Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides information about the latest releases and change announcements across the Microsoft Entra family of products over the last six months (updated monthly). If you're looking for information that's older than six months, see: Archive for What's new in Microsoft Entra.
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-usinto yourfeed reader.
August 2025
Plan for change - New end user homepage in My Account
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
By the end of September 2025, the homepage at https://myaccount.windowsazure.cn will be updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
Plan for change - Requestors can view who their access package approvers are in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
By the end of September 2025, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access package level, admins and access package owners can configure the approver visibility and choose to override the tenant level setting under the advanced request settings in the access package policy.
Public Preview - Externally determine the approval requirements for an access package using custom extensions
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In Entitlement Management, approvers for access package assignment requests can either be directly assigned, or determined dynamically. Entitlement management natively supports dynamically determining approvers such as the requestors manager, their second-level manager, or a sponsor from a connected organization. With the introduction of this feature you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organizations specific business logic. The access package assignment request process will pause until your business logic hosted in Azure Logic Apps returns an approval stage which will then be leveraged in the subsequent approval process via the My Access portal.
For more information, see: Externally determine the approval requirements for an access package using custom extensions (Preview).
Public Preview - Support for eligible group memberships and ownerships in Entitlement Management access packages
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You will now be able to govern these just-in-time protected access assignments at scale by offering a self-service access request & extension process and can integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview)
General Availability - Platform SSO for macOS with Microsoft Entra ID
Type: New feature
Service category: Authentications (Logins)
Product capability: SSO
Today we’re announcing that Platform SSO for macOS is Generally Available with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO will work with Microsoft Intune. Other Mobile Device Management (MDM) providers will be coming soon. Please contact your MDM provider for more information on support and availability. For more information, see:
- macOS Platform Single Sign-on overview
- Platform SSO configuration guide for macOS devices using Microsoft Intune
- Configuring macOS Platform SSO (PSSO) to meet NIST SP 800-63 and EO 14028 Requirements
- Understanding Primary Refresh Token (PRT)
July 2025
General Availability - Application Based Authentication on Microsoft Entra Connect Sync
Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
The Application-Based Authentication (ABA) feature is now the default authentication method for Microsoft Entra Connect. It enables Microsoft Entra Connect to securely authenticate with Microsoft Entra ID without relying on a locally stored password. This feature uses a Microsoft Entra ID application identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. Microsoft Entra Connect automatically creates a single-tenant third-party application in the customer’s Entra ID tenant, registers a certificate as the application’s credential, and grants the required permissions for directory synchronization.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center under Microsoft Entra Connect.
Check our version history page for more details of the change.
General Availability - Audit administrator events in Microsoft Entra Connect Sync
Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Connect
The Admin Audit Logging feature enables organizations to monitor changes made to Microsoft Entra Connect Sync configurations by Global Administrators or Hybrid Administrators. It captures actions performed through the Microsoft Entra Connect Sync Wizard, PowerShell, or Synchronization Rules Editor—including changes to synchronization rules, authentication settings (such as enabling or disabling features), and Federation settings. These events are logged in a dedicated Microsoft Entra Connect Sync audit log channel within the Windows Event Viewer, providing greater visibility into identity infrastructure changes. This feature supports troubleshooting, operational accountability, and regulatory compliance.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on the Microsoft Entra Admin Center within the Microsoft Entra Connect pane.
Check our version history page for more details of the change.
General Availability - Bicep templates for Microsoft Graph resources
Type: New feature
Service category: MS Graph
Product capability: Developer Experience
Bicep templates for Microsoft Graph resources allows you to author, deploy and manage a limited set of Microsoft Graph resources (mostly Microsoft Entra ID resources) using Bicep template files, alongside Azure resources.
- Azure customers can use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, using Infrastructure-as-Code (IaC) and DevOps practices.
- It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources.
For more information, see: Bicep templates for Microsoft Graph.
General Availability - Conditional Access What If API
Type: New feature
Service category: Conditional Access
Product capability: Access Control
The Conditional access What If API can be used to programmatically test the impact of policies on user and workload identity sign-ins.
General Availability - Restricted Management Administrative Units
Type: New feature
Service category: RBAC
Product capability: AuthZ/Access Delegation
Restricted management administrative units enable you to easily restrict access to users, groups, or devices to the specific users or applications you specify. Tenant-level administrators (including Global Administrators) can't modify members of restricted management administrative units unless they're explicitly assigned a role scoped to the administrative unit. This makes it easy to lock down a set of sensitive groups or user accounts in your tenant without having to remove tenant-level role assignments. For more information, see: Restricted management administrative units in Microsoft Entra ID.
June 2025
General Availability - Update to Microsoft Entra Work or School Default Background Image
Type: Changed feature
Service category: Authentications (Login)
Product capability: User Authentication
Starting September 29, 2025, we'll be making a change to the default background image of our Microsoft Entra work or school authentication screens. This new background was designed to help users focus on signing into their accounts, enhancing productivity, and minimizing distractions. With this, we aim to ensure visual consistency and a clean, simplified user experience throughout Microsoft’s authentication flows - aligning with Microsoft’s modernized Fluent design language. When our experiences look and feel consistent, it gives our users a familiar experience that they know and trust.
