Microsoft Entra ID Elevation of Privilege Vulnerability
Elevation of Privilege · Critical · CVSS 10. Affects: Microsoft Entra ID.
Roadmap, security and documentation changes captured for Microsoft Entra ID.
Spoofing · Critical · CVSS 9.3. Affects: Microsoft Entra ID.
Elevation of Privilege · Critical · CVSS 9.1. Affects: Microsoft Entra ID.
Device Soft Delete, now available in preview, enables administrators to safely remove device objects by moving them to a recoverable state instead of permanently deleting them. This feature allows organizations to restore devices within a defined retention period while preserving critical data such as device identity and associated security artifacts. The feature supports Microsoft Entra joined, registered, and hybrid joined devices and helps reduce risk from accidental deletions while improving
The “NetBIOS Name Sysvol Connectivity resolution” test in the AD DS health monitoring agent has been reclassified from an alerting test to an informational test. Going forward, if this test fails, it will no longer generate an alert or require remediation action on your part. Instead, the test runs in the background and logs results for your information only.
We're enhancing the security posture of Microsoft Entra Connect Sync by introducing interactive admin authorization for configuration changes. With this update, an authorized administrator will need to sign in and explicitly approve changes to sync settings, ensuring that configuration updates are intentional and made by the right person.
Microsoft Entra is introducing workload identity–based authentication for SAP SuccessFactors provisioning. This new capability allows the Microsoft Entra provisioning service to authenticate to SAP SuccessFactors using Entra workload identity and short‑lived tokens instead of static credentials (username and password).
Microsoft Entra ID now supports applying Microsoft Purview sensitivity labels to Entra cloud security groups in public preview.
Account discovery for connected applications is now generally available in Microsoft Entra ID Governance. This capability provides administrators with visibility into all accounts that exist within connected applications, including orphan accounts.
Cross tenant group synchronization allows organizations to synchronize security groups across Microsoft Entra tenants. This feature enables centralized management of group membership in a source tenant while making those groups available in one or more target tenants, simplifying cross-tenant collaboration and reducing administrative overhead associated with managing duplicate groups.
We're excited to announce the upcoming general availability of three redesigned pages in the My Account portal (myaccount.microsoft.com), bringing a modernized experience to help end users manage their account with greater ease and clarity.
Microsoft Registration Campaigns now supports Passkeys (FIDO2) as an authentication method. Administrators can configure registration campaigns to nudge users to register passkeys during sign-in, helping organizations drive passkey adoption at scale. This first rollout experience is optimized for users who are in a passkey profile that doesn't have any restrictions.
We're excited to introduce the User Attribute Updates task in Lifecycle Workflows, extending existing attribute change trigger capabilities with a built-in, customer-ready way to automate attribute updates (set or clear values) directly within a workflow. With a secure, consistent, and auditable experience, organizations can reduce manual effort, improve governance, and scale identity automation with greater confidence.
We're extending system-preferred authentication to apply to the first factor in Microsoft-managed configurations (in addition to second factor). With this change, the system evaluates the credentials registered for a user and selects the highest-ranked authentication method for each step of the sign-in flow.
High Scale Compatibility (HSC) mode enables organizations to migrate to Microsoft Entra External ID while preserving their existing user directory. It's designed for large, established customer identity platforms transitioning from Azure AD B2C.
We increased the passkey (FIDO2) policy size limit in the authentication methods policy to a dedicated 20-KB allocation.
You can now govern eligible and active assignments to Azure roles at the Management Group, Subscription, and Resource Group levels directly through access packages. This brings role assignment into the same request, approval, and lifecycle governance model as apps, groups, and more - making it easier to manage access to Azure resources at scale while aligning to least privilege and just-in-time access.
