
Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for November 2025:
What's New
External ID regional expansion to Australia and Japan Generally Available
Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C
Microsoft is expanding Microsoft Entra External ID to Australia and Japan with Go‑Local add‑on that keeps External ID data stored and processed in location. This premium add‑on is selectable when admins create a new External ID tenant and is designed for organizations with strict data residency requirements. A small set of centralized platform services remains global, with no change to security or compliance posture.
New SCIM 2.0 SAP CIS connector Generally Available
Service category: Enterprise Apps
Product capability: Outbound to SaaS Applications
An updated SCIM 2.0 SAP Cloud Identity Services (CIS) connector was released to the Microsoft Entra app gallery on September 30, 2025. It replaces Microsoft's previous SAP CIS provisioning integration and now provides support for provisioning and deprovisioning groups to SAP CIS, custom extension attributes, and the OAuth 2.0 Client Credentials grant.
Reprocess failed users and workflows in Lifecycle Workflows Generally Available
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now supports reprocessing workflows when errors or failures are discovered. Admins can reprocess previous workflow runs, including failed runs or runs they simply want to process again. Organizations can choose from the following options to fit their needs:
- Select a specific workflow run to be reprocessed
- Select which users from the workflow run are to be reprocessed, e.g. failed users or all users from the run
Groups Purview sensitivity label support in Lifecycle Workflows Generally Available
Service category: Lifecycle Workflows
Product capability: Identity Governance
Organizations can now view Purview sensitivity labels assigned to groups and Teams in Lifecycle Workflows. When configuring workflow tasks for managing group or Teams assignments, admins can now see actively assigned sensitivity labels to support informed group selection decisions. This helps customers achieve stronger organizational compliance.
Trigger workflows for inactive employees and guests in Lifecycle Workflows Generally Available
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now enables organizations to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign‑in inactivity. By detecting inactivity, the workflow automatically executes predefined tasks — such as sending notifications, disabling accounts, or initiating offboarding — when users exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently, reducing security exposure, reducing license waste, and enforcing governance policies at scale.
GSA + Netskope ATP & DLP integration Generally Available
Service category: Internet Access
Product capability: Network Access
In today's evolving threat landscape, organizations face challenges protecting sensitive data and systems from cyber attacks. Global Secure Access combines Entra Internet Access protections with Netskope's Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) capabilities to deliver real-time protection against malware, zero-day vulnerabilities, and data leaks, and simplifies management through a unified platform. Microsoft’s SSE solution adopts an open platform approach, enabling integration with third-party companies, with Netskope being the first.
Synced passkeys in Microsoft Entra ID Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft Entra ID now supports synced passkeys stored in native and third‑party passkey providers. With this change, the passkey (FIDO2) authentication methods policy has been expanded to support group‑based configurations enabling separate rollouts of different types of passkeys.
Soft Deletion for Cloud Security Groups Public Preview
Service category: Group Management
Product capability: Identity Security & Protection
Soft deletion for cloud security groups introduces a safety mechanism that allows administrators to recover deleted groups within a 30‑day retention period. When a cloud security group is deleted, it is not immediately removed from the directory; instead, it enters a soft‑deleted state, preserving its membership and configuration. This feature helps prevent accidental data loss and supports business continuity by enabling quick restoration of groups without requiring manual recreation. Admins can restore soft‑deleted groups through the Microsoft Entra admin center or Microsoft Graph API during the retention window.
End user experience for managing agent identities Public Preview
Service category: Other
Product capability: End User Experiences
The Manage agents end user experience lets people in the organization view and control agent identities they own or sponsor. With the manage agents feature, they can easily see which agents they’re responsible for, review their agent identities' details, and take action to enable, disable, or request access for their agents.
Conditional Access for Agents Public Preview
Service category: Conditional Access
Product capability: Identity Security & Protection
Conditional Access for Agent ID is a new capability in Microsoft Entra that brings Conditional Access evaluation and enforcement to AI agents. This capability extends the same Zero Trust controls that already protect human users and apps to agents. Conditional Access treats agents as first‑class identities and evaluates their access requests the same way it evaluates requests for human users or workload identities, but with agent‑specific logic.
