Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides information about the latest releases and change announcements across the Microsoft Entra family of products over the last six months (updated monthly). If you're looking for information that's older than six months, see: Archive for What's new in Microsoft Entra.
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-usinto yourfeed reader.
September 2025
General Availability - Dedicated new 1st party resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
As part of ongoing security hardening, Microsoft has deployed a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application will manifest as a first party service principal called the "Microsoft Entra AD Synchronization Service" (Application ID: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) and will be visible in the Enterprise Applications experience within the Microsoft Entra admin center. This application is critical for the continued operation of on-premises to Microsoft Entra ID synchronization functionality through Microsoft Entra Connect.
Microsoft Entra Connect now uses this first party application to synchronize between Active Directory and Microsoft Entra ID. Customers are required to upgrade to version 2.5.79.0 or later by September 2026.
We'll auto-upgrade customers where supported. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect.
Check our version history page for more details on available versions.
Public Preview - App management policies portal experience
Type: New feature
Service category: Enterprise Apps
Product capability: Directory
App management policies allow administrators to improve the security of their organization by setting rules on how applications in their organization can be configured. They can use them to block insecure configurations like password credentials. These policies have been available through the Microsoft Graph API, but can now also be configured using the Microsoft Entra admin center, under the Enterprise applications experience.
Learn more about how to configure app management policies.
Retirement - Microsoft Authentication Library to MSAL Recommendations API
Type: Deprecated
Service category: Other
Product capability: Developer Experience
We’re retiring the ADAL to MSAL Recommendations API on December 15, 2025.
To continue monitoring authentication library usage, customers can query sign-in logs manually via Microsoft Graph API. The relevant data is available in the authenticationProcessingDetails field under the key "Azure AD App Authentication Library".
For guidance, see:
- Recommendation: Migrate from Microsoft Authentication Library to MSAL
- Analyze a sign-in with Microsoft Graph API
No action is required to disable the API.
August 2025
Plan for change - New end user homepage in My Account
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
By the end of September 2025, the homepage at https://myaccount.windowsazure.cn will be updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
Plan for change - Requestors can view who their access package approvers are in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
By the end of September 2025, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access package level, admins and access package owners can configure the approver visibility and choose to override the tenant level setting under the advanced request settings in the access package policy.
Public Preview - Externally determine the approval requirements for an access package using custom extensions
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In Entitlement Management, approvers for access package assignment requests can either be directly assigned, or determined dynamically. Entitlement management natively supports dynamically determining approvers such as the requestors manager, their second-level manager, or a sponsor from a connected organization. With the introduction of this feature you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organizations specific business logic. The access package assignment request process will pause until your business logic hosted in Azure Logic Apps returns an approval stage which will then be leveraged in the subsequent approval process via the My Access portal.
For more information, see: Externally determine the approval requirements for an access package using custom extensions (Preview).
Public Preview - Support for eligible group memberships and ownerships in Entitlement Management access packages
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You will now be able to govern these just-in-time protected access assignments at scale by offering a self-service access request & extension process and can integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview)
General Availability - Platform SSO for macOS with Microsoft Entra ID
Type: New feature
Service category: Authentications (Logins)
Product capability: SSO
Today we’re announcing that Platform SSO for macOS is Generally Available with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO will work with Microsoft Intune. Other Mobile Device Management (MDM) providers will be coming soon. Please contact your MDM provider for more information on support and availability. For more information, see:
- macOS Platform Single Sign-on overview
- Platform SSO configuration guide for macOS devices using Microsoft Intune
- Configuring macOS Platform SSO (PSSO) to meet NIST SP 800-63 and EO 14028 Requirements
- Understanding Primary Refresh Token (PRT)
July 2025
General Availability - Application Based Authentication on Microsoft Entra Connect Sync
Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
The Application-Based Authentication (ABA) feature is now the default authentication method for Microsoft Entra Connect. It enables Microsoft Entra Connect to securely authenticate with Microsoft Entra ID without relying on a locally stored password. This feature uses a Microsoft Entra ID application identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. Microsoft Entra Connect automatically creates a single-tenant third-party application in the customer’s Entra ID tenant, registers a certificate as the application’s credential, and grants the required permissions for directory synchronization.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center under Microsoft Entra Connect.