One of the most important parts of governing agent identities is making sure that a delegated human user is always assigned, so that the agent identity's access to resources stays current. If the sponsor is leaving the organization, sponsorship of the agent identities is automatically transferred to their manager. With sponsorship transferred, there's always a human user accountable for managing the access and lifecycle of the agent identities. Microsoft Entra ID Governance features can help s
The Microsoft Entra Agent ID platform is now generally available. The Agent ID platform provides an identity and authorization framework built specifically for AI agents operating in enterprise environments. It enables developers to create and manage agent identities with enterprise-grade authentication, authorization, and governance, using standard protocols such as OAuth 2.0, MCP, and A2A.
Microsoft Entra ID Governance now supports account discovery for connected applications in public preview. This capability provides administrators with visibility into all accounts that exist within connected applications, including orphan accounts.
Microsoft Entra ID federation with External ID (EEID) enables organizations to let users sign in to customer‑facing applications using their existing workforce Entra ID identities. By leveraging standards‑based federation, users authenticate with their home tenant while applications hosted in an External ID tenant rely on trusted identity assertions from Entra ID. This approach reduces the need for duplicate accounts, streamlines sign‑in experiences, and allows organizations to extend consistent
In Microsoft Entra tenants, customers can create a single, tenant-wide, customized branding experience that applies to all apps. We are introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications.
As organizations look to strengthen identity security and advance their Zero Trust strategies, many are looking for simpler, more reliable ways to manage hybrid identity. To support these needs, we’re beginning the transition from Microsoft Entra Connect Sync to the cloud‑native Microsoft Entra Cloud Sync - helping reduce on‑premises complexity while improving security, reliability, and day‑to‑day manageability.
SCIM provisioning applications that use the OAuth 2.0 Authorization Code grant will be updated to support modern authentication methods, such as OAuth 2.0 Client Credentials and workload identity federation.
The ability to use $count in sign-ins API requests is now here, allowing customers to perform count computations directly in API requests. For more information, see: Customize Microsoft Graph responses with query parameters.
This Workday connector update resolves termination processing delays observed for workers in the APAC and ANZ regions. Admins can now enable the termination lookahead setting to prefetch data and tailor deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory. For more details, refer to: https://aka.ms/WorkdayTerminationLookaheadDoc
Microsoft Entra Certificate-Based Authentication (CBA) is now generally available on iOS. Native iOS sign-ins now avoid unnecessary password and MFA prompts, enabling CBA as a supported second factor and allowing it to be prioritized as a system‑preferred MFA method. Users can choose another allowed MFA method if needed, based on tenant policy. More information at Microsoft Entra certificate-based authentication on Apple devices
Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) is now available. SP3 focuses on stability and supportability, modernizes compatibility with current platform components (SQL Server, SharePoint, and Exchange), and adds an additional deployment option for the Synchronization Service by enabling Azure SQL Database with managed identity authentication—helping reduce operational risk for hybrid identity environments.
In May, the ability for requestors to see the name and email address of approvers for their pending access package requests directly in the My Access portal will reach general availability. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access
General Availability - Due to known issues on the iOS platform, the Entra certificate-based authentication (CBA) method was not allowed as a second factor on iOS, and CBA was moved to the last place in the system-preferred MFA list as documented in the FAQ.
We are excited to announce the general availability of the iOS Global Secure Access (GSA) client. The Global Secure Access client on iOS and iPadOS requires no new agent installation. It leverages the existing Microsoft Defender for Endpoint (MDE) to route traffic through Microsoft SSE for Microsoft 365, internet access, and private access.
Entra CBA Certificate Authority (CA) scoping in Microsoft Entra allows tenant administrators to restrict the use of specific certificate authorities (CAs) to defined user groups. This feature enhances the security and manageability of certificate-based authentication (CBA) by ensuring that only authorized users can authenticate using certificates issued by specific CAs. More information at Certificate Authority (CA) scoping
Global Secure Access supports network-based content filtering based on file types. This allows you to monitor and control file transfers across the network to GenAI and SaaS apps to prevent unauthorized exfiltration of content. For more information, see: Create a content policy to filter network file content.
