) or macOS Platform SSO (PSSO) setup.
- Admins: Need to review existing Conditional Access policies targeting 'Register security information'.
- Organisations: Reduced risk of weak authentication for device-bound credentials.
The Action
- Navigate to Entra admin center > Protection > Conditional Access.
- Identify policies that target the 'Register security information' user action.
- Review 'Grant controls' within these policies to understand current requirements.
- Assess if existing policies adequately enforce desired authentication strength and location conditions for WHfB/macOS PSSO registration.
- Adjust policies as necessary to align with organizational security posture for device credential enrollment.
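The same review can be run over an export of the tenant's policies instead of clicking through each one. The Python below is an added example, not part of the original advisory or any Microsoft tooling; it assumes the JSON shape returned by Microsoft Graph's GET /identity/conditionalAccess/policies, and the sample policies, the function name and the three review notes are constructed for illustration.

```python
import json

REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph value for 'Register security information'

# Constructed sample in the shape of a Graph policy export (not real tenant data).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Registration - MFA outside trusted locations", "state": "enabled",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}},
  {"displayName": "Registration - pilot", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "locations": null},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"], "authenticationStrength": null}},
  {"displayName": "All apps - MFA", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"], "includeUserActions": []},
                  "locations": null},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}}
]}
""")

def audit_registration_policies(export):
    """Summarise each policy scoped to the registration user action and list review notes."""
    report = []
    for policy in export.get("value", []):
        cond = policy.get("conditions") or {}
        actions = (cond.get("applications") or {}).get("includeUserActions") or []
        if REGISTER_ACTION not in actions:
            continue  # policy does not target 'Register security information'
        grant = policy.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        strength = (grant.get("authenticationStrength") or {}).get("displayName")
        locations = cond.get("locations") or {}
        notes = []  # illustrative review points, not a compliance verdict
        if policy.get("state") != "enabled":
            notes.append("not enforced (state: %s)" % policy.get("state"))
        if not strength and "mfa" not in controls and "block" not in controls:
            notes.append("no MFA or authentication strength grant control")
        if not (locations.get("includeLocations") or locations.get("excludeLocations")):
            notes.append("no location condition")
        report.append({"policy": policy.get("displayName"), "controls": controls,
                       "authentication_strength": strength, "notes": notes})
    return report

if __name__ == "__main__":
    for row in audit_registration_policies(SAMPLE_EXPORT):
        print(row)
```

Policies in report-only or disabled state appear in the output with a note, since they do not yet constrain WHfB or Platform SSO registration.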
Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907