
Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for October 2025:
What's Planned
Update to Revoke Multifactor Authentication Sessions
Service category: MFA
Product capability: Identity Security & Protection
Starting February 2026, Microsoft is replacing the current Revoke multifactor authentication sessions button with the Revoke sessions button in the Microsoft Entra portal.
The legacy Revoke MFA sessions action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new Revoke sessions button invalidates all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.
Jailbreak Detection in Authenticator App
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection
Starting February 2026, Microsoft will introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app. This update strengthens security by preventing Microsoft Entra credentials from functioning on jail-broken or rooted devices. All existing credentials on such devices will be wiped to protect the organization.
This capability is secure by default and requires no admin configuration or control. The change applies to both iOS and Android. This change won't apply to personal or third party accounts.
What's New
Ability to convert Source of Authority of synced on-premises AD groups to cloud groups Generally Available
Service category: Group Management
Product capability: Microsoft Entra Cloud Sync
The Group SOA feature lets organizations move application access governance from on-premises to the cloud by transferring Active Directory group authority to Microsoft Entra ID using Connect Sync or Cloud Sync. With phased migration, admins can reduce Active Directory dependencies gradually and minimize disruption. Microsoft Entra ID Governance manages access for both cloud and on-premises apps linked to security groups, and organizations with either sync client can now use this feature.
Conversion of external users to internal members Generally Available
Service category: User Management
Product capability: User Management
External user conversion enables organizations to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account and access to resources isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.
The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.
Granular, Least-Privileged Permissions for UserAuthenticationMethod APIs Generally Available
Service category: MS Graph
Product capability: Developer Experience
Microsoft is introducing new, granular permissions for the UserAuthenticationMethod APIs in Microsoft Entra ID. This update enables organizations to apply the principle of least privilege when managing authentication methods, supporting both security and operational efficiency.
Suggested Access Packages can be shown to users in My Access Generally Available
Service category: Entitlement Management
Product capability: Entitlement Management
In My Access, Microsoft Entra ID Governance users can see a curated list of suggested access packages. This capability allows users to quickly view the most relevant access packages for them, based on their peers' access packages and previous assignments, without scrolling through all their available access packages.
The suggested access packages list is created by finding people related to the user (manager, direct reports, organization, team members) and recommending access packages based on what the user's peers have. The user is also suggested access packages that were previously assigned to them.
Soft Delete and Restore for Conditional Access Policies and Named Locations Public Preview
Service category: Conditional Access
Product capability: Identity Security & Protection
Microsoft is thrilled to announce the Public Preview of soft delete and restore for Conditional Access (CA) policies and Named Locations in Microsoft Entra. This new capability extends its proven soft delete model to critical security configurations across Microsoft Graph APIs (in beta) and the Microsoft Entra Admin Center, helping admins recover from accidental or malicious deletions quickly and strengthen overall security posture.
Cloud Managed Remote Mailboxes Public Preview
Service category: User Management
Product capability: Microsoft Entra Cloud Sync
The Source of Authority (SOA) at the object level allows admins to convert specific users synced from Active Directory to Microsoft Entra ID into cloud-editable objects, which are no longer synced and act as if originally created in the cloud. This feature supports a gradual migration process, decreasing dependencies on Active Directory while aiming to minimize user and operational impact. Both Microsoft Entra Connect Sync and Cloud Sync recognize the SOA switch for these objects.
Delegated Workflow Management in Lifecycle Workflows Public Preview
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Organizations are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope.
App-based branding via Branding themes in Microsoft Entra External ID Public Preview
Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C
In Microsoft Entra External ID, organizations can create a single, tenant-wide, customized branding experience that applies to all apps. Microsoft is introducing a concept of Branding themes to allow organizations to create different branding experiences for specific applications.
Sign-in with username/alias Public Preview
Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C
In Microsoft Entra External ID, users with a local email+password credential can sign in with their email address as the identifier. Microsoft is adding the ability for these users to sign in with an alternative identifier, such as a customer/member ID (for example, an insurance number or frequent flier number), assigned via Graph API or in the Microsoft Entra admin center.
Global Secure Access B2B support with AVD and Windows 365 Public Preview
Service category: B2B
Product capability: Network Access
Guest access support for Global Secure Access (GSA) using Windows 365 and Azure Virtual Desktop (AVD) addresses secure access using GSA for external identities, such as Guests, Partners and Contractors, using Windows Cloud. This feature empowers 3rd party users from a foreign tenant to securely access resources within an organization’s tenant, also known as the resource tenant. Resource tenant admins can enable Private Access, Internet Access, and Microsoft 365 traffic for these 3rd party users.
Global Secure Access Internet profile support for iOS client Public Preview
Service category: Internet Access
Product capability: Network Access
The Kerberos SSO experience for users on mobile devices with Global Secure Access is now supported. On iOS, create and deploy a profile for the Single sign-on app extension. On Android, you need to install and configure a 3rd party SSO client.
What's Fixed
Prefetch Workday termination data to customize account disable logic Public Preview
Service category: Provisioning
Product capability: Inbound to Microsoft Entra ID
This month's Workday connector update resolves termination processing delays observed for workers in the Asia Pacific (APAC) and Australia New Zealand (ANZ) regions. Admins can now enable the termination lookahead setting to prefetch data and tailor deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory.
What's Changed
Expanded attribute support in Lifecycle Workflows attribute changes trigger Public Preview
Service category: Lifecycle Workflows
Product capability: Identity Governance
The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, admins can configure workflows to respond when any of the following attributes change:
- Custom security attributes
- Directory extension attributes
- EmployeeOrgData attributes
- On-premises attributes 1–15
This enhancement gives admins greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments.
What's Deprecated
Iteration 2 beta APIs for Microsoft Entra PIM will be retired. Migrate to Iteration 3 APIs.
Service category: Privileged Identity Management
Product capability: Identity Governance
Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) Iteration 2 (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail. These calls will no longer return data, which might disrupt workflows or integrations relying on these endpoints. These APIs were released in beta and are being retired. Iteration 3 generally available (GA) APIs offer improved reliability and broader scenario support.