Agent identity sponsor lifecycle support in Lifecycle Workflows Public Preview
Service category: Lifecycle Workflows
Product capability: Identity Governance
Managing agent identity sponsors is key for lifecycle governance and access control of agent identities. Sponsors oversee agent identities' lifecycles and access. Lifecycle Workflows now automates and streamlines sponsor lifecycle management by notifying managers and co‑sponsors when a sponsor changes roles or leaves the organization. Keeping sponsor information accurate and current ensures effective governance and compliance.
Microsoft Entra agent registry Public Preview
Service category: Other
Product capability: Platform
Microsoft Entra agent registry is a centralized metadata store of all deployed agents in an organization. As AI agents increasingly handle data retrieval, orchestration, and autonomous decision‑making, enterprises face rising security, compliance, and governance risks without clear visibility or control. Microsoft Entra agent registry, part of Microsoft Entra Agent ID, solves this by providing an extensible repository that delivers a unified view of every agent across Microsoft and non‑Microsoft ecosystems, enabling consistent discovery, governance, and secure collaboration at scale.
User centric access reviews including disconnected applications Public Preview
Service category: Access Reviews
Product capability: Identity Governance
User centric access reviews (UAR) provide a user‑centric review model that lets reviewers view a user’s access across multiple resources in a catalog in one unified view, streamlining the process of ensuring the right access at the right time. Resources include Entra groups, and both connected and disconnected (BYOD) applications, providing customers with a consolidated, holistic review experience.
New experience for Entra account registration page on Windows Public Preview
Service category: Device Registration and Management
Product capability: User Authentication
Microsoft is introducing a new modernized user experience for the Entra account registration flow on Windows. The new user experience is updated to be consistent with Microsoft design patterns and splits the experience into two separate pages for registration and enrollment.
Microsoft is also introducing a new admin property in public preview to control the MDM enrollment option in the account registration flow. This is targeted at organizations who want to enable Windows MAM for work or school accounts. The new setting controls the user experience screen for end users to MDM enroll in this flow.
Microsoft Entra ID with Entra Kerberos has added support for cloud‑only identities Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft Entra ID with Entra Kerberos has added support for cloud-only identities, which allows Entra-joined session hosts to authenticate and access cloud resources like Azure file shares and Azure Virtual Desktop without relying on Active Directory infrastructure. This capability is essential for organizations adopting a cloud-only strategy, as it removes the need for domain controllers while preserving enterprise-grade security, access control, and encryption.
Externally determine the approval requirements for an access package using custom extensions Public Preview
Service category: Entitlement Management
Product capability: Entitlement Management
In Entitlement Management, approvers for access package assignment requests can either be directly assigned or determined dynamically. Entitlement Management natively supports dynamically determining approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization.
With the introduction of this feature, admins can now use custom extensions for callouts to Azure Logic Apps and dynamically determine approval requirements for each access package assignment request based on the organization's specific business logic. The access package assignment request process pauses until the business logic hosted in Azure Logic Apps returns an approval stage, which is then used in the subsequent approval process via the My Access portal.
Support for eligible group memberships and ownerships in Entitlement Management access packages Public Preview
Service category: Entitlement Management
Product capability: Entitlement Management
This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. Admins can now govern these just-in-time access assignments at scale by offering a self-service access request and extension process and integrating them into the organization's role model.
Microsoft Entra ID Account Recovery Public Preview
Service category: Verified ID
Product capability: Identity Security & Protection
Microsoft Entra ID Account Recovery is an advanced authentication recovery mechanism that enables users to regain access to their organizational accounts when they've lost access to all registered authentication methods. Unlike traditional password reset capabilities, account recovery focuses on identity verification and trust re‑establishment prior to replacement of authentication methods rather than simple credential recovery.
Self-remediation for passwordless users Public Preview
Service category: Identity Protection
Product capability: Identity Security & Protection
Risk-based access policies in Microsoft Entra Conditional Access now support self-remediation of risks across all authentication methods, including passwordless ones. This new control revokes compromised sessions in real-time, enables frictionless self-service, and reduces help-desk load.
