Signal Roundup — 20 June 2026

Five items this week: Conditional Access extends to baseline-scope sign-ins, self-service password reset will require registered authentication methods, a North Korean npm supply-chain compromise, an AI-agent host takeover from a single web page, and central authorization for Claude's MCP connectors.

Conditional Access now applies to apps requesting only baseline scopes

Microsoft is extending Conditional Access enforcement to sign-ins where an application requests only the baseline OpenID Connect scopes (openid, profile, email, offline_access), closing a path that previously slipped past policy. The change is rolling out now and completes by mid-August 2026. Review any policies you assumed already covered every sign-in, and confirm break-glass and service accounts behave as expected once enforcement lands.

Source: Office 365 for IT Pros — Entra ID Tightens Conditional Access Processing for Baseline Scopes

Self-service password reset will require registered authentication methods

From 6 September 2026, Microsoft Entra self-service password reset will stop verifying against directory attributes such as a phone number or email set on the user object, and will require methods the user has actually registered. This removes a weaker reset path and aligns SSPR with the authentication methods policy. Check your SSPR registration coverage now so people are not locked out when the change takes effect, and nudge any stragglers to register before the deadline.

Source: Office 365 for IT Pros — Microsoft Tightens Security for Self-Service Password Reset

North Korean actor poisons 140-plus npm packages in a supply-chain compromise

Microsoft attributes a fresh npm supply-chain attack to Sapphire Sleet, a North Korean state actor, who took over a maintainer account and injected a malicious typosquat dependency that ran an obfuscated dropper during package install. The payload harvested credentials and established persistence on developer machines. If your automation or CI pipelines pull npm packages, this is another reminder to pin versions, vet dependencies, and treat postinstall scripts as untrusted.

Source: Microsoft Security Blog — From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
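
One way to check a project against that advice, as an added example (not code from Microsoft's write-up or from the affected packages): a Node.js audit that flags unpinned ranges in `package.json` and lockfile entries that declare install scripts or lack an integrity hash. The function name `auditManifest` and all sample package names are assumptions made up for illustration.

```javascript
// Added example: audit package.json + package-lock.json (lockfile v2/v3).
// Package names and integrity strings below are constructed placeholders.

// Exact semver such as "4.0.3" or "1.0.0-rc.1"; ranges, tags and URLs can float.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function auditManifest(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(range)) findings.push({ kind: "unpinned", name, detail: range });
    }
  }
  // Lockfile keys are install paths; the name follows the last "node_modules/".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace folder
    const name = path.slice(i + "node_modules/".length);
    // npm records hasInstallScript for packages with preinstall/install/postinstall.
    if (entry.hasInstallScript) {
      findings.push({ kind: "install-script", name, detail: entry.version });
    }
    // Registry packages should carry an integrity hash; links and bundled deps do not.
    if (!entry.integrity && !entry.link && !entry.inBundle) {
      findings.push({ kind: "no-integrity", name, detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample: one floating range, one transitive package with an install script.
const samplePkg = { dependencies: { "example-lib": "^2.1.0", "example-util": "4.0.3" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/example-lib": { version: "2.1.4", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-util": { version: "4.0.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-lib/node_modules/exampel-helper": {
      version: "0.0.9", hasInstallScript: true, integrity: "sha512-CONSTRUCTED",
    },
  },
};

console.log(auditManifest(samplePkg, sampleLock));
```

Entries reported as `install-script` are the ones to review before scripts are allowed to run; installing with `npm ci --ignore-scripts` keeps them from executing in CI.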

Researchers show a single web page can take over an AI agent's host

Microsoft detailed AutoJack, an exploit chain where a malicious page rendered by an AI browsing agent triggers remote code execution on the machine running the agent, stemming from three compounding weaknesses in an MCP WebSocket implementation. The issue was fixed before any package release, so real-world exposure was limited to developers building from source. The wider lesson holds: agents that browse untrusted content need the same isolation and least-privilege treatment as any other code-execution surface. Factor this into how you sandbox and scope any agent tooling you let near client environments.

Source: Microsoft Security Blog — AutoJack: How a single page can RCE the host running your AI agent

Claude adds central authorization management for MCP connectors

Anthropic now lets enterprise administrators centrally manage authorization for MCP connectors, so an organisation can control which connectors users may authenticate and connect to rather than leaving it to individuals. For teams adopting Claude and agent tooling in delivery work, this brings connector access under admin policy instead of ad-hoc per-user consent. Worth reviewing if you are standardising how a team uses MCP-based integrations.

Source: Anthropic — Centrally manage authorization for MCP connectors

Tags: entra-id defender-xdr ai-workflow
