Microsoft Entra releases and announcements

Note

The release versions, dates, and content below correspond only to the actual deployment in the Microsoft Azure clouds.

In most cases this page reflects the release history of Microsoft Entra on the Azure public cloud. Note that in some cases it may not match the actual deployment of Microsoft Azure operated by 21Vianet.

This article provides information about the latest releases and change announcements across the Microsoft Entra family of products over the last six months (updated monthly). If you're looking for information that's older than six months, see: Archive for What's new in Microsoft Entra.

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

May 2026

Public Preview - Enable soft-delete for Microsoft Entra Device objects

Type: New feature
Service category: Device Access Management
Product capability: Entra Backup and Recovery

Device Soft Delete, now available in preview, enables administrators to safely remove device objects by moving them to a recoverable state instead of permanently deleting them. This feature allows organizations to restore devices within a defined retention period while preserving critical data such as device identity and associated security artifacts. The feature supports Microsoft Entra joined, registered, and hybrid joined devices and helps reduce risk from accidental deletions while improving device lifecycle management.


General Availability - NetBiosName resolution test now informational

Type: Changed feature
Service category: Entra Connect
Product capability: Entra Connect

The “NetBIOS Name Sysvol Connectivity resolution” test in the AD DS health monitoring agent has been reclassified from an alerting test to an informational test. Going forward, if this test fails, it will no longer generate an alert or require remediation action on your part. Instead, the test runs in the background and logs results for your information only.

What Changed

The NetBIOS Name Sysvol Connectivity test is now informational-only.

Why We Made This Change

NetBIOS is a legacy networking protocol that is not critical in modern Active Directory environments. Many organizations no longer rely on NetBIOS name resolution in day-to-day operations. Reclassifying this test as informational reduces noise in your alert feed and allows you to focus on issues that are genuinely critical to your identity infrastructure. In short, we want to ensure that Connect Health alerts highlight meaningful issues and help you prioritize real problems, rather than flagging non-essential conditions.


Upcoming change - Enhanced admin authorization for Microsoft Entra Connect Sync configuration changes

Type: Changed feature
Service category: Entra Connect
Product capability: Entra Connect

We're enhancing the security posture of Microsoft Entra Connect Sync by introducing interactive admin authorization for configuration changes. With this update, an authorized administrator will need to sign in and explicitly approve changes to sync settings, ensuring that configuration updates are intentional and made by the right person.

What’s changing

  • Interactive admin authorization for sync configuration changes: Going forward, changes to sync configuration settings - such as enabling or disabling features - will require interactive authentication from an authorized cloud administrator. Whether you're using the Entra Connect wizard or PowerShell, a verified admin sign-in will be required to complete the action. This strengthens the authorization model for all sync-related configuration changes.

  • Greater consistency in admin-driven configuration: We are aligning sync behavior so that configuration decisions made by cloud administrators are consistently respected. The cloud will serve as the source of truth for sync feature state, giving administrators greater confidence that their intended configuration is maintained.

  • Updated management paths: All management interfaces for Entra Connect will incorporate delegated admin authentication where needed. Specifically:

      • Entra Connect wizard flows: The installation and configuration wizard will use delegated admin tokens for sync configuration changes, providing a more secure authorization flow.

      • PowerShell cmdlets: PowerShell-based management of sync settings will now prompt for an interactive admin sign-in to complete configuration changes. Ensure you run these commands in a session where you can provide admin credentials.

      • Uninstall behavior: If you uninstall Entra Connect Sync and choose to make cloud-side changes such as converting the tenant to cloud-only synchronization, the uninstall process will require admin authentication before modifying settings in the cloud tenant.

What’s not changing

  • Sync functionality and the end-user experience remain unchanged. Everything continues to work as expected when features are enabled or disabled.
  • There is no change to how administrators choose to enable or disable sync features; only that these actions now require interactive authentication.

The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect.

Check our version history page for more details on available versions.


General Availability - Account Discovery

Type: General Availability
Service category: Provisioning
Product capability: 3rd Party Integration

Account discovery for connected applications is now generally available in Microsoft Entra ID Governance. This capability provides administrators with visibility into all accounts that exist within connected applications, including orphan accounts.

By generating discovery reports directly from the provisioning experience, organizations can identify accounts in connected applications that aren't assigned to the enterprise application in Microsoft Entra and simplify onboarding the application.

This capability requires a Microsoft Entra ID Governance or Microsoft Entra Suite license. Learn more: https://aka.ms/accountDiscoveryDocumentation.


Public Preview - Automate setting or clearing user attributes values in Lifecycle workflows

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

We're excited to introduce the User Attribute Updates task in Lifecycle Workflows, extending existing attribute change trigger capabilities with a built-in, customer-ready way to automate attribute updates (set or clear values) directly within a workflow. With a secure, consistent, and auditable experience, organizations can reduce manual effort, improve governance, and scale identity automation with greater confidence.


General Availability - System-preferred authentication expanded to first-factor in Microsoft Entra ID

Type: General Availability
Service category: MFA
Product capability: Identity Security & Protection

We're extending system-preferred authentication to apply to the first factor in Microsoft-managed configurations (in addition to second factor). With this change, the system evaluates the credentials registered for a user and selects the highest-ranked authentication method for each step of the sign-in flow.

As a result, users with strong, phishing-resistant credentials (such as passkeys) might be signed in without needing to use a password, improving both security and user experience.

This behavior applies only to the Microsoft-managed state, where system-preferred authentication now covers both first- and second-factor authentication. The rollout is currently in progress and will be fully deployed to all Microsoft-managed tenants by the end of June.


Public Preview - Azure Role assignments can now be governed via Entitlement Management

Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance

You can now govern eligible and active assignments to Azure roles at the Management Group, Subscription, and Resource Group levels directly through access packages. This brings role assignment into the same request, approval, and lifecycle governance model as apps, groups, and more - making it easier to manage access to Azure resources at scale while aligning to least privilege and just-in-time access.


April 2026

Public Preview - Account Discovery

Type: Public Preview
Service category: Provisioning
Product capability: 3rd Party Integration

Microsoft Entra ID Governance now supports account discovery for connected applications in public preview. This capability provides administrators with visibility into all accounts that exist within connected applications, including orphan accounts.

By generating discovery reports directly from the provisioning experience, organizations can identify accounts in connected applications that aren't assigned to the enterprise application in Microsoft Entra and simplify onboarding the application.

This capability requires a Microsoft Entra ID Governance or Microsoft Entra Suite license. Learn more: https://aka.ms/accountDiscoveryDocumentation


Public Preview - App-based branding via Branding themes in Microsoft Entra tenants

Type: Public Preview
Service category: User Experience and Management
Product capability: User Authentication

In Microsoft Entra tenants, customers can create a single, tenant-wide, customized branding experience that applies to all apps. We are introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications.


Upcoming Change - Migrate from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync

Type: Plan for change
Service category: Entra Connect
Product capability: Entra Connect

As organizations look to strengthen identity security and advance their Zero Trust strategies, many are looking for simpler, more reliable ways to manage hybrid identity. To support these needs, we’re beginning the transition from Microsoft Entra Connect Sync to the cloud‑native Microsoft Entra Cloud Sync - helping reduce on‑premises complexity while improving security, reliability, and day‑to‑day manageability.

This shift is a key step toward a cloud-managed identity future that will provide a more secure, resilient, and easier-to-operate synchronization experience. As part of ongoing modernization efforts, Microsoft’s strategy remains to deliver stronger security, improved reliability, and simpler identity operations.

What's next

Beginning in July 2026, we will begin notifying customers through the M365 Message Center and targeted emails about their individual transition timelines. The transition will be rolled out in phases, and we will reach out directly to each organization when their assigned transition window begins. This phased approach ensures that we can provide tailored guidance and support to all our customers.

  • Initial phases: In the first waves, we will focus on tenants for whom Entra Cloud Sync already meets all their identity synchronization needs. If your organization relies on advanced features or has a large directory, you will not be among the initial targeted groups. We will prioritize early transitions for customers with straightforward configurations that are fully supported by Entra Cloud Sync’s current capabilities.

  • Subsequent phases: As Entra Cloud Sync’s capabilities expand, we will progressively notify the later groups and ensure they can transition successfully once equivalent support is available in Entra Cloud Sync.

We are committed to supporting you by providing tooling and documentation for the transition to Entra Cloud Sync.

What's changing

Once your organization is notified of its assigned transition window, you will receive detailed guidance and resources to help you begin the move to Entra Cloud Sync. During this period:

  • You will review your current configuration, assess readiness, and familiarize yourself with Cloud Sync’s capabilities.

  • You will gain access to the transition tool and step-by-step documentation to support a smooth transition.

  • You will move and test your synchronization environment in Entra Cloud Sync before any permanent changes are made.

Once your transition to Entra Cloud Sync is successfully completed:

  • Entra Cloud Sync will be the primary mechanism for identity synchronization between Active Directory and Entra ID, replacing the identity sync functionality in the Entra Connect tool.

What's not changing

Once you migrate to Cloud Sync, the hybrid authentication features that allow on‑premises credentials to be used for accessing cloud resources will continue to be available on the Connect Sync configuration wizard after migration.

Start preparing today

We recommend that you take steps to begin your migration. You can begin familiarizing yourself with Entra Cloud Sync and review our dedicated resources to ensure a smooth transition.

This is not a prerequisite to move to Cloud Sync, but provides an opportunity to prepare at your own pace.

Stay tuned to this page for further updates.


Plan for change - Update SCIM provisioning applications to use modern authentication

Type: Plan for change
Service category: Provisioning
Product capability: Outbound to SaaS Applications

What is changing

  • SCIM provisioning applications that use the OAuth 2.0 Authorization Code grant will be updated to support modern authentication methods, such as OAuth 2.0 Client Credentials and workload identity federation.
  • Existing provisioning jobs will not switch automatically. Customers will need to update job configuration after the new method is available.
  • A small number of applications that cannot support a modern method may be retired from the Microsoft Entra app gallery.

When this is changing

This change will roll out over the coming months, and timing will vary by application. We will share impacted applications, customer deadlines, and supporting documentation through monthly What’s new articles and the Microsoft 365 Message Center.

Why this is changing

This update strengthens the security of Microsoft Entra provisioning integrations by moving away from older authentication patterns. Modern methods are better suited for service-to-service scenarios and can reduce credential management overhead, including the need to rotate shared secrets.

Action required from customers

  • Identify existing provisioning jobs that use the OAuth 2.0 Authorization Code grant.
  • Watch for announcements about affected applications and availability of updated authentication methods.
  • Update and test provisioning job configuration when your application supports a modern authentication method.
  • If an application is retired, plan to migrate to a supported alternative.

Stay informed

Please monitor monthly What’s new articles and the Microsoft 365 Message Center for future announcements, migration guidance, deadlines, and documentation.


Public Preview - $count filtering in sign-ins API

Type: Public Preview
Service category: MS Graph
Product capability: Monitoring & Reporting

The ability to use $count in sign-ins API requests is now available, allowing customers to perform count computations directly in API requests. For more information, see: Customize Microsoft Graph responses with query parameters.


General Availability - Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3)

Type: General Availability
Service category: Microsoft Identity Manager
Product capability: Identity Governance

Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) is now available. SP3 focuses on stability and supportability, modernizes compatibility with current platform components (SQL Server, SharePoint, and Exchange), and adds an additional deployment option for the Synchronization Service by enabling Azure SQL Database with managed identity authentication—helping reduce operational risk for hybrid identity environments.

Issues fixed and improvements added in this update include:

MIM Synchronization Service

  • SQL Server 2022 Support: Full support for installation with and connection to SQL Server 2022.

  • Azure SQL Support: MIM Sync can now use Azure SQL Database, with authentication supported via both System Assigned and User Assigned Managed Identities.

MIM Service and Portal

  • SQL Server 2022 and Exchange Server Subscription Edition (SE) Support: Updated integration and database compatibility with the latest SQL and Exchange releases.

  • SharePoint Subscription Edition (SE) Support: The MIM Portal can now be deployed on SharePoint SE.

  • System Center Service Manager Data Warehouse (DW) 2022 Support: Enables reporting and audit integration with the latest SCSM DW.

  • Active Directory Federation Services (AD FS) Single Sign-On (SSO): Introduces support for claims-based authentication, allowing end users to sign in via AD FS instead of Windows Integrated Authentication.

Download and upgrade information


General Availability - As an AP requestor, I can see in My Access who my approver(s) are if the access package owner allows me to

Type: General Availability
Service category: Entitlement Management
Product capability: Entitlement Management

In May, the ability for requestors to see the name and email address of approvers for their pending access package requests directly in the My Access portal will be generally available. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra admin center. At the access package level, admins and access package owners can configure approver visibility and choose to override the tenant-level setting under the advanced request settings in the access package policy. For more information, see: View approver information for pending requests (preview).


General Availability - Enforce Conditional Access policies like MFA on every PIM activation

Type: General Availability
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Configuring reauthentication with Conditional Access for Microsoft Entra Privileged Identity Management role activation is now generally available. For more information, see: On activation, require Microsoft Entra Conditional Access authentication context.


General Availability - License Usage

Type: General Availability
Service category: Reporting
Product capability: Monitoring & Reporting

The License Usage page in the Microsoft Entra admin center helps customers optimize their Entra licenses by providing visibility into feature usage across their tenant. It shows how many Entra ID P1, P2, and Suite licenses you own, along with usage of key features such as Conditional Access and risk‑based Conditional Access mapped to each license type. You can also review usage trends over the past six months. This view gives you a clearer understanding of your license footprint, the value you’re deriving from Entra, and potential over‑usage risks within your tenant. For more information, see: Microsoft Entra license usage insights.


General Availability - Configurable Token Lifetime Policies

Type: General Availability
Service category: Authentications (Logins)
Product capability: Platform

Configurable token lifetime policies are now generally available in Microsoft Entra ID. This feature allows administrators to customize the lifetimes of access tokens, ID tokens, and SAML tokens issued by the Microsoft identity platform by creating and assigning token lifetime policies to applications and service principals.

With configurable token lifetime policies, organizations can adjust token durations to meet their security and usability requirements -- for example, shortening access token lifetimes for sensitive applications or extending them for long-running automation scenarios. For more information, see: Configurable token lifetimes in the Microsoft identity platform.
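The policy is created through Microsoft Graph (POST /policies/tokenLifetimePolicies) and then assigned to an application or service principal. The part that most often goes wrong is that the policy definition is a JSON string nested inside the "definition" array, and that AccessTokenLifetime must stay within the documented 10-minute to 1-day range. The following is an added example, not Microsoft's code or a Graph SDK call: it builds and validates such a request body offline, and decodes an existing policy object for auditing. The display name and the "d.hh:mm:ss" duration parser are my own choices.

```python
from __future__ import annotations

import json
import re

# Documented bounds for AccessTokenLifetime: minimum 10 minutes, maximum 1 day.
MIN_ACCESS_TOKEN_SECONDS = 10 * 60
MAX_ACCESS_TOKEN_SECONDS = 24 * 60 * 60

# Accepts "hh:mm:ss", "h:mm:ss" and "d.hh:mm:ss" (the forms used in policy definitions).
_DURATION = re.compile(r"^(?:(?P<days>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})$")


def parse_duration(value: str) -> int:
    """Return the total number of seconds encoded by a policy duration string."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"not a d.hh:mm:ss duration: {value!r}")
    days = int(m.group("days") or 0)
    h, mi, s = int(m.group("h")), int(m.group("m")), int(m.group("s"))
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"out-of-range time component in {value!r}")
    return days * 86400 + h * 3600 + mi * 60 + s


def build_token_lifetime_policy(display_name: str, access_token_lifetime: str,
                                organization_default: bool = False) -> dict:
    """Build the request body for POST /policies/tokenLifetimePolicies.

    Refuses lifetimes outside the documented range before anything is sent,
    and serializes the definition as the nested JSON string Graph expects."""
    seconds = parse_duration(access_token_lifetime)
    if not MIN_ACCESS_TOKEN_SECONDS <= seconds <= MAX_ACCESS_TOKEN_SECONDS:
        raise ValueError(f"AccessTokenLifetime {access_token_lifetime} is outside the "
                         f"allowed range of 10 minutes to 1 day")
    definition = {"TokenLifetimePolicy": {"Version": 1,
                                          "AccessTokenLifetime": access_token_lifetime}}
    return {
        "definition": [json.dumps(definition)],
        "displayName": display_name,
        "isOrganizationDefault": organization_default,
    }


def decode_policy_definition(policy: dict) -> dict:
    """Reverse step for auditing: unwrap the nested definition of a policy object
    as returned by GET /policies/tokenLifetimePolicies/{id}."""
    return json.loads(policy["definition"][0])["TokenLifetimePolicy"]


if __name__ == "__main__":
    body = build_token_lifetime_policy("Short-lived tokens for finance app", "00:30:00")
    print(json.dumps(body, indent=2))
    print(decode_policy_definition(body))
```

Shortening the lifetime narrows the window in which a leaked bearer token is usable; the trade-off is more frequent token refreshes, which is why the policy is assigned per application rather than tenant-wide unless isOrganizationDefault is set deliberately.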


March 2026

Public Preview - Entra Hybrid Join using Entra Kerberos

Type: Public Preview
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

This new capability enables a Windows device to become Hybrid Entra joined immediately at provisioning time, without waiting for Entra Connect sync or requiring AD FS. By leveraging Entra Kerberos, customers can modernize their hybrid identity architecture while reducing infrastructure complexity and dependency on legacy federation components. For more information, see: Microsoft Entra hybrid join using Microsoft Entra Kerberos (preview).


General Availability - SCIM 2.0 APIs for Microsoft Entra ID

Type: General Availability
Service category: Provisioning
Product capability: Identity Lifecycle Management

SCIM 2.0 APIs give customers, developers, and partners a standards-based option for managing users and groups in Microsoft Entra using the System for Cross-domain Identity Management (SCIM) 2.0 specification. For more information, see: Enable Microsoft Entra SCIM 2.0 APIs.


General Availability - Microsoft Single Sign-On for Linux support for authenticating with Phish-Resistant MFA credentials

Type: General Availability
Service category: Authentications (Logins)
Product capability: SSO

The major improvements that this release provides include:

  • Enables authentication using CBA/YubiKey with certificate (PRMFA)
  • Removes dependency on Java runtime as part of the Intune install
  • Improved performance and reliability when authenticating to Entra ID
  • Provides device trust using Entra Join instead of Entra Registration
  • Increased stability and performance for authentication requests

For more information, see: What is Microsoft single sign-on for Linux?.


General Availability - New M365 group creation experience in My Groups

Type: General Availability
Service category: Group Management
Product capability: End User Experiences

We’re improving the Microsoft 365 group creation experience in My Groups to give group owners more control and clarity from the start. The updated experience lets you configure key group, email, and security settings during creation—so your group works the way you expect without extra admin help later.

With this update, you can:

  • Set group usage guidelines, email alias, and sensitivity labels
  • Configure Exchange settings such as sending welcome emails, subscribing members to conversations, and showing the group mailbox and calendar in Outlook
  • Control who can send email to the group, hide the group from the global address list, and allow or block external senders
  • Enable security group functionality when needed

This streamlined, self‑service experience helps ensure your group is created with the right defaults and policies from day one. It is rolling out to all tenants by the end of March.


General Availability - Just‑in‑Time Password Migration in Microsoft Entra External ID

Type: General Availability
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Just‑in‑Time Password Migration is now generally available in Microsoft Entra External ID.

Customers can migrate user passwords securely at first sign‑in, allowing users to continue using their existing credentials without forced password resets. This enables a smoother transition from Azure AD B2C or other identity providers while reducing migration risk and operational overhead.


General Availability - Improved readability for Authentication Methods Policy Update audit logs

Type: General Availability
Service category: Authentications (Logins)
Product capability: User Authentication

Starting in April 2026, the Authentication Methods Policy Update and Authentication Methods Policy Reset audit log activities have been updated to improve readability and clarity. Previously, audit logs included the full authentication methods policy payload in both the old and new values, even when only a small number of settings were changed. With this update, audit log entries now surface only the specific properties that were modified, along with their corresponding old and new values.

Policy-wide updates—such as Registration Campaigns and System‑preferred authentication—may continue to include the full policy payload. The activity name and triggering events remain unchanged. This update affects formatting only and does not change policy behavior. For more information, see: Core Directory.
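Older entries in an archived log store still carry the full payload in both old and new values, so a detection pipeline that wants the same property-level view for them has to compute it. The following is an added example, not Microsoft's code: a recursive diff that reports only the leaf properties whose values changed, run over a constructed pair of payloads modelled on the Graph authenticationMethodsPolicy resource (property names such as registrationEnforcement and authenticationMethodConfigurations are real; the values are made up).

```python
from __future__ import annotations

import copy
import json
from typing import Any, Dict, List, Tuple


def changed_properties(old: Any, new: Any, path: str = "") -> Dict[str, Tuple[Any, Any]]:
    """Compare two JSON-like payloads and return {dotted.path: (old, new)} for the
    leaves that differ. Unchanged subtrees contribute nothing; lists are compared
    element-wise when their lengths match and as a whole otherwise."""
    if isinstance(old, dict) and isinstance(new, dict):
        out: Dict[str, Tuple[Any, Any]] = {}
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                out[sub] = (None, new[key])          # property added
            elif key not in new:
                out[sub] = (old[key], None)          # property removed
            else:
                out.update(changed_properties(old[key], new[key], sub))
        return out
    if isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        out = {}
        for i, (a, b) in enumerate(zip(old, new)):
            out.update(changed_properties(a, b, f"{path}[{i}]"))
        return out
    return {} if old == new else {path: (old, new)}


def summarize_policy_update(old_policy: dict, new_policy: dict) -> List[dict]:
    """Shape the diff like a modified-properties list: one entry per changed
    property with its old and new value serialized as JSON strings."""
    return [{"displayName": path, "oldValue": json.dumps(o), "newValue": json.dumps(n)}
            for path, (o, n) in changed_properties(old_policy, new_policy).items()]


# Constructed sample: the policy before an admin enabled FIDO2 and lengthened
# the registration-campaign snooze period.
OLD_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {"state": "default", "snoozeDurationInDays": 1}
    },
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "disabled", "isSelfServiceRegistrationAllowed": True},
        {"id": "Sms", "state": "enabled"},
    ],
}


def demo() -> List[dict]:
    new_policy = copy.deepcopy(OLD_POLICY)
    new_policy["authenticationMethodConfigurations"][0]["state"] = "enabled"
    new_policy["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]["snoozeDurationInDays"] = 3
    return summarize_policy_update(OLD_POLICY, new_policy)


if __name__ == "__main__":
    for change in demo():
        print(change)
```

Running it yields two entries, one for the FIDO2 state and one for the snooze duration, while the untouched SMS configuration produces nothing. Alerting on a specific path (for example any entry whose displayName ends in ".state") is then a simple string match instead of a payload comparison.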


February 2026

General Availability - Expanded attribute support in Lifecycle Workflows attribute changes trigger

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:

  • Custom security attributes
  • Directory extension attributes
  • EmployeeOrgData attributes
  • On-premises attributes 1-15

This enhancement gives administrators greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments. For more information, see: Use Custom attribute triggers in lifecycle workflows.


General Availability - Delegated Workflow Management in Lifecycle Workflows

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Customers are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope. For more information, see: Delegated workflow management.


General Availability - Device authorization grant flow in Microsoft Entra External ID

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Similar to Microsoft Entra ID (workforce tenants), Microsoft Entra External ID (external tenants) now supports device authorization grant flow, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. For more information, see OAuth 2.0 device authorization grant.
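The device authorization grant (RFC 8628) is a two-channel exchange: the device obtains a device_code and a short user_code, the user enters that code on another device, and meanwhile the input-constrained device polls the token endpoint, which answers authorization_pending until consent is given, slow_down when polled too fast, and expired_token once the code's lifetime passes. The following is an added example, not Microsoft's code or an MSAL sample: a mock of the two endpoints and an RFC-conformant client that runs the whole exchange offline against an injected clock, including the impatient-client and nobody-approves cases. The client ID, verification URI and token values are constructed placeholders; a real External ID tenant exposes the endpoints under its own tenant-specific authority.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder app id


class DeviceFlowError(Exception):
    """Terminal error from the token endpoint (expired_token, access_denied, ...)."""


class FakeClock:
    """Injectable clock so the exchange runs instantly and deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class PendingAuthorization:
    user_code: str
    expires_at: float
    approved: bool = False
    last_poll: Optional[float] = None


@dataclass
class MockAuthorizationServer:
    """Constructed stand-in for the tenant's devicecode and token endpoints."""
    clock: FakeClock
    interval: int = 5          # seconds a client must wait between polls
    code_lifetime: int = 900   # device_code validity in seconds
    pending: dict = field(default_factory=dict)

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Step 1: the device asks for a device_code and a short user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.pending[device_code] = PendingAuthorization(user_code, self.clock.now + self.code_lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.invalid/devicelogin",  # constructed
                "expires_in": self.code_lifetime, "interval": self.interval}

    def approve(self, user_code: str) -> None:
        """Step 2: the user enters user_code on another device and consents."""
        for req in self.pending.values():
            if req.user_code == user_code:
                req.approved = True

    def token(self, client_id: str, grant_type: str, device_code: str) -> dict:
        """Step 3: the device polls; error codes follow RFC 8628 section 3.5."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        now = self.clock.now
        if now >= req.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if req.last_poll is not None and now - req.last_poll < self.interval:
            req.last_poll = now
            return {"error": "slow_down"}
        req.last_poll = now
        if not req.approved:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": "constructed.token"}


def poll_for_token(server, clock, dc, on_pending=None, interval=None):
    """Client side: honour the server's interval, back off 5 s on slow_down,
    keep polling on authorization_pending, stop on expiry or any other error."""
    interval = dc["interval"] if interval is None else interval
    deadline = clock.now + dc["expires_in"]
    stats = {"polls": 0, "slow_downs": 0}
    while True:
        clock.sleep(interval)
        if clock.now > deadline:
            raise DeviceFlowError("expired_token")
        resp = server.token(CLIENT_ID, DEVICE_GRANT, dc["device_code"])
        stats["polls"] += 1
        if "access_token" in resp:
            return resp, stats
        err = resp.get("error")
        if err == "authorization_pending":
            if on_pending:
                on_pending(server, dc, stats["polls"])
        elif err == "slow_down":
            stats["slow_downs"] += 1
            interval += 5
        else:
            raise DeviceFlowError(err or "unknown_error")


def _approve_after_first_poll(server, dc, poll_number):
    if poll_number == 1:
        server.approve(dc["user_code"])


def demo(client_interval=None, code_lifetime=900, user_approves=True) -> dict:
    """Run one complete exchange and report how it ended."""
    clock = FakeClock()
    server = MockAuthorizationServer(clock, code_lifetime=code_lifetime)
    dc = server.devicecode(CLIENT_ID, "openid offline_access")
    try:
        token, stats = poll_for_token(server, clock, dc,
                                      _approve_after_first_poll if user_approves else None,
                                      client_interval)
        return {"outcome": token["token_type"], **stats, "elapsed": clock.now}
    except DeviceFlowError as err:
        return {"outcome": str(err), "elapsed": clock.now}
```

demo() returns a Bearer token after two polls; demo(client_interval=1) shows a client that ignores the interval being told slow_down and backing off; demo(code_lifetime=30, user_approves=False) ends in expired_token. The defender-relevant points are the ones the mock enforces: the device_code is single use, the server rate-limits polling, and an unapproved code dies with its lifetime.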


Upcoming change - Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles

Type: Plan for change
Service category: Entra Connect
Product capability: Entra Connect

What is Hard-matching in Microsoft Entra Connect Sync and Cloud Sync?

When Microsoft Entra Connect or Cloud Sync adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with an Entra object by looking up the incoming object’s sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud-managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect or Cloud Sync takes over the source of authority (SoA) of that object and updates it with the properties of the incoming Active Directory object, in what is known as a "hard match."

To strengthen the security posture of your Microsoft Entra ID environment, we are introducing a change that will restrict certain types of hard-match operations by default.

What’s changing

Beginning June 1, 2026, Microsoft Entra ID will block any attempt by Entra Connect Sync or Cloud Sync to hard-match a new user object from Active Directory to an existing cloud-managed Entra ID user object that holds Microsoft Entra roles.

This means:

  • If a cloud managed user already has onPremisesImmutableId (sourceAnchor) set and is assigned a Microsoft Entra role, Microsoft Entra Connect Sync or Cloud Sync will no longer be able to take over the Source of Authority of that user by hard-matching with an incoming user object from Active Directory.
  • This safeguard prevents attackers from taking over privileged cloud managed users in Entra by manipulating attributes of user objects in Active Directory.

What’s not changing

  • Hard match operations for cloud users without Microsoft Entra roles are not affected.
  • Soft match behavior isn't affected.
  • Ongoing sync from Active Directory to Entra ID for previously hard-matched objects will not be affected.

Customer action required

If you encounter a hard match error after June 1, 2026, see our documentation for mitigation steps.
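Before June 1, 2026, an administrator can find out in advance which planned sync operations the safeguard will refuse: compute the sourceAnchor each incoming AD object will carry, look it up against onPremisesImmutableId on cloud-managed users, and flag any match where the cloud user holds a directory role. The following is an added example, not Microsoft's code: it derives the anchor the way Entra Connect does for an objectGUID-based sourceAnchor (base64 of the GUID's 16 bytes in AD's byte order) and runs the check over constructed sample data. The tenant name, GUIDs and role names are placeholders, and "cloud-managed" is taken to mean onPremisesSyncEnabled is not true.

```python
from __future__ import annotations

import base64
import uuid
from dataclasses import dataclass, field
from typing import List, Optional


def source_anchor_from_object_guid(object_guid: str) -> str:
    """Default sourceAnchor for an objectGUID (or an ms-DS-ConsistencyGuid holding
    that GUID): base64 of the 16 bytes in the order AD stores them, which is
    .NET Guid.ToByteArray() and Python's uuid.bytes_le."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


@dataclass
class CloudUser:
    """Subset of a Graph user: onPremisesImmutableId, onPremisesSyncEnabled, and
    the directory roles the user holds (role lookup is out of scope here)."""
    user_principal_name: str
    on_premises_immutable_id: Optional[str]
    on_premises_sync_enabled: bool
    entra_roles: List[str] = field(default_factory=list)


@dataclass
class AdUser:
    sam_account_name: str
    object_guid: str


def find_hard_match_candidates(ad_users: List[AdUser], cloud_users: List[CloudUser]) -> List[dict]:
    """For each AD user about to be synced, report the cloud-managed Entra user it
    would hard-match (same anchor) and whether the June 1, 2026 safeguard blocks
    the match because that user holds a Microsoft Entra role."""
    by_anchor = {u.on_premises_immutable_id: u
                 for u in cloud_users if u.on_premises_immutable_id}
    findings = []
    for ad in ad_users:
        anchor = source_anchor_from_object_guid(ad.object_guid)
        target = by_anchor.get(anchor)
        if target is None or target.on_premises_sync_enabled:
            continue  # no match, or already synced (ongoing sync is unaffected)
        findings.append({
            "ad_user": ad.sam_account_name,
            "source_anchor": anchor,
            "cloud_user": target.user_principal_name,
            "roles": list(target.entra_roles),
            "blocked_after_2026_06_01": bool(target.entra_roles),
        })
    return findings


def run_audit() -> List[dict]:
    """Constructed sample data: one privileged cloud user with a pre-set
    ImmutableId, one unprivileged one, one already-synced user, one AD user
    with no counterpart, and one cloud user with no anchor at all."""
    ad_users = [
        AdUser("jdoe", "12345678-1234-1234-1234-123456789abc"),
        AdUser("asmith", "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"),
        AdUser("clee", "0f0e0d0c-0b0a-4908-8706-050403020100"),
        AdUser("bwong", "11111111-2222-4333-8444-555555555555"),
    ]
    cloud_users = [
        CloudUser("jdoe@contoso.example", "eFY0EjQSNBISNBI0VniavA==", False,
                  ["Global Administrator"]),
        CloudUser("asmith@contoso.example",
                  source_anchor_from_object_guid("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"), False),
        CloudUser("clee@contoso.example",
                  source_anchor_from_object_guid("0f0e0d0c-0b0a-4908-8706-050403020100"), True,
                  ["User Administrator"]),
        CloudUser("guest@contoso.example", None, False),
    ]
    return find_hard_match_candidates(ad_users, cloud_users)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In the sample, jdoe is reported as blocked because the cloud-managed account carrying that anchor holds Global Administrator, asmith is reported as a permitted hard match, and clee does not appear because the account is already synced. The same check also illustrates why the safeguard exists: whoever can set an AD object's objectGUID-derived anchor to the ImmutableId of a privileged cloud account would otherwise obtain source of authority over it.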


General Availability - External MFA is Generally Available

Type: New feature
Service category: MFA
Product capability: User Authentication

We're excited to announce that external authentication methods in Microsoft Entra ID are now generally available under a new name: External Multifactor Authentication (External MFA). This capability enables organizations to meet multifactor authentication requirements while continuing to use their preferred MFA provider. Microsoft Entra ID remains the identity control plane, performing full policy evaluation and access decisions on every sign-in, including real-time Conditional Access enforcement and sign-in risk assessment. For more information, see How to enable external MFA.


General Availability - Custom banned password lists supported in Microsoft Entra External ID

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

In addition to the global banned password lists already supported, EEID admins can now add specific strings to block during password creation and reset. For more information, see Password Protection - Custom banned password lists.
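A custom banned list is only effective if you understand how Entra password protection scores a candidate password: the password is normalized (lowercased, common substitutions such as 0 for o and @ for a undone), compared to the banned lists, and then scored with one point per banned term found and one point per remaining character, with five points needed to pass. The following is an added example, not Microsoft's code or the service's implementation: an approximation of those published rules, written so an admin can try candidate passwords against a constructed custom list offline and see why each is accepted or rejected. The substitution table, the edit-distance-one fuzzy match, and the four-character minimum for name tokens are assumptions on my part.

```python
from __future__ import annotations

from typing import Iterable, Tuple

# Normalization: lowercase, then undo common substitutions (approximation).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5          # documented: a password needs at least five points
MIN_NAME_TOKEN = 4     # assumption: shorter name tokens are ignored


def normalize(text: str) -> str:
    return text.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def evaluate_password(password: str, banned_terms: Iterable[str],
                      name_tokens: Iterable[str] = ()) -> Tuple[bool, str, int]:
    """Return (accepted, reason, score) following the published scoring rules."""
    norm = normalize(password)
    banned = sorted({normalize(t) for t in banned_terms if t}, key=len, reverse=True)
    # Whole-password fuzzy match against the lists (edit distance <= 1).
    for term in banned:
        if within_one_edit(norm, term):
            return False, f"matches banned term '{term}' (fuzzy)", 1
    # User or tenant name substrings are rejected outright.
    for token in name_tokens:
        t = normalize(token)
        if len(t) >= MIN_NAME_TOKEN and t in norm:
            return False, f"contains name token '{t}'", 0
    # Greedy left-to-right scoring: 1 point per banned term, 1 per other character.
    score, i, found = 0, 0, []
    while i < len(norm):
        for term in banned:
            if norm.startswith(term, i):
                found.append(term)
                score += 1
                i += len(term)
                break
        else:
            score += 1
            i += 1
    accepted = score >= MIN_SCORE
    reason = f"{'ok' if accepted else 'too similar to banned terms'}; found {found}"
    return accepted, reason, score


if __name__ == "__main__":
    custom_list = ["contoso", "blank"]          # constructed custom banned list
    for candidate in ("C0ntos0Blank12", "ContoS0Bl@nkf9!", "Contos0!", "Summer2024!"):
        print(candidate, evaluate_password(candidate, custom_list, name_tokens=("Alice", "Summer")))
```

"C0ntos0Blank12" normalizes to contosoblank12 and scores only four points (contoso, blank, 1, 2) so it is rejected, while "ContoS0Bl@nkf9!" scores five and passes; this is why short banned strings padded with a couple of characters do not add much, and why the custom list should hold the company-specific terms (product names, site names) that the global list cannot know.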


Upcoming Changes - Jailbreak Detection in Authenticator App

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Starting February 2026, Microsoft Authenticator will introduce jailbreak/root detection for Microsoft Entra credentials in the Android app. The rollout progresses from warning mode → blocking mode → wipe mode. Users must move to compliant devices to continue using Microsoft Entra accounts in Authenticator.


General Availability - Microsoft Entra Connect Sync now supports Windows Server 2025

Type: New feature
Service category: Entra Connect
Product capability: Entra Connect

Microsoft Entra Connect Sync now officially supports Windows Server 2025. This means you can confidently install and run Microsoft Entra Connect Sync on servers running Windows Server 2025, enabling your hybrid identity environment to take full advantage of the latest Windows Server enhancements.

What this means for you: With this update, organizations can upgrade their identity synchronization servers to Windows Server 2025 without hesitation. Windows Server 2025 brings advanced features that improve security, performance, and flexibility, and our engineering team has thoroughly validated Microsoft Entra Connect Sync on this platform. Many customers have been eager to adopt Windows Server 2025 to leverage its enhanced security, better performance, and improved management capabilities. Now, with official support in place, you can benefit from these improvements while maintaining a reliable, fully supported hybrid identity solution.

The Microsoft Entra Connect Sync .msi installation file is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect. Check our version history page for more details on available versions.

Consider moving to Cloud Sync: Microsoft Entra Cloud Sync is a sync client that works from the cloud and allows customers to set up and manage their sync preferences online. We recommend that you use Cloud Sync because we're introducing new features that improve the sync experiences through Cloud Sync.


Public Preview - New end user homepage in My Account

Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences

The homepage at https://myaccount.windowsazure.cn has been updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.


General Availability - Microsoft Entra Provisioning Service available in Microsoft Azure operated by 21Vianet

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

The Microsoft Entra provisioning service can be used in the 21Vianet / China cloud for the following scenarios: API-driven provisioning, Cloud Sync, Cross-tenant sync between China tenants, SCIM provisioning for the non-gallery / custom application, and on-premises app provisioning (ECMA). Specific gallery connectors such as Workday, SuccessFactors, and AWS aren't onboarded to the environment. For more information, see: Gallery application doesn't support provisioning in 21Vianet (China) clouds.


General Availability - Revoke previously approved access package assignments in My Access

Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance

By the end of March, Microsoft Entra ID Governance approvers will be able to revoke access to an access package after an approval has already been granted. This gives approvers greater control to respond to changes, mistakes, or updated business needs. With this update, an approver can undo a prior approval decision, immediately removing the requestor's access to the access package. Only the approver who originally approved the request can revoke it, even if multiple approvers belong to the same approver group. For more information, see: Revoke a request.


January 2026

General Availability - Microsoft Entra ID Governance guest billing meter enforcement

Type: New feature
Service category: Entitlement Management, Lifecycle Workflows
Product capability: Entitlement Management, Lifecycle Workflows

Enforcement for the Microsoft Entra ID Governance guest billing meter is now in effect for Entitlement Management and Lifecycle Workflows (Access Reviews will be enforced later in CY26 Q1). To keep using Entra ID Governance premium features for guest users in workforce tenants, you must link a valid Azure subscription to activate the Microsoft Entra ID Governance for guests add-on. If a subscription isn’t linked, creation or updates of new guest-scoped governance configurations will be restricted (for example, certain access package policies, access reviews, and lifecycle workflows), and guest-specific governance actions may fail until billing is configured.

For more information, see: Microsoft Entra ID Governance licensing for guest users.


General Availability - Service Principal creation audit logs for alerting & monitoring

Type: New feature
Service category: Audit
Product capability: Monitoring & Reporting

New audit log properties now make it easy for admins to understand why a service principal was created and who or what triggered it. The logs now surface the provisioning mechanism, the specific SKUs or service plans that enabled just‑in‑time creation, and the home tenant of the app registration. This helps admins quickly distinguish Microsoft‑driven provisioning from tenant‑driven activity, streamlining alerting and investigations into newly created service principals. For more information, see:


General Availability - Session Control Conditional Access Policies in Entra External ID

Type: New feature
Service category: Conditional Access
Product capability: B2B/B2C

EEID admins can configure persistent browser session and sign‑in frequency in Conditional Access. For more information, see Conditional Access: Manage Session Controls Effectively.


General Availability - Improved enforcement for All resources policies with resource exclusions

Type: Changed feature
Service category: Conditional Access
Product capability: Access Control

Microsoft Entra Conditional Access is strengthening how policies that target All resources with resource exclusions are enforced in a narrow set of authentication flows. After this change, in user sign‑ins where a client application requests only OIDC or specific directory scopes, Conditional Access policies that target All resources with one or more resource exclusions, or policies that explicitly target Azure AD Graph, will be enforced. This ensures that policies are consistently applied regardless of the scope set requested by the client application. For more information, see: New Conditional Access behavior when an ALL resources policy has a resource exclusion.


December 2025

General Availability - Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

Many Windows user experiences use web views to render web content so that it looks like native content. A common scenario is authentication, where a user is prompted for a username and then provides credentials.

Microsoft Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting with KB5072033 (OS Builds 26200.7462 and 26100.7462) or later. This release marks a significant step forward in delivering a secure, modern, and consistent sign-in experience across apps and services.

WebView2 will become the default framework for WAM authentication in an expected future Windows release, with the EdgeHTML WebView being deprecated. Therefore, we encourage users to deploy now and participate in the opt-in process, enable this experience in their environments, and make any necessary adjustments — such as updating proxy rules or modifying code in services involved in the sign in process. Contact Customer Support Services if you'd like to provide feedback.

Moving to WebView2 is more than a technical upgrade; it is an investment in secure, user-friendly identity experiences, and Microsoft is committed to evolving Microsoft Entra ID to meet the needs of modern organizations and developers.

For more information, see: Now generally available: Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11 - Windows IT Pro Blog


General Availability - Microsoft Entra Connect security hardening to prevent user account takeover

Type: Fixed
Service category: Entra Connect
Product capability: Access Control

When Microsoft Entra Connect adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with an existing Entra object by looking up the incoming object's sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud-managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect Sync takes over the source of authority (SoA) of that object and updates it with the properties of the incoming Active Directory object, in what is known as a "hard match."

As part of ongoing security hardening, Microsoft is going to introduce enforcement changes in Microsoft Entra Connect to mitigate the risk of account takeover via hard match abuse. Enforcement of this change will begin on July 1, 2026.

What’s Changing:

  • Microsoft Entra will block attempts by Entra Connect to modify the OnPremisesObjectIdentifier attribute after it has already been mapped to a synced user object. This prevents re‑mapping an existing Entra ID user to a different on‑premises identity.
  • Audit logs have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled, enabling better visibility into synchronization behavior.
  • To support legitimate scenarios where an existing synced Entra object must be remapped to another on-premises object, Microsoft has introduced a Microsoft Graph API that allows controlled recovery actions, without re‑enabling hard‑match abuse or unauthorized re‑mapping.
  • Resetting a user’s OnPremisesObjectIdentifier field will not impact subsequent sync jobs. This means that both the cloud sync and connect sync clients can continue syncing the user object that was reset without issue. Each time a user object is synced after that field has been set to null, it gets assigned a new GUID.

What's Not Changing:

  • This enforcement applies only to the scenario where OnPremisesObjectIdentifier is modified on a synced object that has already been mapped, that is, an attempt to remap it to a different on-premises object through hard match. Hard match and takeover of cloud objects using onPremisesImmutableId remain supported and unchanged.

Customer Action Required: 

  • Review and implement updated hardening guidance, including recommended flags to disable hard match takeover where appropriate.
  • Identify potentially impacted users by reviewing audit logs for recent changes to OnPremisesObjectIdentifier. Refer to the Microsoft Entra Connect Sync error code for impacted users.
  • Test the new Graph API-based recovery flow to ensure readiness before enforcement begins on July 1, 2026.

Microsoft Graph API for Recovery

Starting July 1st, 2026, the sync operations that attempt to remap existing synced objects in Entra to a different on-premises object will fail with the following error:

Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping.

Customers can recover by first clearing the OnPremisesObjectIdentifier property on the Entra object and then re-attempting the hard-match and takeover operation.

To clear the OnPremisesObjectIdentifier for a user, use the following Microsoft Graph API call:

PATCH https://microsoftgraph.chinacloudapi.cn/beta/users/{userId}

Body:

{
  "onPremisesObjectIdentifier": null
}

Required permissions:

  • Delegated or application permission: User-OnPremisesSyncBehavior.ReadWrite.All
  • The caller must also hold one of the following roles: Global Administrator or Hybrid Identity Administrator
  • No user, including Global Administrators and Hybrid Identity Administrators, can reset the field through Microsoft Graph unless the calling app has been granted User-OnPremisesSyncBehavior.ReadWrite.All

Note

The API only allows clearing OnPremisesObjectIdentifier (setting it to null). Attempts to set it to any other value are blocked.

Additional Guidance:

  • If enforcement blocks an operation, the following error message will be returned: "Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping."
  • Use audit logs to identify affected objects. Look for “Update user” events where OnPremisesObjectIdentifier was modified. These users may require remediation before enforcement begins.
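The triage and recovery steps above, as an added Python example (this is not Microsoft's code or tooling): it scans directory audit events for "Update user" entries that changed OnPremisesObjectIdentifier from one value to another, builds the null-only PATCH shown above against the 21Vianet Graph endpoint after checking the permission and role requirements locally, and recognizes the enforcement error string. It assumes audit events shaped like Microsoft Graph directoryAudits records (activityDisplayName, targetResources, modifiedProperties with JSON-encoded oldValue/newValue) and that the attribute appears under the display name OnPremisesObjectIdentifier; the sample events are constructed.

```python
"""Hard-match hardening: audit-log triage and the recovery PATCH.

Added example for this page, not Microsoft's code. Assumptions:
- audit events look like Microsoft Graph directoryAudits records, with the
  changed attribute under modifiedProperties[].displayName and JSON-encoded
  oldValue/newValue strings (assumed; adjust to your tenant's export);
- the attribute is reported as "OnPremisesObjectIdentifier".
SAMPLE_AUDIT_EVENTS below are constructed.
"""
import json

GRAPH_BASE = "https://microsoftgraph.chinacloudapi.cn/beta"
REQUIRED_PERMISSION = "User-OnPremisesSyncBehavior.ReadWrite.All"
ALLOWED_ROLES = {"Global Administrator", "Hybrid Identity Administrator"}
HARD_MATCH_BLOCK_MESSAGE = (
    "Hard match operation blocked due to security hardening. "
    "Review OnPremisesObjectIdentifier mapping."
)


def _decode_value(raw):
    """Audit old/new values arrive JSON-encoded, usually as a one-element list."""
    if raw in (None, ""):
        return None
    try:
        parsed = json.loads(raw)
    except ValueError:
        return raw
    if isinstance(parsed, list):
        return parsed[0] if parsed else None
    return parsed


def find_remapped_users(events):
    """Return (upn, old_id, new_id) for 'Update user' events that re-mapped
    OnPremisesObjectIdentifier. A change from empty to a value is the normal
    first population at initial sync and is not reported."""
    hits = []
    for event in events:
        if event.get("activityDisplayName") != "Update user":
            continue
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName", "").lower() != "onpremisesobjectidentifier":
                    continue
                old_id = _decode_value(prop.get("oldValue"))
                new_id = _decode_value(prop.get("newValue"))
                if old_id and new_id and old_id != new_id:
                    hits.append((target.get("userPrincipalName"), old_id, new_id))
    return hits


def build_clear_request(user_id, granted_permissions, caller_roles):
    """Describe the PATCH that clears onPremisesObjectIdentifier. The page's
    preconditions are enforced locally so a misconfigured caller fails before
    any network call; the body is always null because the API accepts nothing else."""
    if REQUIRED_PERMISSION not in set(granted_permissions):
        raise PermissionError(f"app is not granted {REQUIRED_PERMISSION}")
    if not ALLOWED_ROLES.intersection(caller_roles):
        raise PermissionError("caller needs Global Administrator or Hybrid Identity Administrator")
    if not user_id or "/" in user_id:
        raise ValueError("user_id must be a single object ID or UPN")
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user_id}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"onPremisesObjectIdentifier": None}),
    }


def is_hard_match_blocked(error_message):
    """True when a sync error is the July 2026 enforcement block."""
    return HARD_MATCH_BLOCK_MESSAGE in (error_message or "")


# Constructed sample: alice gets the field populated for the first time (benign),
# bob is re-mapped from one on-premises object to another (needs review), carol
# has an unrelated attribute change.
SAMPLE_AUDIT_EVENTS = [
    {"activityDisplayName": "Update user",
     "targetResources": [{"userPrincipalName": "alice@contoso.cn",
                          "modifiedProperties": [{"displayName": "OnPremisesObjectIdentifier",
                                                  "oldValue": None,
                                                  "newValue": '["6f1d2c3a-0000-4000-8000-000000000001"]'}]}]},
    {"activityDisplayName": "Update user",
     "targetResources": [{"userPrincipalName": "bob@contoso.cn",
                          "modifiedProperties": [{"displayName": "OnPremisesObjectIdentifier",
                                                  "oldValue": '["6f1d2c3a-0000-4000-8000-000000000002"]',
                                                  "newValue": '["6f1d2c3a-0000-4000-8000-000000000003"]'}]}]},
    {"activityDisplayName": "Update user",
     "targetResources": [{"userPrincipalName": "carol@contoso.cn",
                          "modifiedProperties": [{"displayName": "DisplayName",
                                                  "oldValue": '["C."]', "newValue": '["Carol"]'}]}]},
]

if __name__ == "__main__":
    for upn, old_id, new_id in find_remapped_users(SAMPLE_AUDIT_EVENTS):
        print(f"{upn}: {old_id} -> {new_id}")
        req = build_clear_request(upn, {REQUIRED_PERMISSION}, ["Hybrid Identity Administrator"])
        print(req["method"], req["url"], req["body"])
```

Sending the request is left to whatever Graph client you already use; the point of the builder is that it can only ever produce the null body the API accepts, and the triage distinguishes the first population of the field (old value empty) from a genuine remap, which is the case enforcement will block.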

The Microsoft Entra Connect Sync .msi installation file is exclusively available on the Microsoft Entra admin center under Microsoft Entra Connect. Check our version history page for more details on available versions.


Public Preview - Just-in-time password migration to Microsoft Entra External ID

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The Just-in-Time (JIT) Password Migration feature is designed to provide a seamless and secure experience for customers transitioning to Microsoft Entra External ID. This capability enables external identity providers to migrate user credentials during sign-in, eliminating the need for bulk password resets and minimizing disruption for end users. When a user meets the migration conditions at sign-in, their credentials are securely transferred as part of the process, ensuring continuity and reducing friction.

By integrating migration into the authentication flow, organizations can simplify administrative tasks while maintaining security standards. This approach not only enhances user experience but also accelerates adoption of Microsoft Entra External ID without compromising operational efficiency.


November 2025

Public Preview - Externally determine the approval requirements for an access package using custom extensions

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

In Entitlement Management, approvers for access package assignment requests can either be directly assigned or determined dynamically. Entitlement management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization. With this feature you can now use custom extensions for callouts to Azure Logic Apps and dynamically determine the approval requirements for each access package assignment request based on your organization's specific business logic. The access package assignment request process pauses until your business logic hosted in Azure Logic Apps returns an approval stage, which is then used in the subsequent approval process via the My Access portal. For more information, see: Externally determine the approval requirements for an access package using custom extensions.


General Availability - Support for eligible group memberships and ownerships in Entitlement Management access packages

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. You are now able to govern these just-in-time access assignments at scale by offering a self-service access request & extension process and integrate them into your organization's role model. For more information, see: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups.


General Availability - Reprocess failed users and workflows in Lifecycle Workflows

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now supports reprocessing of your workflows to help organizations streamline the reprocessing of workflows when errors or failures are discovered. This feature includes the ability to reprocess previous runs of workflows including failed runs or just runs that you may want to process again. Customers can choose from the following options to fit their needs:

  • Select a specific workflow run to be reprocessed
  • Select which users from the workflow run to reprocess, for example only the failed users or all users from the run

For more information, see Reprocess workflows.


General Availability - Trigger workflows for inactive employees and guests in Lifecycle Workflows

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now enables customers to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign‑in inactivity. By detecting inactivity, the workflow automatically executes predefined tasks—such as sending notifications, disabling accounts, or initiating offboarding—when users exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently — reducing security exposure, reducing license waste, and enforcing governance policies at scale. For more information, see: Manage inactive users using Lifecycle Workflows.


Public Preview - Soft Deletion for Cloud Security Groups

Type: New feature
Service category: Group Management
Product capability: Identity Security & Protection

Soft deletion for cloud security groups introduces a safety mechanism that allows administrators to recover deleted groups within a 30‑day retention period. When a cloud security group is deleted, it is not immediately removed from the directory; instead, it enters a soft‑deleted state, preserving its membership and configuration. This feature helps prevent accidental data loss and supports business continuity by enabling quick restoration of groups without requiring manual recreation. Administrators can restore soft‑deleted groups through the Microsoft Entra admin center or Microsoft Graph API during the retention window.
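An added Python example (not Microsoft's code) of the recovery side of this feature: given the soft-deleted groups a tenant reports, it works out how much of the 30-day window each one has left and builds the restore call an administrator would send. It uses the Microsoft Graph endpoints GET /directory/deletedItems/microsoft.graph.group and POST /directory/deletedItems/{id}/restore against the 21Vianet endpoint; filtering on securityEnabled, mailEnabled and onPremisesSyncEnabled to isolate cloud security groups is this example's assumption, and the deleted-item records and reference time are constructed.

```python
"""Soft-deleted cloud security groups: what is still restorable, and how.

Added example for this page, not Microsoft's code. Uses the Microsoft Graph
endpoints GET /directory/deletedItems/microsoft.graph.group and
POST /directory/deletedItems/{id}/restore; the 30-day retention is from the
page. Filtering on securityEnabled / mailEnabled / onPremisesSyncEnabled to
isolate cloud security groups is this example's assumption. Records and the
reference time are constructed.
"""
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://microsoftgraph.chinacloudapi.cn/v1.0"
LIST_DELETED_GROUPS_URL = f"{GRAPH_BASE}/directory/deletedItems/microsoft.graph.group"
RETENTION = timedelta(days=30)


def parse_graph_time(value):
    """Graph emits ISO 8601 timestamps with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_cloud_security_group(group):
    """Security-enabled, not mail-enabled, not synced from on-premises AD (assumed filter)."""
    return (bool(group.get("securityEnabled"))
            and not group.get("mailEnabled")
            and not group.get("onPremisesSyncEnabled"))


def restorable_security_groups(deleted_items, now):
    """Return cloud security groups still inside the retention window, most
    urgent first, each with the restore request an admin would send."""
    result = []
    for group in deleted_items:
        if not is_cloud_security_group(group):
            continue
        expires = parse_graph_time(group["deletedDateTime"]) + RETENTION
        remaining = expires - now
        if remaining <= timedelta(0):
            continue  # window elapsed: the object is permanently gone
        result.append({
            "id": group["id"],
            "displayName": group["displayName"],
            "daysLeft": remaining.days,
            "restore": {"method": "POST",
                        "url": f"{GRAPH_BASE}/directory/deletedItems/{group['id']}/restore"},
        })
    return sorted(result, key=lambda g: g["daysLeft"])


NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_DELETED_ITEMS = [  # constructed, shaped like the Graph list response
    {"id": "sg-a", "displayName": "SG-Finance-Readers", "securityEnabled": True,
     "mailEnabled": False, "deletedDateTime": "2025-11-10T08:00:00Z"},
    {"id": "sg-b", "displayName": "SG-Old-Project", "securityEnabled": True,
     "mailEnabled": False, "deletedDateTime": "2025-10-20T12:00:00Z"},
    {"id": "m365-c", "displayName": "Marketing Team", "securityEnabled": False,
     "mailEnabled": True, "deletedDateTime": "2025-11-28T09:00:00Z"},
    {"id": "sg-d", "displayName": "SG-VPN-Users", "securityEnabled": True,
     "mailEnabled": False, "deletedDateTime": "2025-11-29T23:30:00Z"},
]

if __name__ == "__main__":
    print("GET", LIST_DELETED_GROUPS_URL)
    for g in restorable_security_groups(SAMPLE_DELETED_ITEMS, NOW):
        print(f"{g['displayName']}: {g['daysLeft']} days left -> "
              f"{g['restore']['method']} {g['restore']['url']}")
```

In the sample, sg-b was deleted more than 30 days before the reference time and is therefore no longer listed, and the mail-enabled Microsoft 365 group is skipped because this preview is about cloud security groups; sorting by days left puts the groups that will be purged soonest at the top of the list.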


Public Preview - User centric access reviews including disconnected applications

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This capability enables organizations to manage access reviews for applications that are not yet integrated with Microsoft Entra ID. For more information, see: Include custom data provided resource in the catalog for catalog user Access Reviews (Preview).


Public Preview - User centric access reviews

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

User centric access reviews (UAR) provide a user‑centric review model that lets reviewers view a user’s access across multiple resources in a catalog in one unified view, streamlining the process of ensuring the right access at the right time. Resources include Entra groups, and both connected and disconnected (BYOD) applications, providing customers with a consolidated, holistic review experience. For more information, see: Catalog Access Reviews (Preview).


Public Preview - New experience for Entra account registration page on Windows

Type: New feature
Service category: Device Registration and Management
Product capability: User Authentication

We are introducing a new modernized user experience for the Entra account registration flow on Windows. The new user experience is updated to be consistent with Microsoft design patterns and splits the experience into two separate pages for registration and enrollment.

We are also introducing a new admin property in public preview to control the MDM enrollment option in the account registration flow. This is targeted at customers who want to enable Windows MAM for their work or school accounts. The new setting controls the user experience screen for end users to MDM enroll in this flow. For more information, see: Set up automatic enrollment for Windows devices.


Public preview - Microsoft Entra ID with Entra Kerberos has added support for cloud‑only identities

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID with Entra Kerberos has added support for cloud-only identities which allows Entra-joined session hosts to authenticate and access cloud resources like Azure file shares and Azure virtual desktop without relying on traditional Active Directory infrastructure. This capability is essential for organizations adopting a cloud-only strategy, as it removes the need for domain controllers while preserving enterprise-grade security, access control, and encryption. For more information, see: Cloud only identity (Preview).