This article provides information about the latest releases and change announcements across the Microsoft Entra family of products over the last six months (updated monthly). If you're looking for information that's older than six months, see: Archive for What's new in Microsoft Entra.
Get notified about when to revisit this page for updates by copying and pasting this URL into your feed reader:
https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us
February 2026
General Availability - Expanded attribute support in Lifecycle Workflows attribute changes trigger
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:
- Custom security attributes
- Directory extension attributes
- EmployeeOrgData attributes
- On-premises attributes 1-15
This enhancement gives administrators greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments. For more information, see: Use Custom attribute triggers in lifecycle workflows.
General Availability - Delegated Workflow Management in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Customers are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope. For more information, see: Delegated workflow management.
General Availability - Device authorization grant flow in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Similar to Microsoft Entra ID (workforce tenants), Microsoft Entra External ID (external tenants) now supports device authorization grant flow, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. For more information, see OAuth 2.0 device authorization grant.
Upcoming change - Microsoft Entra Connect security update to block hard match for privileged roles
Type: Plan for change
Service category: Entra Connect
Product capability: Entra Connect
What is Hard-matching in Microsoft Entra Connect Sync and Cloud Sync?
When Microsoft Entra Connect or Cloud Sync adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with a Microsoft Entra object by looking up the incoming object’s sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud-managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect or Cloud Sync takes over the source of authority (SoA) of that object and updates it with the properties of the incoming Active Directory object. This is known as a "hard match."
To strengthen the security posture of your Microsoft Entra ID environment, we're introducing a change that restricts certain types of hard-match operations by default.
What’s changing
Beginning June 1, 2026, Microsoft Entra ID will block any attempt by Microsoft Entra Connect Sync or Cloud Sync to hard-match a new user object from Active Directory to an existing cloud-managed Microsoft Entra ID user object that holds privileged roles.
This means:
If a cloud managed user already has onPremisesImmutableId (sourceAnchor) set and is assigned a privileged role, Microsoft Entra Connect Sync or Cloud Sync will no longer be able to take over the Source of Authority of that user by hard-matching with an incoming user object from Active Directory.
This safeguard prevents attackers from taking over privileged cloud managed users in Microsoft Entra by manipulating attributes of user objects in Active Directory.
What’s not changing
- Hard match operations for non-privileged accounts aren't affected.
- Soft match behavior isn't affected.
Customer action required
If you encounter a hard match error after June 1, 2026, see our documentation for mitigation steps.
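The condition described under "This means" can be checked against an export of your own directory. The following added example (not Microsoft's code) lists cloud-managed users that have onPremisesImmutableId set and hold a privileged role; the sample records are constructed, and the function name and the use of an isPrivileged flag on role definitions are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample data, shaped like Microsoft Graph user,
# unifiedRoleDefinition and unifiedRoleAssignment objects.
USERS = [
    {"id": "u1", "userPrincipalName": "cloud.admin@contoso.example",
     "onPremisesImmutableId": "Q09OU1RSVUNURUQx", "onPremisesSyncEnabled": None},
    {"id": "u2", "userPrincipalName": "clean.admin@contoso.example",
     "onPremisesImmutableId": None, "onPremisesSyncEnabled": None},
    {"id": "u3", "userPrincipalName": "synced.admin@contoso.example",
     "onPremisesImmutableId": "Q09OU1RSVUNURUQy", "onPremisesSyncEnabled": True},
    {"id": "u4", "userPrincipalName": "standard.user@contoso.example",
     "onPremisesImmutableId": "Q09OU1RSVUNURUQz", "onPremisesSyncEnabled": None},
]
ROLE_DEFINITIONS = [
    {"id": "role-ga", "displayName": "Global Administrator", "isPrivileged": True},
    {"id": "role-ua", "displayName": "User Administrator", "isPrivileged": True},
    {"id": "role-dr", "displayName": "Directory Readers", "isPrivileged": False},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinitionId": "role-ga"},
    {"principalId": "u1", "roleDefinitionId": "role-ua"},
    {"principalId": "u2", "roleDefinitionId": "role-ga"},
    {"principalId": "u3", "roleDefinitionId": "role-ua"},
    {"principalId": "u4", "roleDefinitionId": "role-dr"},
]


def privileged_users_with_source_anchor(users, assignments, definitions):
    """Return cloud-managed users that carry an onPremisesImmutableId and
    hold at least one privileged role.

    Assumption: role assignments are direct; assignments made through
    role-assignable groups are not expanded here.
    """
    privileged = {d["id"]: d["displayName"]
                  for d in definitions if d.get("isPrivileged")}

    # Collect the privileged role names held by each principal.
    roles_by_user = defaultdict(set)
    for a in assignments:
        role_name = privileged.get(a["roleDefinitionId"])
        if role_name:
            roles_by_user[a["principalId"]].add(role_name)

    findings = []
    for u in users:
        cloud_managed = not u.get("onPremisesSyncEnabled")  # null or false
        has_anchor = bool(u.get("onPremisesImmutableId"))
        roles = roles_by_user.get(u["id"])
        if cloud_managed and has_anchor and roles:
            findings.append({
                "userPrincipalName": u["userPrincipalName"],
                "onPremisesImmutableId": u["onPremisesImmutableId"],
                "privilegedRoles": sorted(roles),
            })
    return sorted(findings, key=lambda f: f["userPrincipalName"])


if __name__ == "__main__":
    for f in privileged_users_with_source_anchor(
            USERS, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f["userPrincipalName"], f["privilegedRoles"])
```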
General Availability - External Auth Methods is Generally Available
Type: New feature
Service category: MFA
Product capability: User Authentication
We’re excited to announce that External Authentication Methods (EAM) in Microsoft Entra ID has reached General Availability. EAM enables organizations to integrate their preferred third-party MFA solutions seamlessly with Microsoft Entra ID for enhanced security and flexibility. This release includes full registration support and updated documentation to help you get started. For more information, see: Manage an external authentication method in Microsoft Entra ID.
General Availability - Custom banned password lists supported in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
In addition to the global banned password lists already supported, EEID admins can now add specific strings to block during password creation and reset. For more information, see Password Protection - Custom banned password lists.
Upcoming Changes - Jailbreak Detection in Authenticator App
Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection
Starting February 2026, Microsoft Authenticator will introduce jailbreak/root detection for Microsoft Entra credentials in the Android app. The rollout progresses from warning mode → blocking mode → wipe mode. Users must move to compliant devices to continue using Microsoft Entra accounts in Authenticator.
General Availability - Microsoft Entra Connect Sync now supports Windows Server 2025
Type: New feature
Service category: Entra Connect
Product capability: Entra Connect
Microsoft Entra Connect Sync now officially supports Windows Server 2025. This means you can confidently install and run Microsoft Entra Connect Sync on servers running Windows Server 2025, enabling your hybrid identity environment to take full advantage of the latest Windows Server enhancements.
What this means for you: With this update, organizations can upgrade their identity synchronization servers to Windows Server 2025 without hesitation. Windows Server 2025 brings advanced features that improve security, performance, and flexibility, and our engineering team has thoroughly validated Microsoft Entra Connect Sync on this platform. Many customers have been eager to adopt Windows Server 2025 to leverage its enhanced security, better performance, and improved management capabilities. Now, with official support in place, you can benefit from these improvements while maintaining a reliable, fully supported hybrid identity solution.
The Microsoft Entra Connect Sync .msi installation file is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect. Check our version history page for more details on available versions.
Consider moving to Cloud Sync: Microsoft Entra Cloud Sync is a sync client that works from the cloud and allows customers to set up and manage their sync preferences online. We recommend that you use Cloud Sync because we're introducing new features that improve the sync experiences through Cloud Sync.
Public Preview - New end user homepage in My Account
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
The homepage at https://myaccount.windowsazure.cn has been updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
General Availability - Microsoft Entra Provisioning Service available in Microsoft Azure operated by 21Vianet
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications
The Microsoft Entra provisioning service can be used in the 21Vianet / China cloud for the following scenarios: API-driven provisioning, Cloud Sync, Cross-tenant sync between China tenants, SCIM provisioning for the non-gallery / custom application, and on-premises app provisioning (ECMA). Specific gallery connectors such as Workday, SuccessFactors, and AWS aren't onboarded to the environment. For more information, see: Gallery application doesn't support provisioning in US Government or 21Vianet (China) clouds.
General Availability - Revoke previously approved access package assignments in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance
By the end of March, Microsoft Entra ID Governance approvers can revoke access to an access package after an approval has already been granted. This gives approvers greater control to respond to changes, mistakes, or updated business needs. With this update, an approver can undo a prior approval decision, immediately removing the requestor’s access to the access package. Only the approver who originally approved the request can revoke it, even if multiple approvers belong to the same approver group. For more information, see: Revoke a request.
January 2026
General Availability - Microsoft Entra ID Governance guest billing meter enforcement
Type: New feature
Service category: Entitlement Management, Lifecycle Workflows
Product capability: Entitlement Management, Lifecycle Workflows
Enforcement for the Microsoft Entra ID Governance guest billing meter is now in effect for Entitlement Management and Lifecycle Workflows (Access Reviews will be enforced later in CY26 Q1). To keep using Entra ID Governance premium features for guest users in workforce tenants, you must link a valid Azure subscription to activate the Microsoft Entra ID Governance for guests add-on. If a subscription isn’t linked, creation or updates of new guest-scoped governance configurations will be restricted (for example, certain access package policies, access reviews, and lifecycle workflows), and guest-specific governance actions may fail until billing is configured.
For more information, see: Microsoft Entra ID Governance licensing for guest users.
General Availability - Service Principal creation audit logs for alerting & monitoring
Type: New feature
Service category: Audit
Product capability: Monitoring & Reporting
New audit log properties now make it easy for admins to understand why a service principal was created and who or what triggered it. The logs now surface the provisioning mechanism, the specific SKUs or service plans that enabled just‑in‑time creation, and the home tenant of the app registration. This helps admins quickly distinguish Microsoft‑driven provisioning from tenant‑driven activity, streamlining alerting and investigations into newly created service principals. For more information, see:
General Availability - Session Control Conditional Access Policies in Entra External ID
Type: New feature
Service category: Conditional Access
Product capability: B2B/B2C
EEID admins can configure persistent browser session and sign‑in frequency in Conditional Access. For more information, see Conditional Access: Manage Session Controls Effectively.
General Availability - Improved enforcement for All resources policies with resource exclusions
Type: Changed feature
Service category: Conditional Access
Product capability: Access Control
Microsoft Entra Conditional Access is strengthening how policies that target All resources with resource exclusions are enforced in a narrow set of authentication flows. After this change, in user sign‑ins where a client application requests only OIDC or specific directory scopes, Conditional Access policies that target All resources with one or more resource exclusions, or policies that explicitly target Azure AD Graph, will be enforced. This ensures that policies are consistently applied regardless of the scope set requested by the client application. For more information, see: New Conditional Access behavior when an ALL resources policy has a resource exclusion.
December 2025
General Availability - Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11
Type: New feature
Service category: Authentications (Logins)
Product capability: SSO
Windows has many user experiences that use WebViews to present web content to users in a way that looks like native content. A common scenario for this is authentication flows, where a user is prompted for their username and provides credentials.
Microsoft Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting with KB5072033 (OS Builds 26200.7462 and 26100.7462) or later. This release marks a significant step forward in delivering a secure, modern, and consistent sign-in experience across apps and services.
WebView2 will become the default framework for WAM authentication in an expected future Windows release, with the EdgeHTML WebView being deprecated. Therefore, we encourage users to deploy now and participate in the opt-in process, enable this experience in their environments, and make any necessary adjustments — such as updating proxy rules or modifying code in services involved in the sign in process. Contact Customer Support Services if you'd like to provide feedback.
Moving to WebView2 is more than a technical upgrade; it’s a strategic investment in secure, user-friendly identity experiences. We’re committed to evolving Microsoft Entra ID to meet the needs of modern organizations and developers.
For more information, see:
General Availability - Microsoft Entra Connect security hardening to prevent user account takeover
Type: Fixed
Service category: Entra Connect
Product capability: Access Control
As part of ongoing security hardening, Microsoft has implemented new safeguards to block account takeover attempts via hard match abuse in Microsoft Entra Connect (known as SyncJacking). Enforcement of this change begins in March 2026.
What’s Changing:
- Enforcement logic now checks OnPremisesObjectIdentifier to detect and block remapping attempts.
- Audit logs have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled.
- Admin capability added to clear OnPremisesObjectIdentifier for legitimate recovery scenarios.
Customer Action Required:
- Upgrade to the latest Microsoft Entra Connect version.
- Review updated hardening guidance and enable recommended flags:
  - Disable hard match takeover
Additional Guidance:
- If enforcement blocks an operation, you'll see the following error message: “Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping.”
- Use audit logs to identify which objects are currently impacted. Specifically, look for audit events where OnPremisesObjectIdentifier or DirSyncEnabled was modified.
- For legitimate recovery, you can clear and reset OnPremisesObjectIdentifier using the following Microsoft Graph API:
Request: PATCH https://microsoftgraph.chinacloudapi.cn/beta/users/<UserId>
Body:
{
  "onPremisesObjectIdentifier": null
}
This change takes effect on the Microsoft Entra service side, so it's independent of your sync client.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect. Check our version history page for more details on available versions.
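The audit-log review recommended in the guidance above can be automated over exported audit records. The following added example (not Microsoft's code) scans records shaped like the Microsoft Graph directoryAudit resource for changes to OnPremisesObjectIdentifier or DirSyncEnabled; the sample events, the function names and the priority labels are constructed for illustration.

```python
import json

WATCHED = {"onpremisesobjectidentifier": "OnPremisesObjectIdentifier",
           "dirsyncenabled": "DirSyncEnabled"}

# Constructed sample events (deliberately out of time order).
SAMPLE_AUDIT_EVENTS = [
    {"activityDateTime": "2026-01-12T14:30:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example", "modifiedProperties": [
         {"displayName": "OnPremisesObjectIdentifier",
          "oldValue": '["22222222-0000-0000-0000-000000000002"]', "newValue": "[]"}]}]},
    {"activityDateTime": "2026-01-10T08:15:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_CONSTRUCTED@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example", "modifiedProperties": [
         {"displayName": "OnPremisesObjectIdentifier",
          "oldValue": '["11111111-0000-0000-0000-000000000001"]',
          "newValue": '["99999999-0000-0000-0000-000000000009"]'},
         {"displayName": "DirSyncEnabled", "oldValue": "[]", "newValue": '["True"]'}]}]},
    {"activityDateTime": "2026-01-11T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"app": {"displayName": "HR provisioning (constructed)"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example", "modifiedProperties": [
         {"displayName": "DisplayName", "oldValue": '["Carol"]', "newValue": '["Carol C."]'}]}]},
]


def decode_value(raw):
    """Audit values are often JSON-encoded lists ('["x"]', '[]'); accept plain text too."""
    if raw is None:
        return ""
    text = str(raw).strip()
    try:
        parsed = json.loads(text)
    except ValueError:
        return text.strip('"')
    if isinstance(parsed, list):
        return ",".join(str(item) for item in parsed)
    return "" if parsed is None else str(parsed)


def classify(old, new):
    """Describe the transition between the old and new property values."""
    if old and new and old != new:
        return "changed"
    if old and not new:
        return "cleared"
    if new and not old:
        return "set"
    return "unchanged"


def find_sync_anchor_changes(events):
    """Return one finding per watched property change, oldest first."""
    hits = []
    for event in events:
        who = event.get("initiatedBy") or {}
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        for target in event.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                name = WATCHED.get((prop.get("displayName") or "").lower())
                if name is None:
                    continue
                old = decode_value(prop.get("oldValue"))
                new = decode_value(prop.get("newValue"))
                change = classify(old, new)
                if change == "unchanged":
                    continue
                # An identifier swapped for a different one is a remapping.
                remap = name == "OnPremisesObjectIdentifier" and change == "changed"
                hits.append({
                    "time": event.get("activityDateTime", ""),
                    "actor": actor,
                    "target": target.get("userPrincipalName")
                              or target.get("displayName") or target.get("id"),
                    "property": name, "change": change,
                    "old": old, "new": new,
                    "priority": "high" if remap else "review",
                })
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in find_sync_anchor_changes(SAMPLE_AUDIT_EVENTS):
        print(hit["time"], hit["priority"], hit["target"],
              hit["property"], hit["change"], "by", hit["actor"])
```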
Public Preview - Just-in-time password migration to Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
The Just-in-Time (JIT) Password Migration feature is designed to provide a seamless and secure experience for customers transitioning to Microsoft Entra External ID. This capability enables external identity providers to migrate user credentials during sign-in, eliminating the need for bulk password resets and minimizing disruption for end users. When a user meets the migration conditions at sign-in, their credentials are securely transferred as part of the process, ensuring continuity and reducing friction.
By integrating migration into the authentication flow, organizations can simplify administrative tasks while maintaining security standards. This approach not only enhances user experience but also accelerates adoption of Microsoft Entra External ID without compromising operational efficiency.
November 2025
Public Preview - Externally determine the approval requirements for an access package using custom extensions
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In Entitlement Management, approvers for access package assignment requests can either be directly assigned or determined dynamically. Entitlement Management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization. With the introduction of this feature, you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organization's specific business logic. The access package assignment request process will pause until your business logic hosted in Azure Logic Apps returns an approval stage, which will then be used in the subsequent approval process via the My Access portal. For more information, see: Externally determine the approval requirements for an access package using custom extensions.
General Availability - Support for eligible group memberships and ownerships in Entitlement Management access packages
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You are now able to govern these just-in-time access assignments at scale by offering a self-service access request & extension process and integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups.
General Availability - Reprocess failed users and workflows in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now supports reprocessing workflows, helping organizations recover when errors or failures are discovered. You can reprocess previous workflow runs, including failed runs or runs that you simply want to process again. Customers can choose from the following options to fit their needs:
- Select specific workflow run to be reprocessed
- Select which users from the workflow run to be reprocessed e.g. failed users or all users from the run
For more information, see Reprocess workflows.
General Availability - Trigger workflows for inactive employees and guests in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now enables customers to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign‑in inactivity. By detecting inactivity, the workflow automatically executes predefined tasks—such as sending notifications, disabling accounts, or initiating offboarding—when users exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently — reducing security exposure, reducing license waste, and enforcing governance policies at scale. For more information, see: Manage inactive users using Lifecycle Workflows.
Public Preview - Soft Deletion for Cloud Security Groups
Type: New feature
Service category: Group Management
Product capability: Identity Security & Protection
Soft deletion for cloud security groups introduces a safety mechanism that allows administrators to recover deleted groups within a 30‑day retention period. When a cloud security group is deleted, it is not immediately removed from the directory; instead, it enters a soft‑deleted state, preserving its membership and configuration. This feature helps prevent accidental data loss and supports business continuity by enabling quick restoration of groups without requiring manual recreation. Administrators can restore soft‑deleted groups through the Microsoft Entra admin center or Microsoft Graph API during the retention window.
Public Preview - User centric access reviews including disconnected applications
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance
This capability enables organizations to manage access reviews for applications that are not yet integrated with Microsoft Entra ID. For more information, see: Include custom data provided resource in the catalog for catalog user Access Reviews (Preview).
Public Preview - User centric access reviews
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance
User centric access reviews (UAR) provide a user‑centric review model that lets reviewers view a user’s access across multiple resources in a catalog in one unified view, streamlining the process of ensuring the right access at the right time. Resources include Entra groups, and both connected and disconnected (BYOD) applications, providing customers with a consolidated, holistic review experience. For more information, see: Catalog Access Reviews (Preview).
Public Preview - New experience for Entra account registration page on Windows
Type: New feature
Service category: Device Registration and Management
Product capability: User Authentication
We are introducing a new modernized user experience for the Entra account registration flow on Windows. The new user experience is updated to be consistent with Microsoft design patterns and splits the experience into two separate pages for registration and enrollment.
We are also introducing a new admin property in public preview to control the MDM enrollment option in the account registration flow. This is targeted at customers who want to enable Windows MAM for their work or school accounts. The new setting controls the user experience screen for end users to MDM enroll in this flow. For more information, see: Set up automatic enrollment for Windows devices.
Public preview - Microsoft Entra ID with Entra Kerberos has added support for cloud‑only identities
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft Entra ID with Entra Kerberos has added support for cloud-only identities, which allows Entra-joined session hosts to authenticate and access cloud resources like Azure file shares and Azure Virtual Desktop without relying on traditional Active Directory infrastructure. This capability is essential for organizations adopting a cloud-only strategy, as it removes the need for domain controllers while preserving enterprise-grade security, access control, and encryption. For more information, see: Cloud only identity (Preview).
October 2025
Plan for Change - Update to Revoke Multifactor Authentication Sessions
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection
Starting February 2026, we are replacing the current “Revoke multifactor authentication sessions” button with the “Revoke sessions” button in the Microsoft Entra admin center.
The legacy “Revoke MFA sessions” action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new “Revoke sessions” button will invalidate all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.
Action required
Admins should update workflows and guidance to use “Revoke sessions” instead of “Revoke MFA sessions”. The “Revoke MFA sessions” option will be removed from the portal after this change.
Deprecation - Iteration 2 beta APIs for Microsoft Entra PIM will be retired. Migrate to Iteration 3 APIs.
Type: Deprecated
Service category: Privileged Identity Management
Product capability: Identity Governance
Introduction
Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) Iteration 2 (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail.
How this will affect your organization
After Oct 28, 2026, any applications or scripts calling Microsoft Entra PIM Iteration 2 (beta) API endpoints will fail. These calls will no longer return data, which might disrupt workflows or integrations relying on these endpoints. These APIs were released in beta and are being retired; the Iteration 3 APIs are generally available (GA) and offer improved reliability and broader scenario support.
What you need to do to prepare
We strongly recommend migrating to the Iteration 3 (GA) APIs, which are generally available.
- Begin migration planning and testing as soon as possible.
- Halt any new development using Iteration 2 APIs.
- Review documentation for Iteration 3 APIs to ensure compatibility.
Learn more:
- API concepts in Privileged Identity management - Microsoft Entra ID Governance | Microsoft Learn
- Privileged Identity Management iteration 2 APIs
- Migrate from PIM iteration 2 APIs to PIM iteration 3 APIs
Public Preview - Soft Delete & Restore for Conditional Access Policies and Named Locations
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
We’re thrilled to announce the Public Preview of soft delete and restore for Conditional Access (CA) policies and Named Locations in Microsoft Entra. This new capability extends our proven soft delete model to critical security configurations across Microsoft Graph APIs (in beta) and the Microsoft Entra Admin Center, helping admins recover from accidental or malicious deletions quickly and strengthen overall security posture.
With this feature, admins can:
- Restore deleted items to their exact prior state within 30 days
- Review deleted items before restoring
- Permanently delete when needed
Soft delete has already been proven at scale across Microsoft Entra (7M+ objects restored in the last 30 days). Bringing it to CA policies and Named Locations ensures quick disaster recovery, minimizes downtime, and maintains security integrity.
General Availability - Suggested Access Packages can be shown to users in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In My Access, Microsoft Entra ID Governance users can see a curated list of suggested access packages. This capability allows users to quickly view the most relevant access packages for them, based on their peers' access packages and previous assignments, without scrolling through all their available access packages.
The suggested access packages list is created by finding people related to the user (manager, direct reports, organization, team members) and recommending access packages based on what the user's peers have. The user is also suggested access packages that were previously assigned to them.
We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access.
General Availability - Conversion of external users to internal members
Type: New feature
Service category: User Management
Product capability: User Management
External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account and access to resources isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.
The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.
General Availability - Granular, Least-Privileged Permissions for UserAuthenticationMethod APIs
Type: New feature
Service category: MS Graph
Product capability: Developer Experience
Summary
We're introducing new, granular permissions for the UserAuthenticationMethod APIs in Microsoft Entra ID. This update enables organizations to apply the principle of least privilege when managing authentication methods, supporting both security and operational efficiency.
What’s New?
- New per-method permissions: Fine-grained permissions for each authentication method (for example, Password, Microsoft Authenticator, Phone, Email, Temporary Access Pass, Passkey, Windows Hello for Business, QR+PIN, and others).
- Read-only policy permission: A new permission allows read-only access to authentication method policies, improving role separation and auditability.
For more information, see Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
Plan for Change - Jailbreak Detection in Authenticator App
Type: Plan for change
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection
Starting February 2026, we'll introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app. This update strengthens security by preventing Microsoft Entra credentials from functioning on jail-broken or rooted devices. All existing credentials on such devices will be wiped to protect your organization.
This capability is secure by default and requires no admin configuration or control. The change applies to both iOS and Android. This change won't apply to personal or third party accounts.
Action required: Notify end users about this upcoming change. Authenticator will become unusable for Microsoft Entra accounts on jail-broken or rooted devices.
For more information, see: About Microsoft Authenticator.
September 2025
General Availability - Dedicated new 1st party resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
As part of ongoing security hardening, Microsoft has deployed a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application will manifest as a first party service principal called the "Microsoft Entra AD Synchronization Service" (Application ID: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) and will be visible in the Enterprise Applications experience within the Microsoft Entra admin center. This application is critical for the continued operation of on-premises to Microsoft Entra ID synchronization functionality through Microsoft Entra Connect.
Microsoft Entra Connect now uses this first party application to synchronize between Active Directory and Microsoft Entra ID. Customers are required to upgrade to version 2.5.79.0 or later by September 2026.
We auto-upgrade customers where supported. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect.
Check our version history page for more details on available versions.
Public Preview - App management policies portal experience
Type: New feature
Service category: Enterprise Apps
Product capability: Directory
App management policies allow administrators to improve the security of their organization by setting rules on how applications in their organization can be configured. They can use them to block insecure configurations like password credentials. These policies have been available through the Microsoft Graph API, but can now also be configured using the Microsoft Entra admin center, under the Enterprise applications experience.
Learn more about how to configure app management policies.
Retirement - Microsoft Authentication Library to MSAL Recommendations API
Type: Deprecated
Service category: Other
Product capability: Developer Experience
We’re retiring the ADAL to MSAL Recommendations API on December 15, 2025.
To continue monitoring authentication library usage, customers can query sign-in logs manually via Microsoft Graph API. The relevant data is available in the authenticationProcessingDetails field under the key "Azure AD App Authentication Library".
For guidance, see:
No action is required to disable the API.
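The manual check described above can be scripted once sign-in records have been exported. The following is an added example, not Microsoft's code: the sample records, app IDs and app names are constructed, and the `Family: ... Library: ... Platform: ...` layout of the value is an assumption about how the library string is formatted.

```python
import re

LIB_KEY = "Azure AD App Authentication Library"  # key named in the retirement notice

# Constructed sample records shaped like Graph sign-in objects (not real tenant data).
SAMPLE_SIGNINS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Legacy HR Portal",
     "authenticationProcessingDetails": [
         {"key": "Is CAE Token", "value": "False"},
         {"key": LIB_KEY, "value": "Family: ADAL Library: ADAL.NET 3.19.8 Platform: .NET"}]},
    {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Legacy HR Portal",
     "authenticationProcessingDetails": [
         {"key": LIB_KEY, "value": "Family: ADAL Library: ADAL.NET 5.2.9 Platform: .NET"}]},
    {"appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Expense App",
     "authenticationProcessingDetails": [
         {"key": LIB_KEY, "value": "Family: MSAL Library: MSAL.Python 1.20.0 Platform: Python"}]},
    {"appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Browser Sign-in",
     "authenticationProcessingDetails": None},  # record without library details
]

# Assumed value layout: "Family: X Library: Y Platform: Z"; any part may be missing.
_FIELD = re.compile(
    r"(Family|Library|Platform):\s*(.*?)\s*(?=(?:Family|Library|Platform):|$)")

def parse_library(value):
    """Split the library string into {'family', 'library', 'platform'} parts."""
    return {k.lower(): v for k, v in _FIELD.findall(value or "") if v}

def library_of(signin):
    """Return the parsed library entry of one sign-in, or {} if it has none."""
    for kv in signin.get("authenticationProcessingDetails") or []:
        if kv.get("key") == LIB_KEY:
            return parse_library(kv.get("value"))
    return {}

def adal_apps(signins):
    """Group sign-ins that still report the ADAL family by application ID."""
    report = {}
    for s in signins:
        lib = library_of(s)
        if lib.get("family", "").upper() != "ADAL":
            continue
        entry = report.setdefault(
            s.get("appId"),
            {"name": s.get("appDisplayName"), "libraries": set(), "count": 0})
        entry["libraries"].add(lib.get("library", "unknown"))
        entry["count"] += 1
    return report

if __name__ == "__main__":
    for app_id, info in adal_apps(SAMPLE_SIGNINS).items():
        print(app_id, info["name"], sorted(info["libraries"]), info["count"])
```

Records with no library entry are skipped rather than counted as MSAL, so the report lists only apps that positively identify as ADAL.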
August 2025
Plan for change - New end user homepage in My Account
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
By the end of September 2025, the homepage at https://myaccount.windowsazure.cn will be updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
Plan for change - Requestors can view who their access package approvers are in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
By the end of September 2025, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access package level, admins and access package owners can configure the approver visibility and choose to override the tenant level setting under the advanced request settings in the access package policy.
Public Preview - Externally determine the approval requirements for an access package using custom extensions
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In Entitlement Management, approvers for access package assignment requests can either be directly assigned or determined dynamically. Entitlement Management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization. With the introduction of this feature, you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organization's specific business logic. The access package assignment request process pauses until your business logic hosted in Azure Logic Apps returns an approval stage, which is then used in the subsequent approval process via the My Access portal.
For more information, see: Externally determine the approval requirements for an access package using custom extensions (Preview).
Public Preview - Support for eligible group memberships and ownerships in Entitlement Management access packages
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You can now govern these just-in-time protected access assignments at scale by offering a self-service access request and extension process, and you can integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview).
General Availability - Platform SSO for macOS with Microsoft Entra ID
Type: New feature
Service category: Authentications (Logins)
Product capability: SSO
Today we’re announcing that Platform SSO for macOS is Generally Available with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO will work with Microsoft Intune. Other Mobile Device Management (MDM) providers will be coming soon. Please contact your MDM provider for more information on support and availability. For more information, see:
- macOS Platform Single Sign-on overview
- Platform SSO configuration guide for macOS devices using Microsoft Intune
- Configuring macOS Platform SSO (PSSO) to meet NIST SP 800-63 and EO 14028 Requirements
- Understanding Primary Refresh Token (PRT)