Microsoft Entra releases and announcements

This article provides information about the latest releases and change announcements across the Microsoft Entra family of products over the last six months (updated monthly). If you're looking for information that's older than six months, see: Archive for What's new in Microsoft Entra.

Get notified about when to revisit this page for updates by copying and pasting this URL: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us into your feed reader.

October 2025

Plan for Change - Update to Revoke Multifactor Authentication Sessions

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

Starting February 2026, we are replacing the current “Revoke multifactor authentication sessions” button with the “Revoke sessions” button in the Microsoft Entra portal.

The legacy “Revoke MFA sessions” action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new “Revoke sessions” button will invalidate all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.

Action required

Admins should update workflows and guidance to use “Revoke sessions” instead of “Revoke MFA sessions”. The “Revoke MFA sessions” option will be removed from the portal after this change.


Deprecation - Iteration 2 beta APIs for Microsoft Entra PIM will be retired. Migrate to Iteration 3 APIs.

Type: Deprecated
Service category: Privileged Identity Management
Product capability: Identity Governance

Introduction

Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) Iteration 2 (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail.

How this will affect your organization

After Oct 28, 2026, any applications or scripts calling Microsoft Entra PIM Iteration 2 (beta) API endpoints will fail. These calls will no longer return data, which might disrupt workflows or integrations relying on these endpoints. These APIs were released in beta and are being retired. The Iteration 3 APIs are generally available (GA) and offer improved reliability and broader scenario support.

What you need to do to prepare

We strongly recommend migrating to the Iteration 3 (GA) APIs, which are generally available. 

  • Begin migration planning and testing as soon as possible.
  • Halt any new development using Iteration 2 APIs.
  • Review documentation for Iteration 3 APIs to ensure compatibility.

Learn more: 


Public Preview - Soft Delete & Restore for Conditional Access Policies and Named Locations

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We’re thrilled to announce the Public Preview of soft delete and restore for Conditional Access (CA) policies and Named Locations in Microsoft Entra. This new capability extends our proven soft delete model to critical security configurations across Microsoft Graph APIs (in beta) and the Microsoft Entra Admin Center, helping admins recover from accidental or malicious deletions quickly and strengthen overall security posture.

With this feature, admins can:

  • Restore deleted items to their exact prior state within 30 days
  • Review deleted items before restoring
  • Permanently delete when needed

Soft delete has already been proven at scale across Microsoft Entra (7M+ objects restored in the last 30 days). Bringing it to CA policies and Named Locations ensures quick disaster recovery, minimizes downtime, and maintains security integrity.


General Availability - Suggested Access Packages can be shown to users in My Access

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

In My Access, Microsoft Entra ID Governance users can see a curated list of suggested access packages. This capability allows users to quickly view the most relevant access packages for them, based on their peers' access packages and previous assignments, without scrolling through all their available access packages.

The suggested access packages list is created by finding people related to the user (manager, direct reports, organization, team members) and recommending access packages based on what the user's peers have. The user is also suggested access packages that were previously assigned to them.

We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access


General Availability - Conversion of external users to internal members

Type: New feature
Service category: User Management
Product capability: User Management

External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account and access to resources isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes. 

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.


General Availability - Granular, Least-Privileged Permissions for UserAuthenticationMethod APIs

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Summary

We're introducing new, granular permissions for the UserAuthenticationMethod APIs in Microsoft Entra ID. This update enables organizations to apply the principle of least privilege when managing authentication methods, supporting both security and operational efficiency.

What’s New?

  • New per-method permissions: Fine-grained permissions for each authentication method (for example, Password, Microsoft Authenticator, Phone, Email, Temporary Access Pass, Passkey, Windows Hello for Business, QR+PIN, and others).
  • Read-only policy permission: A new permission allows read-only access to authentication method policies, improving role separation and auditability.

For more information, see: Microsoft Graph permissions reference.


Plan for Change - Jailbreak Detection in Authenticator App

Type: Plan for change
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Starting February 2026, we'll introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app. This update strengthens security by preventing Microsoft Entra credentials from functioning on jail-broken or rooted devices. All existing credentials on such devices will be wiped to protect your organization.

This capability is secure by default and requires no admin configuration or control. The change applies to both iOS and Android. This change won't apply to personal or third-party accounts.

Action required: Notify end users about this upcoming change. Authenticator will become unusable for Microsoft Entra accounts on jail-broken or rooted devices.

For more information, see: About Microsoft Authenticator.


Public Preview - Global Secure Access Internet profile support for iOS client

Type: New feature
Service category: Internet Access
Product capability: Network Access

The Kerberos SSO experience for users on mobile devices with Global Secure Access is now supported. On iOS, create and deploy a profile for the Single sign-on app extension; see: Single sign-on app extension. On Android, you need to install and configure a third-party SSO client.


September 2025

General Availability - Dedicated new 1st party resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync

Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

As part of ongoing security hardening, Microsoft has deployed a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application will manifest as a first party service principal called the "Microsoft Entra AD Synchronization Service" (Application ID: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) and will be visible in the Enterprise Applications experience within the Microsoft Entra admin center. This application is critical for the continued operation of on-premises to Microsoft Entra ID synchronization functionality through Microsoft Entra Connect.

Microsoft Entra Connect now uses this first party application to synchronize between Active Directory and Microsoft Entra ID. Customers are required to upgrade to version 2.5.79.0 or later by September 2026.

We'll auto-upgrade customers where supported. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.  

The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect.

Check our version history page for more details on available versions.


Public Preview - App management policies portal experience

Type: New feature
Service category: Enterprise Apps
Product capability: Directory

App management policies allow administrators to improve the security of their organization by setting rules on how applications in their organization can be configured. They can use them to block insecure configurations like password credentials. These policies have been available through the Microsoft Graph API, but can now also be configured using the Microsoft Entra admin center, under the Enterprise applications experience.

Learn more about how to configure app management policies.


Retirement - Microsoft Authentication Library to MSAL Recommendations API

Type: Deprecated
Service category: Other
Product capability: Developer Experience

We’re retiring the ADAL to MSAL Recommendations API on December 15, 2025.

To continue monitoring authentication library usage, customers can query sign-in logs manually via Microsoft Graph API. The relevant data is available in the authenticationProcessingDetails field under the key "Azure AD App Authentication Library".

For guidance, see:

No action is required to disable the API.
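
The manual check described above, as an added example (not Microsoft's code): it tallies the "Azure AD App Authentication Library" entry per application from sign-in records already exported from Microsoft Graph. The fields appId, appDisplayName and the key/value pairs under authenticationProcessingDetails follow the Graph sign-in resource; the sample records and the "Family: ... Version: ..." value layout are constructed assumptions.

```python
import json
import re
from collections import Counter

LIBRARY_KEY = "Azure AD App Authentication Library"  # key named in the announcement
# Assumed value layout: "Family: <name> Version: <x.y.z> Platform: <text>"
FAMILY_RE = re.compile(r"Family:\s*(\S+)", re.IGNORECASE)
VERSION_RE = re.compile(r"Version:\s*(\S+)", re.IGNORECASE)

# Constructed sample records; app IDs, names and values are made up.
SAMPLE_SIGN_INS = json.loads("""
[
 {"appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Legacy HR Tool",
  "authenticationProcessingDetails": [
   {"key": "Constructed Other Detail", "value": "False"},
   {"key": "Azure AD App Authentication Library",
    "value": "Family: ADAL Version: 3.19.8 Platform: .NET 4.5"}]},
 {"appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Intranet Portal",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library",
    "value": "Family: MSAL Version: 4.61.0 Platform: .NET 8"}]},
 {"appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Legacy HR Tool",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library",
    "value": "Family: ADAL Version: 3.19.8 Platform: .NET 4.5"}]},
 {"appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Intranet Portal",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library",
    "value": "Family: ADAL Version: 5.2.9 Platform: Java"}]},
 {"appId": "00000000-0000-0000-0000-000000000003", "appDisplayName": "Batch Exporter",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library", "value": ""}]},
 {"appId": "00000000-0000-0000-0000-000000000004", "appDisplayName": "Kiosk App",
  "authenticationProcessingDetails": null}
]
""")


def library_of(sign_in):
    """Return (family, version) for one sign-in record, or None if not reported."""
    for item in sign_in.get("authenticationProcessingDetails") or []:
        value = (item.get("value") or "").strip()
        if item.get("key") != LIBRARY_KEY or not value:
            continue
        family = FAMILY_RE.search(value)
        version = VERSION_RE.search(value)
        return (family.group(1).upper() if family else "UNPARSED",
                version.group(1) if version else "")
    return None


def library_usage(sign_ins):
    """Count sign-ins per (appId, appDisplayName, family); unreported ones are skipped."""
    counts = Counter()
    for record in sign_ins:
        lib = library_of(record)
        if lib is not None:
            key = (record.get("appId", "unknown"), record.get("appDisplayName", ""), lib[0])
            counts[key] += 1
    return counts


def apps_using(sign_ins, family="ADAL"):
    """Sorted (appId, name, count) rows for apps seen with the given library family."""
    rows = [(app, name, n) for (app, name, fam), n in library_usage(sign_ins).items()
            if fam == family]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for app_id, name, count in apps_using(SAMPLE_SIGN_INS):
        print(f"{count:>4}  {app_id}  {name}")
```

An application can appear under more than one library family when different clients sign in with the same app ID, so the tally is kept per family rather than per application.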


August 2025

Plan for change - New end user homepage in My Account

Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences

By the end of September 2025, the homepage at https://myaccount.windowsazure.cn will be updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.


Plan for change - Requestors can view who their access package approvers are in My Access

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

By the end of September 2025, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access package level, admins and access package owners can configure the approver visibility and choose to override the tenant level setting under the advanced request settings in the access package policy.


Public Preview - Externally determine the approval requirements for an access package using custom extensions

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

In Entitlement Management, approvers for access package assignment requests can either be directly assigned or determined dynamically. Entitlement Management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization. With the introduction of this feature, you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organization's specific business logic. The access package assignment request process will pause until your business logic hosted in Azure Logic Apps returns an approval stage, which will then be used in the subsequent approval process via the My Access portal.

For more information, see: Externally determine the approval requirements for an access package using custom extensions (Preview).


Public Preview - Support for eligible group memberships and ownerships in Entitlement Management access packages

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You will now be able to govern these just-in-time protected access assignments at scale by offering a self-service access request & extension process and can integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview)


General Availability - Platform SSO for macOS with Microsoft Entra ID

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

Today we’re announcing that Platform SSO for macOS is Generally Available with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO will work with Microsoft Intune. Other Mobile Device Management (MDM) providers will be coming soon. Please contact your MDM provider for more information on support and availability. For more information, see:


July 2025

General Availability - Application Based Authentication on Microsoft Entra Connect Sync

Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

The Application-Based Authentication (ABA) feature is now the default authentication method for Microsoft Entra Connect. It enables Microsoft Entra Connect to securely authenticate with Microsoft Entra ID without relying on a locally stored password. This feature uses a Microsoft Entra ID application identity and the OAuth 2.0 client credential flow to authenticate with Microsoft Entra ID. Microsoft Entra Connect automatically creates a single-tenant third-party application in the customer’s Entra ID tenant, registers a certificate as the application’s credential, and grants the required permissions for directory synchronization.

The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center under Microsoft Entra Connect.

Check our version history page for more details of the change.


General Availability - Audit administrator events in Microsoft Entra Connect Sync

Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Connect

The Admin Audit Logging feature enables organizations to monitor changes made to Microsoft Entra Connect Sync configurations by Global Administrators or Hybrid Administrators. It captures actions performed through the Microsoft Entra Connect Sync Wizard, PowerShell, or Synchronization Rules Editor—including changes to synchronization rules, authentication settings (such as enabling or disabling features), and Federation settings. These events are logged in a dedicated Microsoft Entra Connect Sync audit log channel within the Windows Event Viewer, providing greater visibility into identity infrastructure changes. This feature supports troubleshooting, operational accountability, and regulatory compliance.

The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on the Microsoft Entra Admin Center within the Microsoft Entra Connect pane.

Check our version history page for more details of the change.


General Availability - Bicep templates for Microsoft Graph resources

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Bicep templates for Microsoft Graph resources allow you to author, deploy, and manage a limited set of Microsoft Graph resources (mostly Microsoft Entra ID resources) using Bicep template files, alongside Azure resources.

  • Azure customers can use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, using Infrastructure-as-Code (IaC) and DevOps practices.
  • It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources.

For more information, see: Bicep templates for Microsoft Graph.


General Availability - Conditional Access What If API

Type: New feature
Service category: Conditional Access
Product capability: Access Control

The Conditional Access What If API can be used to programmatically test the impact of policies on user and workload identity sign-ins.


General Availability - Restricted Management Administrative Units

Type: New feature
Service category: RBAC
Product capability: AuthZ/Access Delegation

Restricted management administrative units enable you to easily restrict access to users, groups, or devices to the specific users or applications you specify. Tenant-level administrators (including Global Administrators) can't modify members of restricted management administrative units unless they're explicitly assigned a role scoped to the administrative unit. This makes it easy to lock down a set of sensitive groups or user accounts in your tenant without having to remove tenant-level role assignments. For more information, see: Restricted management administrative units in Microsoft Entra ID.


June 2025

General Availability - Update to Microsoft Entra Work or School Default Background Image

Type: Changed feature
Service category: Authentications (Login)
Product capability: User Authentication

Starting September 29, 2025, we'll be making a change to the default background image of our Microsoft Entra work or school authentication screens. This new background was designed to help users focus on signing into their accounts, enhancing productivity, and minimizing distractions. With this, we aim to ensure visual consistency and a clean, simplified user experience throughout Microsoft’s authentication flows - aligning with Microsoft’s modernized Fluent design language. When our experiences look and feel consistent, it gives our users a familiar experience that they know and trust.

What’s changing?

This update is solely a visual user interface refresh with no changes to functionality. This change will only affect screens where Company Branding doesn't apply or where users see the default background image. We recommend updating any documentation that contains screenshots and notifying your help desk. If you have configured a custom background image in Company Branding for your tenant, there will be no change for your users.

Additional Details:

  1. Tenants without a custom background configured:
    a. Tenants without a custom background will see the change on every authentication screen.
    b. To change this background and use a custom background, configure Company Branding.

  2. Tenants with a custom background configured:
    a. Tenants with a custom background configured will only see the change wherever the URL doesn't have a specified tenant ID parameter (for example, login.partner.microsoftonline.cn directly without a domain hint or custom URL).
    b. For all other screens, tenants with a custom background configured will see no change to their experience on all clients.

  3. Entra External ID Tenants will not see any change to their experience on all clients.

What do you need to do?

No action is required. The update will be applied automatically starting September 29, 2025.


Deprecated - Conditional Access Overview Monitoring Tab to Retire

Type: Deprecated
Service category: Conditional Access
Product capability: Identity Security & Protection

We're retiring the Conditional Access Overview Monitoring Tab in the Microsoft Entra Admin Center starting July 18 and completing by August 1. After this date, admins will no longer have access to this tab. We encourage customers to transition to Conditional Access Per-Policy Reporting and the Insights and Reporting Dashboard, both of which are more reliable, offer greater accuracy, and have received significantly better feedback from customers.


General Availability - Conditional Access audience reporting

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Conditional Access audience reporting in the sign-in logs lets admins view all the resources evaluated by Conditional Access as part of a sign-in event. For more information, see: Audience reporting.


Public Preview - Cross-tenant synchronization (cross-cloud)

Type: New feature
Service category: Provisioning
Product capability: Identity Governance

Automate creating, updating, and deleting users across tenants across Azure clouds. The following combinations are supported:

  • Commercial -> US Gov
  • US Gov -> Commercial
  • Commercial -> China


General Availability - Conditional Access support for all Microsoft apps

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Administrators can assign a Conditional Access policy to all cloud apps from Microsoft as long as the service principal appears in their tenant. For more information, see: Azure cloud applications.


General Availability - Two-Way Forest Trusts for Microsoft Entra Domain Services

Type: New feature
Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services

Two-Way Forest Trusts for Microsoft Entra Domain Services are now generally available. This capability allows organizations to establish trust relationships between Microsoft Entra Domain Services domains and on-premises Active Directory (AD) domains. Forest trusts can now be configured in three directions: one-way outbound (as before), one-way inbound, and bi-directional, depending on organizational needs. Forest trusts can be used to enable resource access across trusted domains in hybrid environments. This capability offers more control and flexibility over how to manage your hybrid identity environment with Microsoft Entra Domain Services. Trusts require an Enterprise or Premium SKU license. For more information, see: How trust relationships work for forests in Active Directory.


May 2025

General Availability - Microsoft Entra External ID: User authentication with SAML/WS-Fed Identity Providers

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Set up a SAML or WS-Fed identity provider to enable users to sign up and sign in to your applications using their own account with the identity provider. Users will be redirected to the identity provider, and then redirected back to Microsoft Entra after successful sign-in. For more information, see: SAML/WS-Fed identity providers.


Public Preview - Roll out of Application Based Authentication on Microsoft Entra Connect Sync

Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect sync process with the application, we've rolled out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application identity and the OAuth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect creates a single-tenant third-party application in the customer's Microsoft Entra ID tenant, registers a certificate as the credential for the application, and authorizes the application to perform on-premises directory synchronization.

The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center within the Microsoft Entra Connect pane.

Check our version history page for more details of the change.