Check our version history page for more details of the change.
General Availability - Audit administrator events in Microsoft Entra Connect Sync
Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Connect
The Admin Audit Logging feature enables organizations to monitor changes made to Microsoft Entra Connect Sync configurations by Global Administrators or Hybrid Administrators. It captures actions performed through the Microsoft Entra Connect Sync Wizard, PowerShell, or Synchronization Rules Editor—including changes to synchronization rules, authentication settings (such as enabling or disabling features), and Federation settings. These events are logged in a dedicated Microsoft Entra Connect Sync audit log channel within the Windows Event Viewer, providing greater visibility into identity infrastructure changes. This feature supports troubleshooting, operational accountability, and regulatory compliance.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on the Microsoft Entra Admin Center within the Microsoft Entra Connect pane.
Check our version history page for more details of the change.
General Availability - Bicep templates for Microsoft Graph resources
Type: New feature
Service category: MS Graph
Product capability: Developer Experience
Bicep templates for Microsoft Graph resources allows you to author, deploy and manage a limited set of Microsoft Graph resources (mostly Microsoft Entra ID resources) using Bicep template files, alongside Azure resources.
- Azure customers can use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, using Infrastructure-as-Code (IaC) and DevOps practices.
- It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources.
For more information, see: Bicep templates for Microsoft Graph.
General Availability - Conditional Access What If API
Type: New feature
Service category: Conditional Access
Product capability: Access Control
The Conditional access What If API can be used to programmatically test the impact of policies on user and workload identity sign-ins.
General Availability - Restricted Management Administrative Units
Type: New feature
Service category: RBAC
Product capability: AuthZ/Access Delegation
Restricted management administrative units enable you to easily restrict access to users, groups, or devices to the specific users or applications you specify. Tenant-level administrators (including Global Administrators) can't modify members of restricted management administrative units unless they're explicitly assigned a role scoped to the administrative unit. This makes it easy to lock down a set of sensitive groups or user accounts in your tenant without having to remove tenant-level role assignments. For more information, see: Restricted management administrative units in Microsoft Entra ID.
June 2025
General Availability - Update to Microsoft Entra Work or School Default Background Image
Type: Changed feature
Service category: Authentications (Login)
Product capability: User Authentication
Starting September 29, 2025, we'll be making a change to the default background image of our Microsoft Entra work or school authentication screens. This new background was designed to help users focus on signing into their accounts, enhancing productivity, and minimizing distractions. With this, we aim to ensure visual consistency and a clean, simplified user experience throughout Microsoft’s authentication flows - aligning with Microsoft’s modernized Fluent design language. When our experiences look and feel consistent, it gives our users a familiar experience that they know and trust.
What’s changing?
This update is solely a visual user interface refresh with no changes to functionality. This change will only affect screens where Company Branding doesn't apply or where users see the default background image. We recommend updating any documentation that contains screenshots and notifying your help desk. If you have configured a custom background image in Company Branding for your tenant, there will be no change for your users.
Additional Details:
Tenants without a custom background configured:
a. Tenants without a custom background will see the change on every authentication screen.
b. To change this background and use a custom background, configure Company Branding.Tenants with a custom background configured:
a. Tenants with a custom background configured will only see the change wherever the URL doesn't have a specified tenant ID parameter (For example, login.partner.microsoftonline.cn directly without a domain hint or custom URL).
b. For all other screens, tenants with a custom background configured will see no change to their experience on all clients.Entra External ID Tenants will not see any change to their experience on all clients
What do you need to do?
No action is required. The update will be applied automatically starting September 29, 2025.
Deprecated - Conditional Access Overview Monitoring Tab to Retire
Type: Deprecated
Service category: Conditional Access
Product capability: Identity Security & Protection
We're retiring the Conditional Access Overview Monitoring Tab in the Microsoft Entra Admin Center starting July 18 and completing by August 1. After this date, admins will no longer have access to this tab. We encourage customers to transition to Conditional Access Per-Policy Reporting and the Insights and Reporting Dashboard, both of which are more reliable, offer greater accuracy, and have received significantly better feedback from customers.
General Availability - Conditional Access audience reporting
Type: New feature
Service category: Conditional Access
Product capability: Access Control
Conditional Access audience reporting in the sign-in logs lets admins view all the resources evaluated by Conditional Access as part of a sign-in event. For more information, see: Audience reporting.
Public Preview - Cross-tenant synchronization (cross-cloud)
Type: New feature
Service category: Provisioning
Product capability: Identity Governance
Automate creating, updating, and deleting users across tenants across Azure clouds. The following combinations are supported:
- Commercial -> US Gov
- US Gov -> Commercial
- Commercial -> China
General Availability - Conditional Access support for all Microsoft apps
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Administrators can assign a Conditional Access policy to all cloud apps from Microsoft as long as the service principal appears in their tenant. For more information, see: Azure cloud applications.
General Availability - Two-Way Forest Trusts for Microsoft Entra Domain Services
Type: New feature
Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services
Two-Way Forest Trusts for Microsoft Entra Domain Services are now generally available. This capability allows organizations to establish trust relationships between Microsoft Entra Domain Services domains and on-premises Active Directory (AD) domains. Forest trusts can now be configured in three directions: one-way outbound (as before), one-way inbound, and bi-directional, depending on organizational needs. Forest trusts can be used to enable resource access across trusted domains in hybrid environments. This capability offers more control and flexibility over how to manage your hybrid identity environment with Microsoft Entra Domain Services. Trusts require an Enterprise or Premium SKU license. For more information, see: How trust relationships work for forests in Active Directory.
May 2025
General Availability - Microsoft Entra External ID: User authentication with SAML/WS-Fed Identity Providers
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Set up a SAML or WS-Fed identity provider to enable users to sign up and sign in to, your applications using their own account with the identity provider. Users will be redirected to the identity provider, and then redirected back to Microsoft Entra after successful sign in. For more information, see: SAML/WS-Fed identity providers.
Public Preview - Roll out of Application Based Authentication on Microsoft Entra Connect Sync
Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect sync process with the application, we've rolled out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect creates a single tenant 3rd party application in the customer's Microsoft Entra ID tenant, registers a certificate as the credential for the application, and authorizes the application to perform on-premises directory synchronization.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center within the Microsoft Entra Connect pane.
Check our version history page for more details of the change.
April 2025
Public Preview - Microsoft Entra ID Governance: Suggested access packages in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In December 2024, we introduced a new feature in My Access: a curated list of suggested access packages. Users view the most relevant access packages, based on their peers' access packages and previous assignments, without scrolling through a long list. By May 2025, suggestions will be enabled by default and we'll introduce a new card in the Microsoft Entra Admin Center Entitlement Management control configurations for admins to see My Access settings. We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access (Preview).
General Availability - Use managed identities as credentials in Microsoft Entra apps
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Identity Security & Protection
You can now use managed identities as federated credentials for Microsoft Entra apps, enabling secure, secret-less authentication in both single- and multi-tenant scenarios. This eliminates the need to store and manage client secrets or certificates when using Microsoft Entra app to access Azure resources across tenants. This capability aligns with Microsoft’s Secure Future Initiative pillar of protecting identities and secrets across systems. Learn how to configure this capability in the official documentation.
Plan for change - Roll out of Application Based Authentication on Microsoft Entra Connect Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
What is changing
Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect application sync process, we will, in the coming week roll out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application based identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect will create a single tenant 3rd party application in customer's Microsoft Entra ID tenant, register a certificate as the credential for the application, and authorize the application to perform on-premises directory synchronization
The Microsoft Entra Connect Sync .msi installation file for this change will be exclusively available in the Microsoft Entra admin center within the Microsoft Entra Connect pane.
Check our version history page in the next week for more details of the change.