Microsoft Entra ID Protection for Agents Public Preview
Service category: Identity Protection
Product capability: Identity Security & Protection
As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect the organization by automatically detecting and responding to identity‑based risks on agents that use the Microsoft Entra Agent ID platform.
Unified Entra App Gallery Public Preview
Service category: Enterprise Apps
Product capability: Access Control
Microsoft is enhancing Global Secure Access (GSA) with Integrated App Risk Insights, now in Preview.
This new capability unifies Global Secure Access and the Microsoft Entra App Gallery—which now includes applications and risk scores from Microsoft Defender for Cloud Apps—into one unified, risk-aware experience. It allows admins to discover, assess, and protect all their applications directly within the Microsoft Entra Admin Center.
With this integration, organizations can evaluate app risk in real time and enforce access policies based on that risk. Admins can view each app’s risk score, compliance data, and configuration (SSO and provisioning) in the Entra App Gallery, while GSA applies Conditional Access and session controls based on the app’s risk level.
Cloud Firewall for Remote Networks for Internet Traffic Public Preview
Service category: Internet Access
Product capability: Network Access
Cloud Firewall (CFW), also known as Next Gen Firewall as a Service (FWaaS), can protect organizations using Global Secure Access (GSA) from unauthorized egress access (such as connections to the Internet) by monitoring network traffic and applying policies to it, providing centralized management, visibility, and consistent policies for branches.
Secure Web and AI Gateway for Microsoft Copilot Studio Agents Public Preview
Service category: Internet Access
Product capability: Network Access
As organizations adopt autonomous and interactive AI agents to perform tasks previously handled by humans, administrators need visibility and control over agent network activity. Global Secure Access for agents provides network security controls for Microsoft Copilot Studio agents, enabling admins to apply the same security policies to agents that the organization uses for users.
With Global Secure Access for agents, admins can regulate how agents use knowledge, tools, and actions to access external resources. Admins can apply network security policies including web content filtering, threat intelligence filtering, and network file filtering to agent traffic.
Internet traffic support over GSA remote network connectivity Public Preview
Service category: Internet Access
Product capability: Network Access
Remote Network Connectivity enables secure, clientless access to Microsoft 365 and internet resources from branch offices via IPsec tunnels. While Microsoft 365 traffic support is generally available, full internet access has now gone to public preview.
URL Filtering Public Preview
Service category: Internet Access
Product capability: Network Access
This public preview allows admins to configure URL filtering rules to granularly deny or allow access to full URLs (including hostname and full path). These rules are part of the existing web content filtering policy schema that allows security policies to become context-aware by linking a policy to a security profile to a conditional access policy.
What's Changed
Microsoft Entra Internet Access TLS Inspection Generally Available
Service category: Internet Access
Product capability: Network Access
Transport Layer Security (TLS) Inspection for Microsoft Entra Internet Access delivers deep visibility into encrypted traffic and advanced security controls. TLS Inspection provides the foundation for user-friendly block messages, full URL filtering, file policy enforcement, and prompt inspection with AI Gateway.
Organizations can define flexible TLS inspection policies to specify which traffic to inspect, and which users or devices policies apply to. Custom rules offer granular control to intercept or bypass traffic based on destination FQDNs or web categories, while traffic logs provide detailed insights into matched policies and rules.
Passkey profiles Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft Entra ID now supports group‑based passkey (FIDO2) configurations, enabling separate rollouts of different types of passkeys to different sets of users.
Entitlement Management Introduces Additional Approval Flows for Risky Users’ Access Package Requests Based on IRM and IDP Risk Signals Public Preview
Service category: Entitlement Management
Product capability: Entitlement Management
Entitlement Management now supports risk-based approval escalation. When a user requesting an access package is flagged by Insider Risk Management or Identity Protection as requiring additional scrutiny, the request is automatically routed to designated security approvers for an extra approval step before access is granted.





