Join us for the upcoming Dutch Microsoft Entra Community Meetup


Dutch Microsoft Entra Community

The Dutch Microsoft Entra Community, run by fellow MVPs Pim Jacobs, Jan Bakker and Michel van Vliet and Microsoft senior product manager Stefan van der Wiele, has been gaining significant traction since its inaugural meetup on February 1st, 2024. For its upcoming meetup, Raymond and I were asked to co-present one of our favorite sessions.

 

About the Dutch Microsoft Entra Community

The Dutch Microsoft Entra Community (DMECnl) focuses on organizing meetups around Microsoft Entra technologies throughout the Netherlands. The purpose of these meetups is to share knowledge and experiences on Microsoft Entra, including Entra ID, Entra ID Governance, Entra Permission Management, Entra Verified ID, Entra External ID, Entra Internet Access, and Entra Private Access.

Sessions during the meetup will primarily be hosted in Dutch, with the exception of foreign guest speakers.

 

About the March 19th, 2026, meetup

The Dutch Microsoft Entra Community organizes their upcoming meetup on March 19th, 2026. This meetup is sponsored by Interstellar and hosted by them in their Delft office. Starting at 5 PM, dinner will be served. Jan, Pim and Stefan kick off their community at 6 PM with a welcome and a quick overview of what's new in Entra in the past three months.

At 6:20 PM, Tim Wolf of Semperis fame takes the stage to talk for 60 minutes about securing Active Directory. After a short break, Raymond and I take the stage for another 60-minute session.

At 8:40 PM, drinks are served.

 

About our session

We’ll present a 60-minute session on:

Entra ID Applications and Agents: Five Do’s and Don’ts

Thursday March 19th 2026, 7:40 PM – 8:40 PM

Microsoft offers application and agent integration features in Entra. Just like every other feature in Entra, management, governance, and security for applications and agents require a certain level of attention.

Unfortunately, application governance and agents are not part of the official Microsoft curriculum. For most Entra admins this is a huge and potentially dangerous blind spot. In this session, we provide better optics around the situation and our real-world insights, as experienced with Entra ID application and agents.

We sprinkle valuable tips and tricks throughout this session, specifically designed to keep Microsoft Entra applications and agents in check, making this a MUST attend session for all Entra admins!

 

Join us!

The March 19th, 2026, Dutch Microsoft Entra Community Meetup is a free event.
Register today to secure your seat.


Join us at the Hybrid Identity Protection Conference Europe 2026


Hybrid Identity Protection Conference Frankfurt 2026

Following the Hybrid Identity Protection Conference in Charleston, South Carolina in November last year, I will be presenting an updated session on Enterprise Applications and Application Registrations in Microsoft Entra on the very first European Hybrid Identity Protection Conference… and that's not all: This time, Raymond Comvalius is joining me on stage to deliver our 5 do's and don'ts!

 

About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference (HIPConf) is Semperis Inc.’s event in the spirit of The Expert Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. Attendees are able to meet face-to-face with the leading experts of their field, acquire in-depth technical knowledge, and be exposed to the latest innovation.

The 2026 Hybrid Identity Protection Conference season kicks off with HIPConf Europe at the Westin Grand in Frankfurt, Germany, on Tuesday February 10th, 2026.

 

About our session

Raymond and I present a 45-minute session on:

Entra ID Applications: 5 Dos & Don’ts to Protect Your Blind Spot

Tuesday February 10th, 2026, 2:50 PM – 3:30 PM CET

Microsoft offers application-integration features in Entra for single-tenant applications, multi-tenant applications, and workload identities.

As with every other Entra feature, application management, governance, and security require a certain level of attention. Unfortunately, application governance is not part of the official Microsoft curriculum, Entra SKUs, or IAM solutions. Entra admins: Don’t be blindsided!

Get real-world insights into the inevitable parallels in application integration between Active Directory and Entra and learn valuable tips and tricks for keeping Microsoft Entra enterprise applications and application registrations in check.

 

Join us!

Register for Hybrid Identity Protection Conference Europe 2026.

The 2026 European Hybrid Identity Protection Conference uses AccelEvents as the delivery platform. By registering you confirm you intend to interact with and disclose personal information to Semperis and AccelEvents.


Join the IT Bro's for Workplace Ninja Connect 2026


Workplace Ninja's NL Connect 2026

Raymond and I have been invited as speakers for the upcoming Connect event, organized by the Workplace Ninja's User Group the Netherlands, on February 4th, 2026, at the Van der Valk Hotel in Gorinchem, the Netherlands.

 

About Workplace Ninja's Connect

Workplace Ninja's Connect brings IT professionals, decision-makers, and community experts together to learn, share, and connect around the latest developments in Workplace Technologies. Whether you are looking for deep technical insights, strategic guidance, or inspiration from peers, this event is designed to help you take the next step in modern workplace and security.

 

About our session

Raymond and I present a 60-minute session on:

Entra ID Applications: Five Do’s and Don’ts for this potential blind spot

Wednesday February 4th, 2026, Room Vue 6, 4 PM – 5 PM CET

Microsoft offers application integration features in Entra for single-tenant applications, multi-tenant applications and workload identities. Just like every other feature in Entra, management, governance, and security for applications require a certain level of attention.

Unfortunately, application governance is not part of the official Microsoft curriculum, nor any of the Microsoft Entra SKUs or IAM solutions. For most Entra admins this is a huge and potentially dangerous blind spot. In this session, we provide better optics around the situation and our real-world insights, as experienced with Entra ID application governance.

We'll sprinkle valuable tips and tricks throughout the session, specifically designed to keep Microsoft Entra Enterprise Applications and Application Registrations in check, making this a MUST attend session for all Entra admins!

 

Join us!

Although the event is sponsored, due to the high costs involved, the Workplace Ninja's are unable to offer this event free of charge. A small participation fee helps cover part of the catering (coffee, lunch, and refreshments) throughout the day.

Get one of the last available tickets here.


Watch our discussion on the 'Sentinels Talk Show' and learn essential Entra ID security


Sentinels Talk Show

A few weeks ago, Raymond Comvalius and I joined Erdal Ozkaya on the Sentinels Talk Show to talk about Entra ID security. This 45-minute discussion is now available on-demand:

 

With 50 years of combined Microsoft MVP experience, Raymond and I pull no punches in this unfiltered conversation essential for every CISO, CIO, and IT Pro managing Microsoft cloud environments. We discuss:

  • The Passwordless Paradox: Why the move to FIDO2 fails and how to fix it.
  • Entra ID Mistakes: The most dangerous configuration errors organizations are making right now.
  • AI in Identity: How Security Copilot and AI agents are changing the security game.
  • The CISO's Mandate: The one piece of advice every technology leader needs to hear.
  • Skills to Stay Relevant: What IT Pros should be learning today to thrive tomorrow.

This is a strategic injection of expertise you can’t afford to miss... and it's available for free.


The video of managing Active Directory like it's 2003 is now available on demand


IT GRC Forum - Empowering the GRC community

On October 15th, 2025, Darryl Baker, senior solutions architect at Netwrix, and I presented a webinar titled 'Managing Active Directory Like It’s 2003 Leaves You Exposed in 2025' with the IT GRC Forum.

Active Directory and Windows Server have evolved significantly, but many organizations still rely on outdated management practices. Since Microsoft enhanced replication and security features in Windows Server 2003, Active Directory has gained powerful capabilities that are often underutilized. With Windows Server 2025 now rolling out, maintaining legacy practices increases risk, leaving organizations vulnerable to ransomware and other cyberattacks that target directory services.

 

Watch it now

It is now available on demand after a free registration.

The recording of this webinar provides actionable strategies to modernize Active Directory management and strengthen your security posture. You will learn how to streamline directory management, reduce complexity, detect and remediate common misconfigurations, and implement robust monitoring for suspicious activity. We also cover compliance alignment and governance best practices to ensure your Active Directory environment meets modern security standards.

If you manage Active Directory, this session is essential. Gain practical insights to harden your directory infrastructure, protect against threats, and maintain regulatory compliance. Don’t risk falling behind—modernize your Active Directory management today.

Enjoy!

 

About IT GRC Forum

The goal of IT GRC Forum is to help industry stakeholders, government regulators, and end-users better understand and manage the increasingly complex Governance, Risk Management and Compliance (GRC) landscape across the organization. IT GRC Forum aims to empower the GRC community by providing the most current educational resources and a user friendly forum for collaboration with peers.

 

About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


What's New in Entra ID for December 2025


Microsoft Entra

Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for December 2025:

 

What's New

Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11 Generally Available

Service category: Authentications (Logins)
Product capability: SSO

Windows has many user experiences that use WebView to gather information from the web and present it to users as if it were native content. One of the common scenarios for this is authentication flows, where a user is prompted for credentials.

Microsoft Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting with the December 9, 2025, updates for Windows 11 (KB5072033 (OS Builds 26200.7462 and 26100.7462)). This release marks a significant step forward in delivering a secure, modern, and consistent sign-in experience across apps and services.

WebView2 will become the default framework for WAM authentication in an expected future Windows release, with the EdgeHTML WebView being deprecated. Moving to WebView2 is more than a technical upgrade; it’s a strategic investment in secure, user-friendly identity experiences. Microsoft is committed to evolving Microsoft Entra ID to meet the needs of modern organizations and developers.

 

Just-in-time password migration to Microsoft Entra External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The Just-in-Time (JIT) Password Migration feature is designed to provide a seamless and secure experience for customers transitioning to Microsoft Entra External ID. This capability enables external identity providers to migrate user credentials during sign-in, eliminating the need for bulk password resets and minimizing disruption for end users. When a user meets the migration conditions at sign-in, their credentials are securely transferred as part of the process, ensuring continuity and reducing friction.

By integrating migration into the authentication flow, organizations can simplify administrative tasks while maintaining security standards. This approach not only enhances user experience but also accelerates adoption of Microsoft Entra External ID without compromising operational efficiency.

 

Protect enterprise generative AI applications with Prompt Shield Public Preview

Service category: Internet Access
Product capability: Network Access

Admins can now block prompt injection attacks to enterprise Generative AI apps in real-time with universal policy controls, extending Azure AI Prompt Shield to all network traffic.

 

B2B guest access support in Global Secure Access Public Preview

Service category: B2B
Product capability: Network Access

Admins can now enable the B2B guest access feature for guest users with the Global Secure Access client, signed in to their home organization's Microsoft Entra ID account. The Global Secure Access client automatically discovers partner tenants where the user is a guest and offers the option to switch into the customer's tenant context. The client routes only private traffic through the customer's Global Secure Access service.

 

Data exploration using Microsoft Security Copilot in Entra Public Preview

Service category: N/A
Product capability: Identity Security & Protection

Microsoft Security Copilot in Microsoft Entra now supports data exploration when prompts return datasets with more than 10 items. This feature is available for select Microsoft Entra scenarios. From the Copilot chat response, select Open list to access a comprehensive data grid. This allows admins to explore large datasets with complete and accurate results, enabling more efficient decision-making. Each data grid displays the underlying Microsoft Graph URL, helping admins verify query accuracy and build confidence in the results.

 

What's Fixed

Microsoft Entra Connect security hardening to prevent user account takeover Generally Available

Service category: Entra Connect
Product capability: Access Control

As part of ongoing security hardening, Microsoft has implemented new safeguards to block account takeover attempts via hard match abuse in Microsoft Entra Connect. These tactics are known as SyncJacking. Enforcement of this change begins in March 2026.

What’s Changing:

  • Enforcement logic now checks OnPremisesObjectIdentifier to detect and block remapping attempts.
  • Audit logs have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled.
  • Admin capability added to clear OnPremisesObjectIdentifier for legitimate recovery scenarios.

To prevent SyncJacking before March 2026, upgrade to the latest Microsoft Entra Connect version, and disable hard match takeover.


Enterprise Certificate Pinning might hurt your Hybrid Identity security efforts this January (MC1193408)


Enterprise Certificate Pinning

While being touted as one of the more robust ways to prevent Adversary in the Middle (AitM) attacks against TLS-protected resources, for some admins, the Enterprise Certificate Pinning feature in Windows may lock out their entire organization.

However, Enterprise Certificate Pinning is not advised for domain names outside of your organization, when their certificates are issued by a public Certification Authority (CA).

For some admins, this will become painfully clear this week. Not because they underestimated the validity period for a pinned certificate, but because a major change in the certificate chain for important resources in their Hybrid Identity setup is occurring.

 

How Enterprise Certificate Pinning works

Although risky, the Enterprise Certificate Pinning Windows feature can be hugely advantageous to admins who want to prevent resources from being spoofed.

Enterprise Certificate Pinning lets an admin remember (pin) a root or issuing Certification Authority (CA) certificate, or an end-entity certificate, to a domain name on end-user Windows devices. When a resource presents a certificate chain that does not match the remembered (pinned) certificate, the Windows device treats its certificate as invalid or revoked (depending on the settings set by the admin).

To take advantage of this feature, an admin can create a pin rules certificate trust list with pinned certificates per domain name. From that moment on, only that certificate and/or the certificate for that Root CA is trusted for usage.

Enterprise Certificate Pinning leverages the Windows Registry to hold the pin rules certificate trust list in the PinRules binary value underneath HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

 

How Hybrid Identity admins may have used Enterprise Certificate Pinning

Because some TLS-protected resources are considered high-risk, even though they are managed outside of your organization, Enterprise Certificate Pinning might sound like a great security idea to ensure that only a specific certificate is considered valid for that particular resource.

A few high-risk external resources that might fit that bill:

  • microsoftonline.com
  • live.com
  • windows.net
  • microsoftazuread-sso.com
  • windows.net

All of these domains have in common that the DigiCert Root Certification Authority (CA) is the top-level certificate in their certificate chain. For the four latter domains however, Microsoft set January 7th, 2026 as the date that they switch their certificate chain from DigiCert’s G1 infrastructure to its G2 infrastructure.

This is communicated as part of Microsoft Message Center item MC1193408.

Microsoft switches to DigiCert’s newer infrastructure for improved security and compliance. Note that DigiCert’s G1 Root CA has a certificate that is still valid until November 10th, 2030.

If the DigiCert Root CA is pinned for these domain names – from the moment of the switch – the certificates for these domains will be treated as invalid or revoked. After all, the certificate chain for the certificate changes and no longer features the pinned certificate as the top-level certificate in the certificate chain. This applies to:

  • login.live.com (used for Personal Accounts)
  • login.windows.net (Primarily used by the decommissioned ADAL and for v1 application integration with Entra)
  • autologon.microsoftazuread-sso.com (used for Seamless Single Sign-on)
  • graph.windows.net (endpoint for the decommissioned Azure AD Graph)

 

Remove Enterprise Certificate Pinning rules

Enterprise Certificate Pinning is not advised for domain names outside of your organization, when their certificates are issued by a public Certification Authority (CA).

Admins hoping to find the contents of the pin rules certificate trust list in either of these locations are sadly mistaken:

  • The Registry of the Windows devices these rules were deployed to
  • The Group Policy object and/or the MDM policy that deploys the certificate trust list

The above locations merely contain the binary encoded representation of the *.stl file, which was created from the *.xml file containing the pin rules.

To remove the pin rules, locate the *.xml file with the pin rules and remove the pins for the above domain names. If it is no longer present, create a new *.xml file containing merely internal domains that use certificates issued by internally managed Certification Authorities (CAs). Then, roll out the new pin rules using Group Policy or your MDM solution.

If Enterprise Certificate Pinning is no longer needed in the organization, change the policy rules to delete the PinRules registry value.

 

How things may go sideways fast for Hybrid Identity admins

As login.windows.net is still leveraged intensively throughout Entra, with the certificate pin rules list in place, your MDM solution may not even be able to overwrite previously configured Pin Rules on your managed end-user devices as the MDM infrastructure is no longer trusted…

 

Act now!

If you have previously managed the Enterprise Certificate Pinning feature, or if you find the PinRules registry value on a typical end-user Windows device in your organization, act now to make sure you’ve only applied it to internal resources using certificates that are issued by internal certification authorities (CAs).
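As an added example, not code from the post, the following PowerShell snippet performs the two checks described above: it reports whether a PinRules value exists on the device, and it audits the pin rules *.xml file for pins on the external Microsoft identity domains listed earlier (including any subdomain such as login.windows.net). It assumes the registry location as documented by Microsoft for Enterprise Certificate Pinning (with a space in "EncodingType 0"), a pin rules XML in the <PinRules>/<PinRule>/<Site Domain="…"/> layout from Microsoft's documentation, and a placeholder file name certPinRules.xml; the function names are this example's own.

```powershell
# Added example (not part of the original post): audit Enterprise Certificate Pinning
# on a Windows device and in a pin rules XML file, looking for pins on the external
# Microsoft identity domains whose certificate chain changes under MC1193408.
# Assumption: registry location as documented by Microsoft for Enterprise Certificate
# Pinning (note the space in "EncodingType 0"); PinRules is a REG_BINARY holding the STL.
$PinRulesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

# External domains named in the post. Pins on these (or any subdomain) are the ones to remove.
$ExternalDomains = @('microsoftonline.com', 'live.com', 'windows.net', 'microsoftazuread-sso.com')

function Get-PinRulesState {
    # Reports whether a PinRules value is present on this device. The value is the binary
    # STL, so the pinned domains cannot be read back from here; use Test-PinRulesXml on
    # the source XML for that.
    $item = Get-ItemProperty -Path $PinRulesKey -Name PinRules -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; SizeBytes = 0 }
    }
    [pscustomobject]@{ Present = $true; SizeBytes = @($item.PinRules).Length }
}

function Test-PinRulesXml {
    # Parses the pin rules XML (assumed <PinRules><PinRule Name="..."><Site Domain="..."/>
    # layout, as in Microsoft's documentation) and returns every Site that pins one of
    # the external domains or a subdomain of it.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($rule in @($doc.PinRules.PinRule)) {
        foreach ($site in @($rule.Site)) {
            if ($null -eq $site -or -not $site.Domain) { continue }
            $domain = $site.Domain.ToLowerInvariant()
            $hit = @($ExternalDomains | Where-Object { $domain -eq $_ -or $domain.EndsWith('.' + $_) })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    Rule           = $rule.Name
                    Domain         = $domain
                    ExternalDomain = $hit[0]
                    AllSubdomains  = [bool]($site.AllSubdomains -eq 'true')
                }
            }
        }
    }
}

function Remove-PinRulesValue {
    # Deletes the PinRules value on this device. On managed devices do this through the
    # policy that deploys the rules, otherwise the next policy refresh writes it back.
    Remove-ItemProperty -Path $PinRulesKey -Name PinRules -ErrorAction Stop
}

# Usage: report the device state, then audit the source XML if it is present.
$state = Get-PinRulesState
"PinRules value present: $($state.Present) ($($state.SizeBytes) bytes)"

# certPinRules.xml is a placeholder name for the XML the *.stl was generated from.
$xmlPath = '.\certPinRules.xml'
if (Test-Path $xmlPath) {
    $findings = @(Test-PinRulesXml -Path $xmlPath)
    if ($findings.Count -eq 0) { 'No pins on external Microsoft identity domains found.' }
    else { $findings | Format-Table -AutoSize }
}
```

Any row returned by Test-PinRulesXml is a pin to remove before rolling out a regenerated *.stl. Remove-PinRulesValue is only for the case where pinning is dropped entirely on a reference machine; on managed devices the value has to be cleared through the Group Policy or MDM policy that deploys it, otherwise it is simply written back.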


What's New in Entra ID for November 2025


Microsoft Entra

Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for November 2025:

 

What's New

External ID regional expansion to Australia and Japan Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Microsoft is expanding Microsoft Entra External ID to Australia and Japan with a Go‑Local add‑on that keeps External ID data stored and processed in location. This premium add‑on is selectable when admins create a new External ID tenant and is designed for organizations with strict data residency requirements. A small set of centralized platform services remains global, with no change to security or compliance posture.

 

New SCIM 2.0 SAP CIS connector Generally Available

Service category: Enterprise Apps
Product capability: Outbound to SaaS Applications

An updated SCIM 2.0 SAP Cloud Identity Services (CIS) connector was released to the Microsoft Entra app gallery on September 30, 2025. It replaces Microsoft's previous SAP CIS provisioning integration and now provides support for provisioning and deprovisioning groups to SAP CIS, custom extension attributes, and the OAuth 2.0 Client Credentials grant.

 

Reprocess failed users and workflows in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now supports reprocessing of workflows to help organizations streamline the reprocessing of workflows when errors or failures are discovered. This feature includes the ability to reprocess previous runs of workflows including failed runs or just runs that admins may want to process again. Organizations can choose from the following options to fit their needs:

  • Select specific workflow run to be reprocessed
  • Select which users from the workflow run to be reprocessed e.g. failed users or all users from the run

 

Groups Purview sensitivity label support in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Organizations can now view Purview sensitivity labels assigned to groups and Teams in Lifecycle Workflows. When configuring workflow tasks for managing group or Teams assignments, admins can now see actively assigned sensitivity labels to support informed group selection decisions. This helps customers achieve stronger organizational compliance.

 

Trigger workflows for inactive employees and guests in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now enables organizations to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign‑in inactivity. By detecting inactivity, the workflow automatically executes predefined tasks — such as sending notifications, disabling accounts, or initiating offboarding — when users exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently, reducing security exposure, reducing license waste, and enforcing governance policies at scale.

 

GSA + Netskope ATP & DLP integration Generally Available

Service category: Internet Access
Product capability: Network Access

In today's evolving threat landscape, organizations face challenges protecting sensitive data and systems from cyber attacks. Global Secure Access combines Entra Internet Access protections with Netskope's Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) capabilities to deliver real-time protection against malware, zero-day vulnerabilities, and data leaks, and simplifies management through a unified platform. Microsoft’s SSE solution adopts an open platform approach, enabling integration with third-party companies, with Netskope being the first.

 

Synced passkeys in Microsoft Entra ID Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID now supports synced passkeys stored in native and third‑party passkey providers. With this change, the passkey (FIDO2) authentication methods policy has been expanded to support group‑based configurations enabling separate rollouts of different types of passkeys.

 

Soft Deletion for Cloud Security Groups Public Preview

Service category: Group Management
Product capability: Identity Security & Protection

Soft deletion for cloud security groups introduces a safety mechanism that allows administrators to recover deleted groups within a 30‑day retention period. When a cloud security group is deleted, it is not immediately removed from the directory; instead, it enters a soft‑deleted state, preserving its membership and configuration. This feature helps prevent accidental data loss and supports business continuity by enabling quick restoration of groups without requiring manual recreation. Admins can restore soft‑deleted groups through the Microsoft Entra admin center or Microsoft Graph API during the retention window.

 

End user experience for managing agent identities Public Preview

Service category: Other
Product capability: End User Experiences

The Manage agents end user experience lets people in the organization view and control agent identities they own or sponsor. With the manage agents feature, they can easily see which agents they’re responsible for, review their agent identities' details, and take action to enable, disable, or request access for their agents.

 

Conditional Access for Agents Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access for Agent ID is a new capability in Microsoft Entra that brings Conditional Access evaluation and enforcement to AI agents. This capability extends the same Zero Trust controls that already protect human users and apps to agents. Conditional Access treats agents as first‑class identities and evaluates their access requests the same way it evaluates requests for human users or workload identities, but with agent‑specific logic.

 

Agent identity sponsor lifecycle support in Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

Managing agent identity sponsors is key for lifecycle governance and access control of agent identities. Sponsors oversee agent identities' lifecycles and access. Lifecycle Workflows now automates and streamlines sponsor lifecycle management by notifying managers and co‑sponsors when a sponsor changes roles or leaves the organization. Keeping sponsor information accurate and current ensures effective governance and compliance.

 

Microsoft Entra agent registry Public Preview

Service category: Other
Product capability: Platform

Microsoft Entra agent registry is a centralized metadata store of all deployed agents in an organization. As AI agents increasingly handle data retrieval, orchestration, and autonomous decision‑making, enterprises face rising security, compliance, and governance risks without clear visibility or control. Microsoft Entra agent registry, part of Microsoft Entra Agent ID, solves this by providing an extensible repository that delivers a unified view of every agent across Microsoft and non‑Microsoft ecosystems, enabling consistent discovery, governance, and secure collaboration at scale.

 

User centric access reviews including disconnected applications Public Preview

Service category: Access Reviews
Product capability: Identity Governance

User centric access reviews (UAR) provide a user‑centric review model that lets reviewers view a user’s access across multiple resources in a catalog in one unified view, streamlining the process of ensuring the right access at the right time. Resources include Entra groups, and both connected and disconnected (BYOD) applications, providing customers with a consolidated, holistic review experience.

 

New experience for Entra account registration page on Windows Public Preview

Service category: Device Registration and Management
Product capability: User Authentication

Microsoft is introducing a new modernized user experience for the Entra account registration flow on Windows. The new user experience is updated to be consistent with Microsoft design patterns and splits the experience into two separate pages for registration and enrollment.

Microsoft is also introducing a new admin property in public preview to control the MDM enrollment option in the account registration flow. This is targeted at organizations who want to enable Windows MAM for work or school accounts. The new setting controls the user experience screen for end users to MDM enroll in this flow.

 

Microsoft Entra ID with Entra Kerberos has added support for cloud‑only identities Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID with Entra Kerberos has added support for cloud-only identities which allows Entra-joined session hosts to authenticate and access cloud resources like Azure file shares and Azure virtual desktop without relying on Active Directory infrastructure. This capability is essential for organizations adopting a cloud-only strategy, as it removes the need for domain controllers while preserving enterprise-grade security, access control, and encryption.

 

Externally determine the approval requirements for an access package using custom extensions Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

In Entitlement Management, approvers for access package assignment requests can either be directly assigned, or determined dynamically. Entitlement management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization.

With the introduction of this feature, admins can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on your organization's specific business logic. The access package assignment request process will pause until the business logic hosted in Azure Logic Apps returns an approval stage, which will then be leveraged in the subsequent approval process via the My Access portal.

 

Support for eligible group memberships and ownerships in Entitlement Management access packages Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. Admins can now govern these just-in-time access assignments at scale by offering a self-service access request & extension process and integrate them into the organization's role model.

 

Microsoft Entra ID Account Recovery Public Preview

Service category: Verified ID
Product capability: Identity Security & Protection

Microsoft Entra ID Account Recovery is an advanced authentication recovery mechanism that enables users to regain access to their organizational accounts when they've lost access to all registered authentication methods. Unlike traditional password reset capabilities, account recovery focuses on identity verification and trust re‑establishment prior to replacement of authentication methods rather than simple credential recovery.

 

Self-remediation for passwordless users Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Risk-based access policies in Microsoft Entra Conditional Access now support self-remediation of risks across all authentication methods, including passwordless ones. This new control revokes compromised sessions in real-time, enables frictionless self-service, and reduces help-desk load.

 

Microsoft Entra ID Protection for Agents Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect the organization by automatically detecting and responding to identity‑based risks on agents that use the Microsoft Entra Agent ID platform.

 

Integrated App Risk Insights in Global Secure Access Public Preview

Service category: Enterprise Apps
Product capability: Access Control

Microsoft is enhancing Global Secure Access (GSA) with Integrated App Risk Insights, now in Preview.

This new capability unifies Global Secure Access and the Microsoft Entra App Gallery—which now includes applications and risk scores from Microsoft Defender for Cloud Apps—into one unified, risk-aware experience. It allows admins to discover, assess, and protect all their applications directly within the Microsoft Entra Admin Center.

With this integration, organizations can evaluate app risk in real time and enforce access policies based on that risk. Admins can view each app’s risk score, compliance data, and configuration (SSO and provisioning) in the Entra App Gallery, while GSA applies Conditional Access and session controls based on the app’s risk level.

 

Cloud Firewall for Remote Networks for Internet Traffic Public Preview

Service category: Internet Access
Product capability: Network Access

Cloud Firewall (CFW), also known as Next-Generation Firewall as a Service (FWaaS), protects organizations using Global Secure Access (GSA) against unauthorized egress traffic (such as outbound connections to the Internet) by monitoring network traffic and applying policies to it, providing centralized management, visibility, and consistent policies for branch offices.

 

Secure Web and AI Gateway for Microsoft Copilot Studio Agents Public Preview

Service category: Internet Access
Product capability: Network Access

As organizations adopt autonomous and interactive AI agents to perform tasks previously handled by humans, administrators need visibility and control over agent network activity. Global Secure Access for agents provides network security controls for Microsoft Copilot Studio agents, enabling admins to apply the same security policies to agents that the organization uses for users.

With Global Secure Access for agents, admins can regulate how agents use knowledge, tools, and actions to access external resources. Admins can apply network security policies including web content filtering, threat intelligence filtering, and network file filtering to agent traffic.

 

Internet traffic support over GSA remote network connectivity Public Preview

Service category: Internet Access
Product capability: Network Access

Remote Network Connectivity enables secure, clientless access to Microsoft 365 and Internet resources from branch offices via IPsec tunnels. Microsoft 365 traffic support is generally available; support for general Internet traffic is now in public preview.

 

URL Filtering Public Preview

Service category: Internet Access
Product capability: Network Access

This public preview allows admins to configure URL filtering rules to granularly deny or allow access to full URLs (including hostname and full path). These rules are part of the existing web content filtering policy schema that allows security policies to become context-aware by linking a policy to a security profile to a conditional access policy.

 

What's Changed

Microsoft Entra Internet Access TLS Inspection Generally Available

Service category: Internet Access
Product capability: Network Access

Transport Layer Security (TLS) Inspection for Microsoft Entra Internet Access delivers deep visibility into encrypted traffic and advanced security controls. TLS Inspection provides the foundation for user-friendly block messages, full URL filtering, file policy enforcement, and prompt inspection with AI Gateway.

Organizations can define flexible TLS inspection policies to specify which traffic to inspect, and which users or devices policies apply to. Custom rules offer granular control to intercept or bypass traffic based on destination FQDNs or web categories, while traffic logs provide detailed insights into matched policies and rules.

 

Passkey profiles Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID now supports group‑based passkey (FIDO2) configurations, enabling separate rollouts of different types of passkeys to different sets of users.

 

Entitlement Management Introduces Additional Approval Flows for Risky Users’ Access Package Requests Based on IRM and IDP Risk Signals Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

Entitlement Management now supports risk-based approval escalation. When a user requesting an access package is flagged by Insider Risk Management or Identity Protection as requiring additional scrutiny, the request is automatically routed to designated security approvers for an extra approval step before access is granted.


What's New in Entra ID for October 2025

Reading Time: 5 minutes

Microsoft Entra

Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for October 2025:

 

What's Planned

Update to Revoke Multifactor Authentication Sessions

Service category: MFA
Product capability: Identity Security & Protection

Starting February 2026, Microsoft is replacing the current Revoke multifactor authentication sessions button in the Microsoft Entra portal with a Revoke sessions button.

The legacy Revoke MFA sessions action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new Revoke sessions button invalidates all of the user's sessions, including MFA, regardless of whether MFA is enforced through Conditional Access or per-user MFA.

 

Jailbreak Detection in Authenticator App

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Starting February 2026, Microsoft will introduce jailbreak/root detection for Microsoft Entra credentials in the Authenticator app. This update prevents Microsoft Entra credentials from functioning on jailbroken or rooted devices. All existing credentials on such devices will be wiped to protect the organization.

This capability is secure by default and requires no admin configuration or control. The change applies to both iOS and Android. It doesn't apply to personal or third-party accounts.

 

What's New

Ability to convert Source of Authority of synced on-premises AD groups to cloud groups Generally Available

Service category: Group Management
Product capability: Microsoft Entra Cloud Sync

The Group SOA feature lets organizations move application access governance from on-premises to the cloud by transferring Active Directory group authority to Microsoft Entra ID using Connect Sync or Cloud Sync. With phased migration, admins can reduce Active Directory dependencies gradually and minimize disruption. Microsoft Entra ID Governance manages access for both cloud and on-premises apps linked to security groups, and organizations with either sync client can now use this feature.

 

Conversion of external users to internal members Generally Available

Service category: User Management
Product capability: User Management

External user conversion enables organizations to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account and access to resources isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.

 

Granular, Least-Privileged Permissions for UserAuthenticationMethod APIs Generally Available

Service category: MS Graph
Product capability: Developer Experience

Microsoft is introducing new, granular permissions for the UserAuthenticationMethod APIs in Microsoft Entra ID. This update enables organizations to apply the principle of least privilege when managing authentication methods, supporting both security and operational efficiency.
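As an added example (not code from the release note), the following PowerShell 7 snippet shows what the least-privilege change looks like in practice: instead of connecting with the tenant-wide UserAuthenticationMethod.Read.All scope, the session asks only for the passkey read permission and then reads one user's FIDO2 methods. The granular permission name UserAuthMethod-Passkey.Read.All is an assumption on my side based on the Graph permissions reference; the user principal name is a placeholder.

```powershell
# Added example: read a user's passkeys with the narrowest Graph scope instead of
# the tenant-wide UserAuthenticationMethod.Read.All.
# Assumption: the granular permission is named UserAuthMethod-Passkey.Read.All;
# confirm the exact name with Find-MgGraphPermission before relying on it.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# 1. Look up the granular permission names (the cmdlet queries the Microsoft Graph
#    service principal when a session exists and falls back to a cached list otherwise).
Find-MgGraphPermission -SearchString 'UserAuthMethod-' -PermissionType Delegated |
    Select-Object Name, Description

# Before: one scope that covers every authentication method of every user.
# Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All'

# After: scope limited to passkeys, read-only.
Connect-MgGraph -Scopes 'UserAuthMethod-Passkey.Read.All' -NoWelcome

$user = 'alice@contoso.example'   # placeholder UPN

# FIDO2/passkey methods only; reading phone or TAP methods would be refused with this scope.
Get-MgUserAuthenticationFido2Method -UserId $user |
    Select-Object Id, DisplayName, Model, AttestationLevel, CreatedDateTime

# Check what the session actually holds; anything broader than requested is a finding.
(Get-MgContext).Scopes
```

When consent was previously granted for the broad scope, the token may still carry it; the last line is the check that the narrowing took effect.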

 

Suggested Access Packages can be shown to users in My Access Generally Available

Service category: Entitlement Management
Product capability: Entitlement Management

In My Access, Microsoft Entra ID Governance users can see a curated list of suggested access packages. This lets users quickly find the access packages most relevant to them, based on their peers' access packages and their own previous assignments, without scrolling through all available access packages.

The suggested access packages list is created by finding people related to the user (manager, direct reports, organization, team members) and recommending access packages based on what the users’ peers have. The user is also suggested access packages that were previously assigned to them.

 

Soft Delete and Restore for Conditional Access Policies and Named Locations Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Microsoft has released the public preview of soft delete and restore for Conditional Access (CA) policies and Named Locations in Microsoft Entra. This capability extends the soft delete model already used for users and groups to these security configurations, through the Microsoft Graph beta APIs and the Microsoft Entra Admin Center, so admins can quickly recover from accidental or malicious deletions and strengthen their overall security posture.
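As an added example (not part of the release note), the PowerShell 7 snippet below pairs the recovery feature with the detection you want next to it: it first pulls recent "Delete conditional access policy" and "Delete named location" events from the directory audit log, then lists what is still restorable and restores one policy by id. The deleted-items paths (/beta/identity/conditionalAccess/deletedItems/policies and the /restore action) are my assumption from the preview announcement and should be checked against the Graph beta reference; the policy id is a placeholder.

```powershell
# Added example: detect Conditional Access deletions, then restore from the soft-delete store.
# Assumptions: deleted items live under /beta/identity/conditionalAccess/deletedItems/policies
# (and .../namedLocations) with a POST .../{id}/restore action; verify before use.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# 1. Detection: who deleted CA policies or named locations in the last 7 days?
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'Policy' and activityDateTime ge $since and " +
          "(activityDisplayName eq 'Delete conditional access policy' or " +
          " activityDisplayName eq 'Delete named location')"

Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
    [pscustomobject]@{
        When     = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        # Deletions by automation show up under App rather than User.
        Actor    = $_.InitiatedBy.User.UserPrincipalName ?? $_.InitiatedBy.App.DisplayName
        Target   = ($_.TargetResources | Select-Object -First 1).DisplayName
    }
} | Format-Table -AutoSize

# 2. Recovery: list restorable policies and put one back by id.
$deleted = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/deletedItems/policies'
$deleted.value | Select-Object id, displayName

$policyId = '00000000-0000-0000-0000-000000000000'   # placeholder: id taken from the list above
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/deletedItems/policies/$policyId/restore"

# A restored policy comes back in the state it had when deleted; confirm before trusting it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId |
    Select-Object DisplayName, State, ModifiedDateTime
```

The audit query is the part worth scheduling: a deleted block policy that nobody notices is exactly the "malicious deletion" the feature is meant to undo, and restore only helps if someone looks.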

 

Cloud Managed Remote Mailboxes Public Preview

Service category: User Management
Product capability: Microsoft Entra Cloud Sync

The Source of Authority (SOA) at the object level allows admins to convert specific users synced from Active Directory to Microsoft Entra ID into cloud-editable objects, which are no longer synced and act as if originally created in the cloud. This feature supports a gradual migration process, decreasing dependencies on Active Directory while aiming to minimize user and operational impact. Both Microsoft Entra Connect Sync and Cloud Sync recognize the SOA switch for these objects.

 

Delegated Workflow Management in Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Organizations are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope.

 

App-based branding via Branding themes in Microsoft Entra External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

In Microsoft Entra External ID, organizations can create a single, tenant-wide, customized branding experience that applies to all apps. Microsoft is introducing a concept of Branding themes to allow organizations to create different branding experiences for specific applications.

 

Sign-in with username/alias Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

In Microsoft Entra External ID, users with a local email and password credential sign in with their email address as the identifier. Microsoft is adding the ability for these users to sign in with an alternative identifier, such as a customer or member ID (for example, an insurance number or frequent flyer number), assigned through the Graph API or in the Microsoft Entra admin center.

 

Global Secure Access B2B support with AVD and Windows 365 Public Preview

Service category: B2B
Product capability: Network Access

Guest access support for Global Secure Access (GSA) with Windows 365 and Azure Virtual Desktop (AVD) provides secure access through GSA for external identities such as guests, partners and contractors using Windows Cloud. This feature allows third-party users from a foreign tenant to securely access resources within an organization's tenant, also known as the resource tenant. Resource tenant admins can enable Private Access, Internet Access, and Microsoft 365 traffic for these third-party users.

 

Global Secure Access Internet profile support for iOS client Public Preview

Service category: Internet Access
Product capability: Network Access

Kerberos SSO for users on mobile devices with Global Secure Access is now supported. On iOS, create and deploy a profile for the Single sign-on app extension. On Android, you need to install and configure a third-party SSO client.

 

What's Fixed

Prefetch Workday termination data to customize account disable logic Public Preview

Service category: Provisioning
Product capability: Inbound to Microsoft Entra ID

This month's Workday connector update resolves termination processing delays observed for workers in the Asia Pacific (APAC) and Australia and New Zealand (ANZ) regions. Admins can now enable the termination lookahead setting to prefetch termination data and tailor deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory.

 

What's Changed

Expanded attribute support in Lifecycle Workflows attribute changes trigger Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, admins can configure workflows to respond when any of the following attributes change:

  • Custom security attributes
  • Directory extension attributes
  • EmployeeOrgData attributes
  • On-premises attributes 1–15

This enhancement gives admins greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments.
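As an added example (not code from the release note), this PowerShell snippet creates a mover workflow through the Graph beta SDK whose attribute-change trigger fires on a core attribute (department) and on one of the newly supported on-premises attributes. It resolves the "Add user to groups" task definition by display name instead of hard-coding its GUID. Two assumptions are mine: that the on-premises attribute is referenced in triggerAttributes as extensionAttribute1 (the Graph user property name), and the target group id, which is a placeholder.

```powershell
# Added example: mover workflow with an attribute-change trigger on department and
# on-premises extensionAttribute1, adding the user to a group when either changes.
# Assumptions: 'extensionAttribute1' is the accepted trigger attribute name for
# on-premises attribute 1; $groupId is a placeholder.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Beta.Identity.Governance

Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' -NoWelcome

# Resolve the built-in task by name; the GUID then never has to be copied from docs.
$addToGroup = Get-MgBetaIdentityGovernanceLifecycleWorkflowTaskDefinition -All |
    Where-Object DisplayName -eq 'Add user to groups'

$groupId = '11111111-1111-1111-1111-111111111111'   # placeholder: target access group

$body = @{
    category            = 'mover'
    displayName         = 'Mover: department or extensionAttribute1 changed'
    description         = 'Re-scope group access when a tracked attribute changes'
    isEnabled           = $true
    isSchedulingEnabled = $false        # attribute-change triggers run on change, not on a schedule
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule = '(accountEnabled eq true)'
        }
        trigger = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.attributeChangeTrigger'
            triggerAttributes = @(
                @{ name = 'department' }
                @{ name = 'extensionAttribute1' }   # on-premises attribute 1 (assumed name form)
            )
        }
    }
    tasks = @(
        @{
            isEnabled        = $true
            taskDefinitionId = $addToGroup.Id
            displayName      = 'Add to department access group'
            arguments        = @(
                @{ name = 'groupID'; value = $groupId }
            )
        }
    )
}

$workflow = New-MgBetaIdentityGovernanceLifecycleWorkflow -BodyParameter $body
$workflow | Select-Object Id, DisplayName, Category, IsEnabled

# Check: read back which attributes the service actually registered as triggers.
$uri = "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows/workflows/$($workflow.Id)"
(Invoke-MgGraphRequest -Method GET -Uri $uri).executionConditions.trigger.triggerAttributes |
    ForEach-Object { $_.name }
```

The read-back at the end matters for the new attribute types: if a name is not accepted, the workflow is created without that trigger rather than failing loudly.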

 

What's Deprecated

Iteration 2 beta APIs for Microsoft Entra PIM will be retired. Migrate to Iteration 3 APIs.

Service category: Privileged Identity Management
Product capability: Identity Governance

Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) Iteration 2 (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail. These calls will no longer return data, which might disrupt workflows or integrations relying on these endpoints. These APIs were released in beta and are being retired. Iteration 3 generally available (GA) APIs offer improved reliability and broader scenario support.
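As an added example (not code from the release note), the PowerShell 7 snippet below puts a retiring iteration 2 call next to its iteration 3 replacement for eligible Entra role assignments, and then greps a script folder for the three iteration 2 path prefixes so the automation that will break can be found before the cutoff. The script path is a placeholder; the iteration 2 URL is quoted from memory of the beta API and is kept commented out.

```powershell
# Added example: migrate from PIM iteration 2 (beta) to iteration 3 (v1.0 roleManagement)
# and locate scripts that still call the retiring endpoints.
# Assumption: C:\Scripts is a placeholder for wherever your automation lives.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Before (iteration 2, beta, retiring): eligible Entra role assignments.
# $old = Invoke-MgGraphRequest -Method GET -Uri `
#   "https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/$tenantId/roleAssignments?`$filter=assignmentState eq 'Eligible'"

# After (iteration 3, v1.0): the same data through roleManagement, with role and principal expanded.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty 'roleDefinition,principal'
$eligible | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.RoleDefinition.DisplayName
        # Principal is a directoryObject; user and group properties sit in AdditionalProperties.
        Principal = $_.Principal.AdditionalProperties['userPrincipalName'] ??
                    $_.Principal.AdditionalProperties['displayName']
        Scope     = $_.DirectoryScopeId
        Expires   = $_.ScheduleInfo.Expiration.EndDateTime
    }
} | Sort-Object Role | Format-Table -AutoSize

# Find automation that still hits the retiring endpoints (Entra roles, Azure resources, groups).
$legacyPaths = 'privilegedAccess/aadRoles', 'privilegedAccess/azureResources', 'privilegedAccess/aadGroups'
Get-ChildItem -Path 'C:\Scripts' -Recurse -Include *.ps1, *.py, *.json -ErrorAction SilentlyContinue |
    Select-String -Pattern $legacyPaths -SimpleMatch |
    Select-Object Path, LineNumber, Line
```

The scan is the useful half: scripts that silently return no data after the retirement date are worse than scripts that fail, because downstream access reviews will simply see fewer assignments.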


The video of my presentation at the 2025 Hybrid Identity Protection Conference is now available on demand

Reading Time: 2 minutes

Hybrid Identity Protection Conference 2025 Charleston

The Hybrid Identity Protection Conference is Semperis Inc.’s event in the spirit of The Expert Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend time with peers, whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

During the 2025 Hybrid Identity Protection Conference in Charleston, I presented the below 45-minute presentation:

Entra ID Applications: 5 Dos & Don’ts to Protect Your Blind Spot


Microsoft offers application-integration features in Entra for single-tenant applications, multi-tenant applications, and workload identities. As with every other Entra feature, application management, governance, and security require a certain level of attention. Unfortunately, application governance is not part of the official Microsoft curriculum, Entra SKUs, or IAM solutions. Entra admins: Don’t be blindsided! Get real-world insights into the inevitable parallels in application integration between Active Directory and Entra and learn valuable tips and tricks for keeping Microsoft Entra enterprise applications and application registrations in check.

Enjoy!