What’s changing?
This update is solely a visual user interface refresh with no changes to functionality. This change will only affect screens where Company Branding doesn't apply or where users see the default background image. We recommend updating any documentation that contains screenshots and notifying your help desk. If you have configured a custom background image in Company Branding for your tenant, there will be no change for your users.
Additional Details:
Tenants without a custom background configured:
a. Tenants without a custom background will see the change on every authentication screen.
b. To change this background and use a custom background, configure Company Branding.Tenants with a custom background configured:
a. Tenants with a custom background configured will only see the change wherever the URL doesn't have a specified tenant ID parameter (For example, login.partner.microsoftonline.cn directly without a domain hint or custom URL).
b. For all other screens, tenants with a custom background configured will see no change to their experience on all clients.Entra External ID Tenants will not see any change to their experience on all clients
What do you need to do?
No action is required. The update will be applied automatically starting September 29, 2025.
Deprecated - Conditional Access Overview Monitoring Tab to Retire
Type: Deprecated
Service category: Conditional Access
Product capability: Identity Security & Protection
We're retiring the Conditional Access Overview Monitoring Tab in the Microsoft Entra Admin Center starting July 18 and completing by August 1. After this date, admins will no longer have access to this tab. We encourage customers to transition to Conditional Access Per-Policy Reporting and the Insights and Reporting Dashboard, both of which are more reliable, offer greater accuracy, and have received significantly better feedback from customers.
General Availability - Conditional Access audience reporting
Type: New feature
Service category: Conditional Access
Product capability: Access Control
Conditional Access audience reporting in the sign-in logs lets admins view all the resources evaluated by Conditional Access as part of a sign-in event. For more information, see: Audience reporting.
Public Preview - Cross-tenant synchronization (cross-cloud)
Type: New feature
Service category: Provisioning
Product capability: Identity Governance
Automate creating, updating, and deleting users across tenants across Azure clouds. The following combinations are supported:
- Commercial -> US Gov
- US Gov -> Commercial
- Commercial -> China
General Availability - Conditional Access support for all Microsoft apps
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Administrators can assign a Conditional Access policy to all cloud apps from Microsoft as long as the service principal appears in their tenant. For more information, see: Azure cloud applications.
General Availability - Two-Way Forest Trusts for Microsoft Entra Domain Services
Type: New feature
Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services
Two-Way Forest Trusts for Microsoft Entra Domain Services are now generally available. This capability allows organizations to establish trust relationships between Microsoft Entra Domain Services domains and on-premises Active Directory (AD) domains. Forest trusts can now be configured in three directions: one-way outbound (as before), one-way inbound, and bi-directional, depending on organizational needs. Forest trusts can be used to enable resource access across trusted domains in hybrid environments. This capability offers more control and flexibility over how to manage your hybrid identity environment with Microsoft Entra Domain Services. Trusts require an Enterprise or Premium SKU license. For more information, see: How trust relationships work for forests in Active Directory.
May 2025
General Availability - Microsoft Entra External ID: User authentication with SAML/WS-Fed Identity Providers
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Set up a SAML or WS-Fed identity provider to enable users to sign up and sign in to, your applications using their own account with the identity provider. Users will be redirected to the identity provider, and then redirected back to Microsoft Entra after successful sign in. For more information, see: SAML/WS-Fed identity providers.
Public Preview - Roll out of Application Based Authentication on Microsoft Entra Connect Sync
Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect sync process with the application, we've rolled out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect creates a single tenant 3rd party application in the customer's Microsoft Entra ID tenant, registers a certificate as the credential for the application, and authorizes the application to perform on-premises directory synchronization.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra Admin Center within the Microsoft Entra Connect pane.
Check our version history page for more details of the change.
April 2025
Public Preview - Microsoft Entra ID Governance: Suggested access packages in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
In December 2024, we introduced a new feature in My Access: a curated list of suggested access packages. Users view the most relevant access packages, based on their peers' access packages and previous assignments, without scrolling through a long list. By May 2025, suggestions will be enabled by default and we'll introduce a new card in the Microsoft Entra Admin Center Entitlement Management control configurations for admins to see My Access settings. We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access (Preview).
General Availability - Use managed identities as credentials in Microsoft Entra apps
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Identity Security & Protection
You can now use managed identities as federated credentials for Microsoft Entra apps, enabling secure, secret-less authentication in both single- and multi-tenant scenarios. This eliminates the need to store and manage client secrets or certificates when using Microsoft Entra app to access Azure resources across tenants. This capability aligns with Microsoft’s Secure Future Initiative pillar of protecting identities and secrets across systems. Learn how to configure this capability in the official documentation.
