
The Hidden Risks of “All Users” in Conditional Access (And Why MSPs Get Burned)
Conditional Access is often marketed as a security control you can set up once and not worry about again.
But for MSPs, relying on that mindset can be risky.
There’s one setting that leads to more client outages, emergency calls, and blame than almost anything else:
Assignments → Users → Include → All users (Azure identity & access security best practices, 2024)
At first glance, it seems secure.
It also appears straightforward.
Yet it causes more self-made problems than most zero-day exploits.
For MSPs, using “All Users” seems efficient:
- One policy covers everyone
- New users are automatically protected
- Fewer exceptions to manage
- Easy to explain to clients
But here’s the problem:
Clients don’t run clean, predictable environments.
What “All Users” Really Includes (And Clients Never Tell You)
“All Users” is not limited to just people with mailboxes.
It includes:
- Break-glass accounts you didn’t create
- Service accounts tied to line-of-business apps
- Sync accounts
- Vendor accounts
- Legacy authentication users
- Forgotten automation identities (Azure AD Conditional Access Policy Design Baseline Version 6, 2023)
If you apply MFA, device compliance, or session controls to these accounts, things start to break, often without immediate signs. (Device compliance and MFA not working together, 2026)
MSP Nightmare #1: Emergency Access Gets Locked
Every MSP should maintain emergency access accounts. (Manage emergency access accounts in Azure Active Directory B2C, 2024)
But when “All Users” is used without exclusions:
- MFA blocks break-glass logins
- Device requirements stop sign-ins
- Session policies expire tokens
- The tenant becomes inaccessible during an incident
This is how a small configuration change can lead to a major outage.
When this happens, clients don’t blame Microsoft.
They hold you responsible.
MSP Nightmare #2: Line-of-Business Apps Stop Working
Many SMB apps:
- Can’t perform MFA
- Don’t use modern auth properly
- Depend on service accounts
- Stop working when Conditional Access is applied (Protection against Microsoft Office 365, 2020)
When “All Users” includes service accounts:
- Payroll fails
- Accounting sync breaks
- CRM integrations stop
Often, no one notices until the end of the month. (Auto Rollout of Conditional Access Policies in Microsoft Entra ID, 2024)
That emergency call usually starts with:
“Nothing changed; it just stopped working.” (Conditional Access policy has been enforced on Global Admins and All users, completely locked out tenant, 2025)
Something did change.
It was Conditional Access.
MSP Nightmare #3: Support Becomes Unscalable
“All Users” policies age badly.
Over time, MSPs add:
- More exclusions
- More exceptions
- More “temporary” fixes
Eventually:
- No one remembers why exclusions exist
- Techs are afraid to touch policies
- Onboarding new clients takes longer
- Offboarding becomes risky
Conditional Access can shift from being a helpful control to becoming a liability. (Common Azure AD Mistakes and How to Avoid Them, 2025)
Why This Hurts MSP Margins
Every “All Users” mistake leads to:
- Emergency after-hours work
- Unplanned troubleshooting
- SLA breaches
- Client confidence erosion (Require remediation for risky users - Microsoft Entra ID, 2025)
What’s worse is that these incidents are self-inflicted, which means:
- No vendor escalation
- No third-party blame
- No billable root cause
This leads directly to lost profit. (51% of Cyberattacks in the Managed Service Provider (MSP) Sector Lead to Unplanned Expenses to Fix Security Gaps, 2024)
The MSP Approach: Identity Segmentation
Successful MSPs move beyond thinking just in terms of “users” and instead focus on different identity types:
- Human users
- Admins
- Guests
- Service accounts
- Emergency accounts
Policies should be built with their purpose in mind, not just for convenience. (Conditional Access: Users, groups, agents, and workload identities, 2025)
It does require more effort at the start.
But it saves hours of work and protects your reputation in the long run.
The MSP Rule
If you didn’t create the account and don’t fully understand how it authenticates, it should never be covered by a broad “All Users” policy.
This rule alone prevents most Conditional Access disasters. (Plan Your Microsoft Entra Conditional Access Deployment, 2023)
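One way to apply the rule and the two "nightmare" checks above in practice is to audit exported policies rather than eyeball them in the portal. The following is an added example, not code from the article or from Microsoft: it reads policies in the shape returned by Microsoft Graph (GET /identity/conditionalAccess/policies) and flags enforced "All users" policies that do not exclude the break-glass accounts, or that apply MFA or device compliance without excluding the service-account group. The sample policies and the two object IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies); IDs are placeholders, not real values.
POLICIES_JSON = """
[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "excludeGroups": [], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Require compliant device", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["BREAK-GLASS-ID-PLACEHOLDER"],
                            "excludeGroups": ["SERVICE-ACCOUNTS-GROUP-ID-PLACEHOLDER"],
                            "excludeRoles": []}},
   "grantControls": {"builtInControls": ["compliantDevice"]}},
  {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "excludeGroups": [], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["block"]}}
]
"""

# Assumed tenant-specific values: the break-glass account object IDs and the
# object ID of the group that holds service, sync and vendor accounts.
BREAK_GLASS_IDS = {"BREAK-GLASS-ID-PLACEHOLDER"}
SERVICE_ACCOUNT_GROUP = "SERVICE-ACCOUNTS-GROUP-ID-PLACEHOLDER"

def load_sample_policies():
    return json.loads(POLICIES_JSON)

def audit_all_users_policies(policies, break_glass_ids, service_group):
    """Return (policy name, finding) pairs for enforced policies that target
    'All' users without the exclusions the article calls for."""
    findings = []
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        if "All" not in users.get("includeUsers", []) or p.get("state") != "enabled":
            continue  # only enforced All-users policies can lock anyone out
        excluded_users = set(users.get("excludeUsers", []))
        excluded_groups = set(users.get("excludeGroups", []))
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        # Nightmare #1: an enforced All-users policy must exclude every break-glass account
        if break_glass_ids - excluded_users:
            findings.append((p["displayName"], "break-glass account(s) not excluded"))
        # Nightmare #2: MFA or device compliance on All without a service-account exclusion
        if controls & {"mfa", "compliantDevice"} and service_group not in excluded_groups:
            findings.append((p["displayName"], "service-account group not excluded"))
    return findings
```

Report-only policies are skipped on purpose: they are the safe place to stage an "All users" change before it can cause the outages described above.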
Final Thought
Conditional Access is one of the best security tools MSPs manage.
But when misused, it becomes one of the fastest ways to:
- Break production
- Upset clients
- Burn engineer time
- Lose trust (MSRC, 2023)
“All Users” looks secure in a policy window.
Being precise is what helps MSPs stay profitable.
If you manage Conditional Access for clients and haven’t reviewed your assignments recently, now is the time — before the next emergency call reminds you why.
Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.
References
(2024). Azure identity & access security best practices. Microsoft Learn. https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
(2023). Azure AD Conditional Access Policy Design Baseline Version 6. danielchronlund.com. https://danielchronlund.com/wp-content/uploads/2020/10/azure-ad-conditional-access-policy-design-baseline-version-6.pdf
(2026). Device compliance and MFA not working together. Microsoft Q&A. https://learn.microsoft.com/en-us/answers/questions/5553431/device-compliance-and-mfa-not-working-together
(2024). Manage emergency access accounts in Azure Active Directory B2C. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tenant-management-emergency-access-account
(2020). Protection against Microsoft Office 365. Kyberturvallisuuskeskus. https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/T_MS365_eng2_200919.pdf
(January 25, 2024). Auto Rollout of Conditional Access Policies in Microsoft Entra ID. Microsoft Security Community Blog. https://techcommunity.microsoft.com/blog/microsoft-security-blog/auto-rollout-of-conditional-access-policies-in-microsoft-entra-id/4036935
(August 6, 2025). Conditional Access policy has been enforced on Global Admins and All users Completely locked out tenant. Microsoft Q&A. https://learn.microsoft.com/en-us/answers/questions/5516497/conditional-access-policy-has-been-enforced-on-glo
(2025). Common Azure AD Mistakes and How to Avoid Them. https://azure.criticalcloud.ai/common-azure-ad-mistakes-avoid-them/
(2025). Require remediation for risky users - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-risk-based-user
(July 8, 2024). 51% of Cyberattacks in the Managed Service Provider (MSP) Sector Lead to Unplanned Expenses to Fix Security Gaps. PR Newswire. https://www.prnewswire.com/news-releases/51-of-cyberattacks-in-the-managed-service-provider-msp-sector-lead-to-unplanned-expenses-to-fix-security-gaps-302192035.html
(2025). Conditional Access: Users, groups, agents, and workload identities. Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups
(2023). Plan Your Microsoft Entra Conditional Access Deployment. Microsoft Learn. https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
MSRC. (March 28, 2023). Guidance on Potential Misconfiguration of Authorization of Multi-Tenant Applications that use Azure AD. Microsoft Security Response Center. https://www.microsoft.com/en-us/msrc/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad