What's New in Entra in March 2026


Entra, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra for March 2026:

 

What's Planned

Agent Registry consolidation into Microsoft Agent 365

Service category: Other
Product capability: Directory

Microsoft is consolidating agent management experiences to make it easier to observe, govern, and secure all agents in your tenant. Agent 365 will be the single source of truth, offering a unified catalog, consistent visibility, and simplified management. The Agent registry and Agent collections blades in the Entra admin center will be retired on May 1, 2026.

 

What's New

Synced passkeys in Microsoft Entra ID General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID now supports synced passkeys as a generally available authentication method. Synced passkeys are FIDO2-based credentials that can be stored in built-in or third-party passkey providers and made available across devices. Admins can manage the use of synced passkeys alongside device-bound passkeys through passkey profiles in the authentication methods policy. Existing passkey configurations can be managed using the same Entra ID authentication policies and reporting surfaces.

 

Passkey profiles in Microsoft Entra ID General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Passkey profiles in Microsoft Entra ID are now generally available. Passkey profiles provide a structured way to manage passkey (FIDO2) authentication by allowing admins to define multiple profiles with different requirements and target them to specific user groups.

Each profile can specify allowed passkey types, attestation requirements, and authenticator restrictions, enabling differentiated policies for scenarios such as admins versus standard users. For tenants that previously configured passkeys, existing settings are migrated into a default passkey profile.

 

New M365 group creation experience in My Groups General Availability

Service category: Group Management
Product capability: End User Experiences

Microsoft is improving the Microsoft 365 group creation experience in the My Groups portal to give group owners more control and clarity from the start. The updated experience lets you configure key group, email, and security settings during creation, so your group works the way you expect without extra admin help later.

 

Microsoft Entra Connect Health now enforces TLS 1.2 General Availability

Service category: Entra Connect
Product capability: Entra Connect

Microsoft completed a full migration to TLS 1.2 for Entra Connect Health and removed legacy TLS 1.1 references as part of security hardening.

 

Just‑in‑Time Password Migration in Microsoft Entra External ID General Availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Just‑in‑Time Password Migration is now generally available in Microsoft Entra External ID.

Organizations can migrate user passwords securely at first sign‑in, allowing users to continue using their existing credentials without forced password resets. This enables a smoother transition from Azure AD B2C or other identity providers while reducing migration risk and operational overhead.

 

Enabling Email and SMS OTP MFA in Entra External ID Native Authentication General Availability

Service category: B2C – Consumer Identity Management
Product capability: Developer Experience

Build secure sign‑in and sign‑up experiences for applications in Entra External ID using Native Authentication, with Email and SMS OTP MFA available through developer‑friendly SDKs and APIs.

 

Microsoft Single Sign-On for Linux support for authenticating with Phish-Resistant MFA credentials General Availability

Service category: Authentications (Logins)
Product capability: SSO

The major improvements that this release provides include:

  • Enables authentication using CBA/YubiKey with certificate (PRMFA)
  • Removes dependency on Java runtime as part of the Intune install
  • Improved performance and reliability when authenticating to Entra ID
  • Provides device trust using Entra Join instead of Entra Registration
  • Increased stability and performance for authentication requests

 

Improved readability for Authentication Methods Policy Update audit logs General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Starting in April 2026, the Authentication Methods Policy Update and Authentication Methods Policy Reset audit log activities have been updated to improve readability and clarity. Previously, audit logs included the full authentication methods policy payload in both the old and new values, even when only a small number of settings were changed. With this update, audit log entries now surface only the specific properties that were modified, along with their corresponding old and new values.

Policy-wide updates, such as Registration Campaigns and System‑preferred authentication, may continue to include the full policy payload. The activity name and triggering events remain unchanged. This update affects formatting only and does not change policy behavior.
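Detections and reports that read these audit events have to cope with both layouts, because older entries and policy-wide updates still carry the full payload. The following is an added example, not Microsoft's code or part of the release notes: it assumes records shaped like the Microsoft Graph directoryAudit resource (targetResources[].modifiedProperties[] with displayName, oldValue and newValue), and the sample records and setting names are constructed.

```python
import json

ACTIVITIES = {"Authentication Methods Policy Update",
              "Authentication Methods Policy Reset"}

def _parse(value):
    """Audit values arrive as strings; return parsed JSON when possible."""
    try:
        return json.loads(value) if isinstance(value, str) else value
    except ValueError:
        return value

def _diff(old, new, path):
    """Yield (path, old, new) for every leaf that differs."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            yield from _diff(old.get(key), new.get(key), f"{path}.{key}")
    elif old != new:
        yield (path, old, new)

def changed_settings(record):
    """Return changed settings from one audit record, in either layout."""
    if record.get("activityDisplayName") not in ACTIVITIES:
        return []
    changes = []
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            old, new = _parse(prop.get("oldValue")), _parse(prop.get("newValue"))
            changes.extend(_diff(old, new, prop.get("displayName", "")))
    return changes

def _record(name, old, new):
    """Build a constructed sample record (assumed directoryAudit shape)."""
    prop = {"displayName": name, "oldValue": json.dumps(old), "newValue": json.dumps(new)}
    return {"activityDisplayName": "Authentication Methods Policy Update",
            "targetResources": [{"modifiedProperties": [prop]}]}

# Constructed samples, not real tenant data; setting names are illustrative.
# Old layout: whole policy in both values, although one setting changed.
FULL_PAYLOAD = _record(
    "AuthenticationMethodsPolicy",
    {"fido2": {"state": "enabled", "isAttestationEnforced": True}, "sms": {"state": "disabled"}},
    {"fido2": {"state": "enabled", "isAttestationEnforced": False}, "sms": {"state": "disabled"}})
# New layout: only the modified property is present.
PER_PROPERTY = _record("fido2.isAttestationEnforced", True, False)

if __name__ == "__main__":
    for sample in (FULL_PAYLOAD, PER_PROPERTY):
        print(changed_settings(sample))
```

Both samples reduce to a single changed setting, so an alert on weakened passkey attestation can key on the returned path and values rather than on the raw old and new strings.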

 

SCIM 2.0 APIs for Microsoft Entra ID General Availability

Service category: Provisioning
Product capability: Identity Lifecycle Management

SCIM 2.0 APIs give organizations, developers, and partners a standards-based option for managing users and groups in Microsoft Entra using the System for Cross-domain Identity Management (SCIM) 2.0 specification.

 

Tenant configuration management APIs General Availability 

Service category: Tenant Governance
Product capability: Tenant Governance

Tenant Configuration Management APIs allow organizations to take snapshots of their tenants' current configuration settings in a JSON format and to enforce configuration settings by offering continuous monitoring of drifts.

 

Microsoft Entra Backup and Recovery Public Preview

Service category: Entra Backup and Recovery
Product capability: Entra Backup and Recovery

Microsoft Entra Backup and Recovery is a built-in solution to help restore your tenant after accidental changes or malicious updates. Always on by default, it automatically backs up critical directory objects, including users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, agent IDs, and authentication and authorization policy, so admins can quickly restore them to a previously known good state.

 

Microsoft Entra passkeys on Windows Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra passkeys on Windows are now available in public preview. This feature allows people to register device‑bound passkeys directly in the local Windows Hello container and use them to sign in to Microsoft Entra ID with Windows Hello biometrics or PIN.

Entra passkeys on Windows behave as standard FIDO2 credentials and can be used for Entra authentication flows without requiring the device to be Microsoft Entra-joined or -registered. During public preview, the feature is opt‑in and requires explicit configuration through passkey profiles to allow Windows Hello as a passkey provider.

 

Cross-tenant security group synchronization Public Preview

Service category: Provisioning
Product capability: Collaboration

Cross-tenant group synchronization is a new capability that allows organizations to synchronize security groups across Microsoft Entra tenants. This feature enables centralized management of group membership in a source tenant while making those groups available in one or more target tenants, simplifying cross-tenant collaboration and reducing administrative overhead associated with managing duplicate groups.

With cross-tenant group synchronization, organizations can extend their existing cross-tenant synchronization configurations to include groups, supporting scenarios such as shared application access, resource authorization, and consistent group-based access control across tenants. Admins can opt in to this functionality and configure attribute mappings and cross-tenant access policies to enable group synchronization into target tenants. Use of cross-tenant group synchronization requires Microsoft Entra ID Governance licenses. Existing licensing requirements for cross-tenant user synchronization features remain unchanged.

 

Tenant governance relationships Public Preview

Service category: Tenant Governance
Product capability: Tenant Governance

This feature allows admins to request and accept tenant governance relationships, which grant admins of the governing tenant access and administrative control over the governed tenant.

 

Service category: Tenant Governance
Product capability: Tenant Governance

This feature allows admins to discover related tenants connected to their own by B2B activity or shared billing information. Admins can use this information to request and establish tenant governance relationships, or to quarantine potential risks.

 

Tenant configuration management administration portal experience Public Preview

Service category: Tenant Governance
Product capability: Tenant Governance

Admins can use the Entra admin center to manage tenant configuration management capabilities of Entra tenant governance. Admins can use this experience to:

  • Create and update monitors to define the desired state of resources in your tenant across a range of Microsoft services, and monitor the actual state of those resources relative to the desired state on an ongoing basis.
  • See reports of monitor results, and details of any configuration drifts identified by the configuration management service when it runs a monitor that you defined.
  • Manage permission for the configuration management service to monitor resources in your tenant, by assigning app permissions or Entra roles.

 

Secure add-on tenant creation Public Preview

Permissioned users can now create add-on tenants that are owned and governed by their home tenant. Governance is established through tenant governing relationships, granting admins access and control via GDAP.

 

Entra Hybrid Join using Entra Kerberos Public Preview

Service category: Device Registration and Management
Product capability: Device Lifecycle Management

This new capability enables a Windows device to become hybrid Entra-joined immediately at provisioning time, without waiting for Entra Connect Sync or requiring AD FS. By leveraging Entra Kerberos, organizations can modernize their hybrid identity architecture while reducing infrastructure complexity and dependency on legacy federation components.

 

Passkey Adoption Campaigns with the Conditional Access Optimization Agent Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

The Conditional Access Optimization Agent now supports passkey adoption campaigns in public preview, helping organizations roll out phishing‑resistant authentication in a structured and automated way.

With this capability, the agent can assess user and device readiness, generate a recommended deployment plan, guide users through required steps, and automatically enforce Conditional Access policies once users are ready. Campaigns progress continuously as prerequisites are met, reducing manual effort for large‑scale passkey rollouts.

 

Phased Rollout with the Conditional Access Agent Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Admins can now use the Conditional Access Optimization Agent to safely roll out any report‑only Conditional Access policy in phases. When you initiate the process, the agent analyzes sign‑in data to recommend a low‑risk, staged deployment plan, starting with smaller user groups and gradually expanding, so you can turn policies on with confidence and minimize user impact.