Plan for change - Roll out of Application Based Authentication on Microsoft Entra Connect Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
What is changing
Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect application sync process, we will, in the coming week roll out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application based identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect will create a single tenant 3rd party application in customer's Microsoft Entra ID tenant, register a certificate as the credential for the application, and authorize the application to perform on-premises directory synchronization
The Microsoft Entra Connect Sync .msi installation file for this change will be exclusively available in the Microsoft Entra admin center within the Microsoft Entra Connect pane.
Check our version history page in the next week for more details of the change.
March 2025
Microsoft Entra Permissions Management end of sale and retirement
Type: Plan for change
Service category: Other
Product capability: Permissions Management
Effective April 1, 2025, Microsoft Entra Permissions Management (MEPM) will no longer be available for sale to new Enterprise Agreement or direct customers. Additionally, starting May 1, it will not be available for sale to new CSP customers. Effective October 1, 2025, we will retire Microsoft Entra Permissions Management and discontinue support of this product.
Existing customers will retain access to this product until September 30, 2025, with ongoing support for current functionalities. We have partnered with Delinea to provide an alternative solution, Privilege Control for Cloud Entitlements (PCCE), that offers similar capabilities to those provided by Microsoft Entra Permissions Management. The decision to phase out Microsoft Entra Permissions Management was done after deep consideration of our innovation portfolio and how we can focus on delivering the best innovations aligned to our differentiating areas and partner with the ecosystem on adjacencies. We remain committed to delivering top-tier solutions across the Microsoft Entra portfolio. For more information, see: Important change announcement: Microsoft Entra Permissions Management end of sale and retirement.
Public Preview - Track and investigate identity activities with linkable identifiers in Microsoft Entra
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft will standardize the linkable token identifiers, and expose them in both Microsoft Entra and workflow audit logs. This allows customers to join the logs to track, and investigate, any malicious activity. Currently linkable identifiers are available in Microsoft Entra sign in logs, Exchange Online audit logs, and MSGraph Activity logs.
For more information, see: Track and investigate identity activities with linkable identifiers in Microsoft Entra (preview).
General Availability- Conditional Access reauthentication policy
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Require reauthentication every time can be used for scenarios where you want to require a fresh authentication, every time a user performs specific actions like accessing sensitive applications, securing resources behind VPN, or Securing privileged role elevation in PIM. For more information, see: Require reauthentication every time.
General Availability- Custom Attributes support for Microsoft Entra Domain Services
Type: New feature
Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services
Custom Attributes for Microsoft Entra Domain Services is now Generally Available. This capability allows customers to use Custom Attributes in their managed domains. Legacy applications often rely on custom attributes created in the past to store information, categorize objects, or enforce fine-grained access control over resources. For example, these applications might use custom attributes to store an employee ID in their directory and rely on these attributes in their application LDAP calls. Modifying legacy applications can be costly and risky, and customers might lack the necessary skills or knowledge to make these changes. Microsoft Entra Domain Services now supports custom attributes, enabling customers to migrate their legacy applications to the Azure cloud without modification. It also provides support to synchronize custom attributes from Microsoft Entra ID, allowing customers to benefit from Microsoft Entra ID services in the cloud. For more information, see: Custom attributes for Microsoft Entra Domain Services.
Public Preview - Limit creation or promotion of multitenant apps
Type: New feature
Service category: Directory Management
Product capability: Developer Experience
A new feature has been added to the App Management Policy Framework that allows restriction on creation or promotion of multitenant applications, providing administrators with greater control over their app environments.
Administrators can now configure tenant default or custom app policy using the new audiences restriction to block new app creation if the signInAudience value provided in the app isn't permitted by the policy. In addition, existing apps can be restricted from changing their signInAudience if the target value isn't permitted by the policy. These policy changes are applied during app creation or update operations, offering control over application deployment and usage. For more information, see: audiencesConfiguration resource type.
General Availability - Download Microsoft Entra Connect Sync on the Microsoft Entra admin center
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Identity Governance
The Microsoft Entra Connect Sync .msi installation files are also available on Microsoft Entra admin center within the Microsoft Entra Connect pane. As part of this change, we'll stop uploading new installation files on the Microsoft Download Center.
General Availability - New Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows
Type: Changed feature
Service category: Conditional Access
Product capability: Access Control
As part of our ongoing commitment to enhance security and protect our customers from evolving cyber threats, we're rolling out two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned to the secure by default principle of our broader Secure Future Initiative, which aims to provide robust security measures to safeguard your organization by default.
Deprecated - Upgrade your Microsoft Entra Connect Sync version to avoid impact on the Sync Wizard
Type: Deprecated
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
As announced in the Microsoft Entra What's New Blog and in Microsoft 365 Center communications, customers should upgrade their connect sync versions to at least 2.4.18.0 for commercial clouds and 2.4.21.0 for non-commercial clouds before April 7, 2025. A breaking change on the Connect Sync Wizard will affect all requests that require authentication such as schema refresh, configuration of staging mode, and user sign in changes. For more information, see: Minimum versions.