Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for March 2025:
What’s Planned
Microsoft Entra Permissions Management end of sale and retirement
Service category: Other
Product capability: Permissions Management
Effective April 1, 2025, Microsoft Entra Permissions Management (MEPM) will no longer be available for sale to new Enterprise Agreement (EA) subscribers and direct Microsoft customers. Additionally, starting May 1, it will not be available for sale to new CSP organizations. Effective October 1, 2025, Microsoft will retire Microsoft Entra Permissions Management and discontinue support of this product.
Organizations that use MEPM will retain access to this product until September 30, 2025, with ongoing support for current functionalities. Microsoft has partnered with Delinea to provide an alternative solution, Privilege Control for Cloud Entitlements (PCCE), that offers similar capabilities to those provided by MEPM.
Download Microsoft Entra Connect Sync on the Microsoft Entra admin center
Service category: Microsoft Entra Connect
Product capability: Identity Governance
The Microsoft Entra Connect Sync .msi installation files will become available on the Microsoft Entra admin center within the Microsoft Entra Connect pane.
As part of this change, Microsoft stops uploading new installation files on the Microsoft Download Center.
What’s Deprecated
Upgrade Microsoft Entra Connect Sync version to avoid impact on the Sync Wizard
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
As announced in the Microsoft Entra What's New Blog and in Microsoft 365 Center communications, customers should upgrade their Connect Sync versions to at least 2.4.18.0 for commercial clouds and 2.4.21.0 for non-commercial clouds before April 7, 2025. A breaking change on the Connect Sync Wizard will affect all requests that require authentication, such as schema refresh, configuration of staging mode, and user sign-in changes.
What’s New
Conditional Access reauthentication policy Generally Available
Service category: Conditional Access
Product capability: Identity Security & Protection
Require reauthentication every time can be used for scenarios where organizations want to require a fresh authentication every time a person performs specific actions, like accessing sensitive applications, securing resources behind VPN, or securing privileged role elevation in Microsoft Entra Privileged Identity Management (PIM).
Custom Attributes support for Microsoft Entra Domain Services Generally Available
Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services
Custom Attributes for Microsoft Entra Domain Services allows organizations to use Custom Attributes in their managed domains. Legacy applications often rely on custom attributes created in the past to store information, categorize objects, or enforce fine-grained access control over resources.
Microsoft Entra Domain Services now supports custom attributes, enabling organizations to migrate their legacy applications to the Azure cloud without modification. It also provides support to synchronize custom attributes from Microsoft Entra ID, allowing organizations to benefit from Microsoft Entra ID services in the cloud.
Track and investigate identity activities with linkable identifiers in Microsoft Entra Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft will standardize the linkable token identifiers, and expose them in both Microsoft Entra and workflow audit logs. This allows organizations to join the logs to track, and investigate, any malicious activity. Currently, linkable identifiers are available in the Microsoft Entra sign-in logs, the Exchange Online audit logs, and the MSGraph Activity logs.
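The log join described above, as an added example that is not Microsoft's code or part of the original release notes: it groups workload events under the sign-in that shares their session identifier and lists events sent from a different IP address than the sign-in. The records are constructed, and the field names (session_id, ip, source, action) are assumptions to be mapped to the columns of your own exports.

```python
# Constructed sample records. Field names are assumptions for this example;
# map them to the columns your own log exports use.
SIGN_INS = [
    {"time": "2025-03-10T08:00:05Z", "user": "alice@contoso.example",
     "ip": "198.51.100.7", "session_id": "sess-A"},
    {"time": "2025-03-10T08:02:11Z", "user": "bob@contoso.example",
     "ip": "203.0.113.9", "session_id": "sess-B"},
]
WORKLOAD_EVENTS = [
    {"time": "2025-03-10T08:15:02Z", "source": "exchange", "ip": "192.0.2.44",
     "action": "New-InboxRule", "session_id": "sess-A"},
    {"time": "2025-03-10T08:00:40Z", "source": "graph", "ip": "198.51.100.7",
     "action": "GET /me/messages", "session_id": "sess-A"},
    {"time": "2025-03-10T08:03:00Z", "source": "graph", "ip": "203.0.113.9",
     "action": "GET /users", "session_id": "sess-B"},
    {"time": "2025-03-10T09:00:00Z", "source": "graph", "ip": "192.0.2.50",
     "action": "GET /groups", "session_id": "sess-Z"},
]


def build_timelines(sign_ins, events):
    """Attach each workload event to the sign-in sharing its session id."""
    timelines = {s["session_id"]: {"sign_in": s, "events": []} for s in sign_ins}
    orphans = []  # events whose session has no sign-in record in the export
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for event in sorted(events, key=lambda e: e["time"]):
        slot = timelines.get(event["session_id"])
        if slot is None:
            orphans.append(event)
        else:
            slot["events"].append(event)
    return timelines, orphans


def ip_changes(timelines):
    """Events sent from a different IP than the session's sign-in.
    A review signal only: roaming clients and proxies also cause this."""
    hits = []
    for sid, t in timelines.items():
        for e in t["events"]:
            if e["ip"] != t["sign_in"]["ip"]:
                hits.append((t["sign_in"]["user"], sid, e["source"], e["action"]))
    return hits


if __name__ == "__main__":
    timelines, orphans = build_timelines(SIGN_INS, WORKLOAD_EVENTS)
    print(ip_changes(timelines), [o["session_id"] for o in orphans])
```

Orphaned events usually mean the sign-in export covers a shorter time window than the workload logs, so widen the window before treating them as suspicious.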
Limit creation or promotion of multitenant apps Public Preview
Service category: Directory Management
Product capability: Developer Experience
Microsoft added a new feature to the App Management Policy Framework that allows restriction on creation or promotion of multitenant applications, providing admins with greater control over their app environments.
Admins can now configure tenant default or custom app policy using the new audiences restriction to block new app creation if the signInAudience value provided in the app isn't permitted by the policy. In addition, existing apps can be restricted from changing their signInAudience if the target value isn't permitted by the policy.
These policy changes are applied during app creation or update operations, offering control over application deployment and usage.
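A local model of the audiences restriction described above, as an added example that is not Microsoft's implementation or part of the original release notes. The ALLOWED set is a hypothetical stand-in for the policy, the app inventory is constructed, and the handling of updates that leave signInAudience unchanged is this example's reading of the text. Because the policy is applied only on create or update, the second function lists existing apps that already sit outside the allowed set.

```python
# Hypothetical local stand-in for the policy: the permitted signInAudience values.
ALLOWED = {"AzureADMyOrg"}

# Constructed inventory, shaped like an export of application objects
# (displayName, appId and signInAudience are application properties).
APPS = [
    {"displayName": "hr-portal", "signInAudience": "AzureADMyOrg",
     "appId": "00000000-0000-0000-0000-000000000001"},
    {"displayName": "partner-api", "signInAudience": "AzureADMultipleOrgs",
     "appId": "00000000-0000-0000-0000-000000000002"},
    {"displayName": "legacy-kiosk",
     "signInAudience": "AzureADandPersonalMicrosoftAccount",
     "appId": "00000000-0000-0000-0000-000000000003"},
]


def check_operation(allowed, target, current=None):
    """Return (permitted, reason) for a create (current=None) or an update."""
    if current is not None and target == current:
        # The restriction is on changing the audience, not on keeping it.
        return True, "signInAudience unchanged"
    if target in allowed:
        return True, "target audience permitted"
    verb = "creation with" if current is None else "change to"
    return False, f"{verb} {target} blocked by policy"


def preexisting_exceptions(apps, allowed):
    """Existing apps whose audience the policy would not permit today."""
    return sorted(a["displayName"] for a in apps
                  if a["signInAudience"] not in allowed)


if __name__ == "__main__":
    print(check_operation(ALLOWED, "AzureADMultipleOrgs"))
    print(check_operation(ALLOWED, "AzureADMultipleOrgs", "AzureADMyOrg"))
    print(preexisting_exceptions(APPS, ALLOWED))
```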
Conditional Access Per-Policy Reporting Public Preview
Service category: Conditional Access
Product capability: Identity Security & Protection
Conditional Access Per-Policy Reporting enables admins to easily evaluate the impact of enabled and report-only Conditional Access policies on their organization, without using Log Analytics. This feature surfaces a graph for each policy in the Microsoft Entra Admin Center, visualizing the policy’s impact on the tenant’s past sign-ins.
What’s Changed
New Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows Generally Available
Service category: Conditional Access
Product capability: Access Control
As part of our ongoing commitment to enhance security and protect organizations from evolving cyber threats, Microsoft is rolling out two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned to the secure by default principle of Microsoft’s broader Secure Future Initiative, which aims to provide robust security measures to safeguard organizations by default.