Customers can use the GSA cloud firewall to apply admin-configurable, 5-tuple (source IP, destination IP, protocol, source port, destination port) based filtering to all internet traffic acquired from branch offices through the GSA remote networks capability. For more information, see: Configure Global Secure Access cloud firewall.
Build secure sign‑in and sign‑up experiences for applications in Entra External ID using Native Authentication, with Social Identity Provider support such as Google, Facebook, and Apple available through browser‑delegated (web‑view) authentication using developer‑friendly SDKs. For more information, see: Native authentication in Microsoft Entra External ID.
Configuring reauthentication with Conditional Access for Microsoft Entra Privileged Identity Management role activation is now generally available. For more information, see: On activation, require Microsoft Entra Conditional Access authentication context
The License Usage page in the Microsoft Entra admin center helps customers optimize their Entra licenses by providing visibility into feature usage across their tenant. It shows how many Entra ID P1, P2, and Suite licenses you own, along with usage of key features such as Conditional Access and risk‑based Conditional Access mapped to each license type. You can also review usage trends over the past six months. This view gives you a clearer understanding of your license footprint, the value you’r
Issuer Hints is now generally available and helps improve the sign‑in experience for Entra Certificate‑Based Authentication (CBA) by ensuring users are prompted to select only certificates that are trusted and valid for their organization. This reduces confusion, minimizes sign‑in errors, and streamlines certificate selection, especially on devices with multiple certificates installed. Issuer Hints are designed to enhance both security and usability without changing how certificates are issued o
Configurable token lifetime policies are now generally available in Microsoft Entra ID. This feature allows administrators to customize the lifetimes of access tokens, ID tokens, and SAML tokens issued by the Microsoft identity platform by creating and assigning token lifetime policies to applications and service principals.
We’re consolidating agent management experiences to make it easier to observe, govern, and secure all agents in your tenant. Agent 365 will be the single source of truth, offering a unified catalog, consistent visibility, and simplified management.
Microsoft Entra Backup and Recovery is a built-in solution to help restore your tenant after accidental changes or malicious updates. Always on by default, it automatically backs up critical directory objects — including users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, agent IDs, and authentication and authorization policies — so admins can quickly restore them to a previously known good state.
This new capability enables a Windows device to become Hybrid Entra joined immediately at provisioning time, without waiting for Entra Connect sync or requiring AD FS. By leveraging Entra Kerberos, customers can modernize their hybrid identity architecture while reducing infrastructure complexity and dependency on legacy federation components. For more information, see: Microsoft Entra hybrid join using Microsoft Entra Kerberos (preview).
Microsoft Entra ID now supports synced passkeys as a generally available authentication method. Synced passkeys are FIDO2-based credentials that can be stored in built-in or third-party passkey providers and made available across a user’s devices. Administrators can manage the use of synced passkeys alongside device-bound passkeys through passkey profiles in the authentication methods policy. Existing passkey configurations can be managed using the same Entra ID authentication policies and repor
SCIM 2.0 APIs give customers, developers, and partners a standards-based option for managing users and groups in Microsoft Entra using the System for Cross-domain Identity Management (SCIM) 2.0 specification. For more information, see: Enable Microsoft Entra SCIM 2.0 APIs.
We’re introducing cross-tenant group synchronization, a new capability that allows organizations to synchronize security groups across Microsoft Entra tenants. This feature enables centralized management of group membership in a source tenant while making those groups available in one or more target tenants, simplifying cross-tenant collaboration and reducing administrative overhead associated with managing duplicate groups.
Microsoft Entra passkeys on Windows are now available in public preview. This feature allows users to register device‑bound passkeys directly in the local Windows Hello container and use them to sign in to Microsoft Entra ID with Windows Hello biometrics or PIN.
Passkey profiles in Microsoft Entra ID are now generally available. Passkey profiles provide a structured way to manage passkey (FIDO2) authentication by allowing administrators to define multiple profiles with different requirements and target them to specific user groups.
This feature allows admins to request and accept tenant governance relationships, which grant admins of the governing tenant access and administrative control over the governed tenant. For more information, see: Microsoft Entra tenant governance documentation (preview).
