Update entra-conditional-access-integration.md (#32434)

Expanded group assignment for the conditional access policy, to help
admins understand that if they want to properly enforce access for
certain applications, they need to scope the broadest group possible for
their application. This will make sure that any devices not managed by
Fleet will be prompted to enroll in Fleet and be marked as compliant
before access is granted.
Mitch Francese 2025-09-02 09:34:43 -04:00 committed by GitHub
parent 31190dfe65
commit e6e8f3ed6c
GPG key ID: B5690EEEBB952194


@ -172,7 +172,15 @@ After you add policies in Fleet, you also need to add an Entra "Conditional Acce
As an example, you can create a policy to "block access to Office 365 on macOS devices reported as non-compliant by Fleet":
![Entra ID Conditional Access policy example](../website/assets/images/articles/entra-conditional-access-policy-554x506@2x.png)
Make sure to assign the "Fleet conditional access" group to the Entra policy.
Then assign the policy to the "Fleet conditional access" group.
**Start with a pilot**, then expand gradually. Begin by adding test users—maybe your IT team or a department—to this group. As you gain confidence with the setup, expand the "Fleet conditional access" group to include more users.
**Your end goal should be to include everyone.** For the broadest protection, add all users who access your protected applications to the "Fleet conditional access" group.
This matters because if a user isn't in the group, they'll bypass the policy entirely.
A macOS user outside the group can access Office 365 without any Fleet enrollment or compliance checks. When all are added, any access from unmanaged macOS devices will get prompted to enroll their device with Fleet.
### Disabling "Conditional Access" on a team
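Review bot: the two lines "Make sure to assign the "Fleet conditional access" group to the Entra policy." and "Then assign the policy to the "Fleet conditional access" group." say the same thing; unless one of them is the removed line of this hunk, keep only the second, since it follows naturally from the policy example above it. The pilot guidance also reads as if a small group is a safe starting point on its own, while the sentence two lines later explains that anyone outside the group bypasses the policy entirely; consider stating that consequence inside the "Start with a pilot" paragraph (for example, "Users outside the group are not subject to this policy during the pilot") so the trade-off is visible where the pilot is recommended.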