Researchers warn that an undocumented Conditional Access behaviour could allow attackers to quietly bypass safeguards in corporate environments.
[Stockholm, 14th April 2026] New security research from cybersecurity consultancy Reversec has revealed that Microsoft Entra’s Conditional Access service contains a hidden, undocumented time-based control that can be used to silently bypass critical security policies without any visibility in the Microsoft Azure portal, Microsoft Graph, or standard administrative tools.
This discovery has significant implications for organisations relying on Conditional Access to protect identities, enforce compliance, and secure access to corporate systems.
Conditional Access policies sit at the heart of modern identity protection, enforcing requirements such as multifactor authentication (MFA), trusted devices, and secure access for administrators. The newly uncovered issue shows that a privileged actor – legitimate or malicious – could add a time-restricted exception into any Conditional Access policy that:
- Temporarily disables protections at specific hours or days
- Leaves no visible trace in any standard management interface
- Cannot be detected using Microsoft’s own policy testing tools
- Appears fully compliant to administrators reviewing their policies
The only existing record of such a change is buried deep within complex audit logs.
“Although it requires significant privileges to execute, the security and governance risk it poses to organizations is very serious and hard to ignore,” said Christian Philipov, Principal Consultant at Reversec. “Conditional Access is meant to be a key security pillar in all organizations that make use of Microsoft’s offerings. And yet, a small gap in the proverbial armor can quietly undermine that trust by providing attackers a way into a tenant during specific time windows.
“For attackers, this becomes a stealthy and low-noise persistence method. With the right permissions, they can add a time-based bypass, wait for the window to open, and re-enter the environment undetected. It’s subtle, hard to spot, and significantly changes how organisations need to think about protecting their identity systems.
“Because Microsoft’s standard tools don’t show this behaviour, businesses may believe they’re protected when they’re not, creating a dangerous visibility gap with real compliance implications across frameworks like ISO 27001, SOC 2 and GDPR.”
The issue was reported to Microsoft in early 2025, and Microsoft confirmed the behaviour but stated that it is “working as expected” because the capability is part of a private preview. However, most organisations are unaware that such a preview feature is active within their production Conditional Access environment, and that standard tools do not expose it.
Philipov adds, “While organisations can’t disable this behaviour, they can and should take steps to reduce risk. Conditional Access Administrator must be treated as equivalent to tier-0 highly privileged roles, with strict access controls and oversight.
“Businesses should actively monitor changes to Conditional Access policies, strengthen governance around identity configuration, and ensure no single individual can make high-impact changes without review. This risk also needs to be factored into threat modelling, audits, and supplier and merger due diligence, because identity security failures rarely occur in isolation.”
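Since the audit log is the only place such a change is recorded, one way to act on the monitoring advice above is to diff every Conditional Access policy change so that any field an administrator does not recognise is surfaced for review. This is an added example, not Reversec's or Microsoft's code; it assumes audit records shaped like the Microsoft Graph directoryAudit resource (activityDisplayName, initiatedBy, targetResources with JSON-encoded oldValue/newValue), and the sample records and the placeholder field name are constructed.

```python
# Added example (not Reversec's): diff CA policy changes from Graph-style directoryAudit records (assumed)
import json

CA_ACTIVITIES = {"Add conditional access policy", "Update conditional access policy",
                 "Delete conditional access policy"}

def diff_json(old, new, path=""):
    """Recursively list (kind, path) for keys added, removed or changed."""
    if isinstance(old, dict) and isinstance(new, dict):
        changes = []
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changes.append(("added", sub))
            elif key not in new:
                changes.append(("removed", sub))
            else:
                changes.extend(diff_json(old[key], new[key], sub))
        return changes
    return [] if old == new else [("changed", path)]

def review_ca_changes(records):
    """One finding per CA policy audit event, diffing oldValue/newValue so unfamiliar fields stand out."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CA_ACTIVITIES:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                old = json.loads(prop.get("oldValue") or "{}")
                new = json.loads(prop.get("newValue") or "{}")
                findings.append({"time": rec["activityDateTime"], "actor": actor,
                                 "policy": target.get("displayName"),
                                 "changes": diff_json(old, new)})
    return findings

# Constructed sample: an MFA policy gains a key its old version lacked (placeholder name, not the real one)
OLD_POLICY = {"state": "enabled", "conditions": {"users": {"includeUsers": ["All"]}},
              "grantControls": {"builtInControls": ["mfa"]}}
NEW_POLICY = json.loads(json.dumps(OLD_POLICY))
NEW_POLICY["conditions"]["timeWindow_PLACEHOLDER"] = {"constructed": True}
SAMPLE_RECORDS = [{"activityDateTime": "2026-04-10T02:14:00Z",
                   "activityDisplayName": "Update conditional access policy",
                   "initiatedBy": {"user": {"userPrincipalName": "ca-admin@example.com"}},
                   "targetResources": [{"displayName": "Require MFA for all users",
                                        "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                                                                "oldValue": json.dumps(OLD_POLICY),
                                                                "newValue": json.dumps(NEW_POLICY)}]}]},
                  {"activityDateTime": "2026-04-10T09:00:00Z", "activityDisplayName": "Update user"}]
```

Any path reported as "added" that does not appear in the documented policy schema is exactly the kind of change the research says the portal will not show, and is worth a second pair of eyes.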
The full research can be found here: https://labs.reversec.com/posts/2026/04/its-just-a-matter-of-time-backdooring-conditional-access-policies
About Reversec
Reversec, a new name in cybersecurity consulting, helps organizations worldwide tackle their most complex cybersecurity challenges.
With a focus on continuous research, practical solutions and knowledge sharing, Reversec’s findings provide the rationale behind informed security decisions.
With over 30 years of experience, Reversec brings together the expertise of renowned companies MWR Infosecurity, F-Secure, WithSecure, Digital Assurance, nSense, and Inverse Path.
Media Contact
Kelly Friend
Kelly.friend@reversec.com
+44 (0)7880 488357