This feature allows admins to discover related tenants connected to their own by B2B activity or shared billing information. Admins can use this information to request and establish tenant governance relationships, or to quarantine potential risks. For more information, see: Microsoft Entra tenant governance documentation (preview).
Now you can use the Entra admin center to administer tenant configuration management capabilities of Entra tenant governance. You can use this experience to:
The major improvements that this release provides include:
Permissioned users can now create add-on tenants that are owned and governed by their home tenant. Governance is established through tenant governing relationships, granting admins access and control via GDAP. For more information, see: Microsoft Entra tenant governance documentation (preview).
The Conditional Access Optimization Agent now supports passkey adoption campaigns in public preview, helping organizations roll out phishing‑resistant authentication in a structured and automated way.
You can now use the Conditional Access Optimization Agent to safely roll out any report‑only Conditional Access policy in phases. When you initiate the process, the agent analyzes sign‑in data to recommend a low‑risk, staged deployment plan, starting with smaller user groups and gradually expanding, so you can turn policies on with confidence and minimize user impact. For more information, see: Conditional Access Optimization Agent phased rollout.
We’re improving the Microsoft 365 group creation experience in My Groups to give group owners more control and clarity from the start. The updated experience lets you configure key group, email, and security settings during creation—so your group works the way you expect without extra admin help later.
We’ve completed a full migration to TLS 1.2 for Entra Connect Health and removed legacy TLS 1.1 references as part of security hardening. Ensure your Health agents are up to date and your servers are configured to use TLS 1.2 for outbound connections.
Just‑in‑Time Password Migration is now generally available in Microsoft Entra External ID.
Build secure sign‑in and sign‑up experiences for applications in Entra External ID using Native Authentication, with Email and SMS OTP MFA available through developer‑friendly SDKs and APIs.
Tenant Configuration Management APIs allow organizations to take snapshots of their tenants' current configuration settings in a JSON format and to enforce configuration settings by offering continuous monitoring of drifts.
Starting in April 2026, the Authentication Methods Policy Update and Authentication Methods Policy Reset audit log activities have been updated to improve readability and clarity. Previously, audit logs included the full authentication methods policy payload in both the old and new values, even when only a small number of settings were changed. With this update, audit log entries surface only the specific properties that were modified, along with their corresponding old and new values.
The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:
Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Customers are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope. For more information, see: Delegated workflo
Similar to Microsoft Entra ID (workforce tenants), Microsoft Entra External ID (external tenants) now supports device authorization grant flow, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. For more information, see OAuth 2.0 device authorization grant.
In Microsoft Entra External ID (EEID), users who authenticate with a local email and password can now also sign in using a username (alias) as an alternate sign-in identifier. This alias can represent a customer or member ID, insurance number, frequent flyer number, or a self-chosen username. The alias can be collected from the user or assigned during self-service sign-up, or assigned during user creation or user update via the Microsoft Graph API or Microsoft Entra admin center. For details, see Si
What is Hard-matching in Microsoft Entra Connect Sync and Cloud Sync?
We're excited to announce that external authentication methods in Microsoft Entra ID are now generally available under a new name: External Multifactor Authentication (External MFA). This capability enables organizations to meet multifactor authentication requirements while continuing to use their preferred MFA provider. Microsoft Entra ID remains the identity control plane, performing full policy evaluation and access decisions on every sign-in, including real-time Conditional Access enforcement
In addition to the global banned password lists already supported, EEID admins can now add specific strings to block during password creation and reset. For more information, see Password Protection - Custom banned password lists.
Starting February 2026, Microsoft Authenticator will introduce jailbreak/root detection for Microsoft Entra credentials in the Authenticator app. The rollout progresses from warning mode → blocking mode. Users must move to compliant devices to continue using Microsoft Entra accounts in Authenticator.
Bring Your Own Device (BYOD) support for Windows using Microsoft Entra‑registered devices is now available in public preview. Users and partners can access corporate resources from their own devices. Admins can assign the Private Application traffic profile to internal accounts, including internal guest users. For more information, see: Bring Your Own Device (Preview).
When you configure policies in GSA that block your users from accessing risky, NSFW, or unsanctioned sites or apps, they receive a clear HTML error message with Microsoft Entra Internet Access branding. We’ve heard from many admins that they’d like to start customizing that experience with text aligned to a company style guide, callouts to company Terms of Use documentation, hyperlinks to IT workflows, and more.
Microsoft Entra Connect Sync now officially supports Windows Server 2025. This means you can confidently install and run Microsoft Entra Connect Sync on servers running Windows Server 2025, enabling your hybrid identity environment to take full advantage of the latest Windows Server enhancements.
The homepage at https://myaccount.microsoft.com has been updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
The Microsoft Entra provisioning service can be used in the 21Vianet / China cloud for the following scenarios: API-driven provisioning, Cloud Sync, Cross-tenant sync between China tenants, SCIM provisioning for the non-gallery / custom application, and on-premises app provisioning (ECMA). Specific gallery connectors such as Workday, SuccessFactors, and AWS aren't onboarded to the environment. For more information, see: Gallery application doesn't support provisioning in US Government or 21Viane
By the end of March, Microsoft Entra ID Governance approvers will be able to revoke access to an access package after an approval has already been granted. This gives approvers greater control to respond to changes, mistakes, or updated business needs. With this update, an approver can undo a prior approval decision, immediately removing the requestor’s access to the access package. Only the approver who originally approved the request can revoke it, even if multiple approvers belong to the same approver gro
We’re pleased to announce the general availability of object-level Source of Authority (SOA) switching for Microsoft Entra ID. With this feature, administrators can transition individual users from being synced with Active Directory (AD) to becoming cloud-managed accounts within Microsoft Entra ID. These users are no longer tied to AD sync and behave like native cloud users, giving you greater flexibility and control. This capability enables organizations to gradually reduce dependence on AD and
Enforcement for the Microsoft Entra ID Governance guest billing meter is now in effect for Entitlement Management and Lifecycle Workflows (Access Reviews will be enforced later in CY26 Q1). To keep using Entra ID Governance premium features for guest users in workforce tenants, you must link a valid Azure subscription to activate the Microsoft Entra ID Governance for guests add-on. If a subscription isn’t linked, creation or updates of new guest-scoped governance configurations will be restricte
We are pleased to announce the general availability of client credentials in Entra External ID. The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. Permissions are granted directly to the application itself by an administrator.
In Entra External ID (EEID), customers can create a single, tenant-wide, customized branding experience that applies to all apps. We're introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications. A new Live Preview feature also helps quickly visualize the changes before saving. For more information, see: Customize the sign‑in experience for your application with branding themes.
New audit log properties now make it easy for admins to understand why a service principal was created and who or what triggered it. The logs now surface the provisioning mechanism, the specific SKUs or service plans that enabled just‑in‑time creation, and the home tenant of the app registration. This helps admins quickly distinguish Microsoft‑driven provisioning from tenant‑driven activity, streamlining alerting and investigations into newly created service principals. For more information, see
EEID admins can configure persistent browser session and sign‑in frequency in Conditional Access. For more information, see Conditional Access: Manage Session Controls Effectively.
Bring MFA to on‑premises applications when accessed from on‑premises, i.e., local‑to‑local access, while safeguarding domain controllers against identity threats. Enable secure access to private apps that use domain controllers for Kerberos authentication. For more information, see: Configure Microsoft Entra Private Access for Active Directory domain controllers.
Microsoft Entra Conditional Access is strengthening how policies that target All resources with resource exclusions are enforced in a narrow set of authentication flows. After this change, in user sign‑ins where a client application requests only OIDC or specific directory scopes, Conditional Access policies that target All resources with one or more resource exclusions, or policies that explicitly target Azure AD Graph, will be enforced. This ensures that policies are consistently applied regar