What's New in Entra in April 2026


Microsoft Entra

Entra, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra for April 2026:

 

What's Planned

Migrate from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync

Service category: Entra Connect
Product capability: Entra Connect

As organizations look to strengthen identity security and advance their Zero Trust strategies, many are looking for simpler, more reliable ways to manage hybrid identity. To support these needs, Microsoft is beginning the transition from Microsoft Entra Connect Sync to the cloud‑native Microsoft Entra Cloud Sync, helping reduce on‑premises complexity while improving security, reliability, and day‑to‑day manageability.

This shift is a key step toward a cloud-managed identity future that will provide a more secure, resilient, and easier-to-operate synchronization experience. As part of ongoing modernization efforts, Microsoft’s strategy remains to deliver stronger security, improved reliability, and simpler identity operations.

Starting in July 2026, Microsoft will notify organizations through the M365 Message Center, Entra Connect Health, and targeted emails about their individual transition timelines. The transition will be rolled out in phases,

 

Update SCIM provisioning applications to use modern authentication

Service category: Provisioning
Product capability: Outbound to SaaS Applications

SCIM provisioning applications that use the OAuth 2.0 Authorization Code grant will be updated to support modern authentication methods, such as OAuth 2.0 Client Credentials and workload identity federation. Existing provisioning jobs will not switch automatically. Organizations will need to update job configuration after the new method is available. A small number of applications that cannot support a modern method may be retired from the Microsoft Entra app gallery.

This update strengthens the security of Microsoft Entra provisioning integrations by moving away from older authentication patterns. Modern methods are better suited for service-to-service scenarios and can reduce credential management overhead, including the need to rotate shared secrets.

This change will roll out over the coming months, and timing will vary by application. Microsoft will share impacted applications, organization deadlines, and supporting documentation through monthly What’s new articles and the Microsoft 365 Message Center.

 

Switch from basic auth to workload identity based auth for SAP SuccessFactors provisioning integrations

Service category: Provisioning
Product capability: Inbound to Entra ID

Microsoft Entra is introducing workload identity–based authentication for SAP SuccessFactors provisioning. This new capability allows the Microsoft Entra provisioning service to authenticate to SAP SuccessFactors using Entra workload identity and short‑lived tokens instead of static credentials (username and password).

This change helps organizations transition to a more secure authentication model in preparation for SAP’s plan to deprecate basic authentication for SuccessFactors APIs by November 2026.

 

What's New

License Usage General Availability

Service category: Reporting
Product capability: Monitoring & Reporting

The License Usage page in the Microsoft Entra admin center helps organizations optimize their Entra licenses by providing visibility into feature usage across their Entra tenant. It shows how many Entra ID P1, P2, and Suite licenses the organization owns, along with usage of key features such as Conditional Access and risk‑based Conditional Access mapped to each license type. Admins can also review usage trends over the past six months. This view gives them a clearer understanding of the license footprint, the value the organization derives from Entra, and potential over‑usage risks within the Entra tenant.

 

Configurable Token Lifetime Policies General Availability

Service category: Authentications (Logins)
Product capability: Platform

Configurable token lifetime policies are now generally available in Microsoft Entra ID. This feature allows admins to customize the lifetimes of access tokens, ID tokens, and SAML tokens issued by the Microsoft identity platform by creating and assigning token lifetime policies to applications and service principals.

With configurable token lifetime policies, organizations can adjust token durations to meet their security and usability requirements.
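The following sketch is an added example, not code from Microsoft or from this post. It builds the Microsoft Graph request bodies for creating and assigning a token lifetime policy, and audits existing policies for long-lived access tokens. It assumes the documented `AccessTokenLifetime` bounds of 10 minutes to 1 day; the policy names and the 2-hour audit ceiling are constructed for illustration.

```python
import json
import re
from datetime import timedelta

# Assumption: documented AccessTokenLifetime bounds (10 minutes to 1 day).
MIN_LIFETIME = timedelta(minutes=10)
MAX_LIFETIME = timedelta(days=1)
GRAPH = "https://graph.microsoft.com/v1.0"

def parse_timespan(value):
    """Parse a .NET-style timespan ('hh:mm:ss' or 'd.hh:mm:ss') into a timedelta."""
    m = re.fullmatch(r"(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})", value)
    if not m:
        raise ValueError(f"not a timespan: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def build_policy(display_name, access_token_lifetime):
    """Return the request body for POST /policies/tokenLifetimePolicies."""
    life = parse_timespan(access_token_lifetime)
    if not MIN_LIFETIME <= life <= MAX_LIFETIME:
        raise ValueError(f"{access_token_lifetime} is outside 10 minutes to 1 day")
    inner = {"Version": 1, "AccessTokenLifetime": access_token_lifetime}
    definition = json.dumps({"TokenLifetimePolicy": inner})
    return {"definition": [definition], "displayName": display_name,
            "isOrganizationDefault": False}

def build_assignment(policy_id):
    """Return the body for POST /applications/{id}/tokenLifetimePolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}

def audit(policies, ceiling=timedelta(hours=2)):
    """Return display names of policies whose access token lifetime exceeds ceiling."""
    flagged = []
    for p in policies:
        for raw in p.get("definition", []):
            inner = json.loads(raw).get("TokenLifetimePolicy", {})
            life = inner.get("AccessTokenLifetime")
            if life and parse_timespan(life) > ceiling:
                flagged.append(p["displayName"])
    return flagged

# Constructed sample, shaped like the results of GET /policies/tokenLifetimePolicies.
SAMPLE = [
    build_policy("short-lived-api", "00:30:00"),
    build_policy("legacy-portal", "1.00:00:00"),
    {**build_policy("org-default", "01:00:00"), "isOrganizationDefault": True},
]
```

Running `audit(SAMPLE)` flags only `legacy-portal`, the policy whose access tokens stay valid for a full day.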

 

Microsoft Entra Agent ID platform General Availability

Service category: Other
Product capability: Identity Security & Protection

The Microsoft Entra Agent ID platform is now generally available. The Agent ID platform provides an identity and authorization framework built specifically for AI agents operating in enterprise environments. It enables developers to create and manage agent identities with enterprise-grade authentication, authorization, and governance, using standard protocols such as OAuth 2.0, MCP, and A2A.

 

Microsoft Entra Certificate-based authentication (CBA) support on iOS and CBA as second factor General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra Certificate-Based Authentication (CBA) is now generally available on iOS. Native iOS sign-ins now avoid unnecessary password and multi-factor authentication (MFA) prompts, enabling CBA as a supported second factor and allowing it to be prioritized as a system‑preferred MFA method. People can choose another allowed MFA method if needed, based on tenant policy.

 

Entra CBA as third option in system-preferred MFA methods General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Due to known issues on the iOS platform, the Entra certificate-based authentication (CBA) method was not allowed as a second factor on iOS, and CBA was moved to the last place in the system-preferred MFA list.

Microsoft has improved the sign-in experience with certificates in native iOS apps by removing unnecessary password and MFA prompts, with all the known issues addressed. This enhancement enables Microsoft to support CBA as a second factor on iOS and to move CBA to third place in the system-preferred MFA methods.

 

Issuer Hints for Microsoft Entra CBA General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

The Issuer Hints feature is now generally available and helps improve the sign‑in experience for Entra Certificate‑Based Authentication (CBA) by ensuring people are prompted to select only certificates that are trusted and valid for their organization. This reduces confusion, minimizes sign‑in errors, and streamlines certificate selection, especially on devices with multiple certificates installed. Issuer hints are designed to enhance both security and usability without changing how certificates are issued or managed.

 

Entra CBA Certificate Authority (CA) scoping General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

Entra CBA Certificate Authority (CA) scoping in Microsoft Entra allows tenant admins to restrict the use of specific certificate authorities (CAs) to defined user groups. This feature enhances the security and manageability of certificate-based authentication (CBA) by ensuring that only authorized users can authenticate using certificates issued by specific CAs.

 

Enforce Conditional Access policies on every PIM activation General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Configuring reauthentication with Conditional Access for Microsoft Entra Privileged Identity Management role activation is now generally available.

 

Enabling Social Identity Providers in Entra External ID Native Authentication via browser‑delegated (web‑view) flows using SDKs for applications General Availability

Service category: B2C – Consumer Identity Management
Product capability: Developer Experience

Build secure sign‑in and sign‑up experiences for applications in Entra External ID using Native Authentication, with Social Identity Provider support such as Google, Facebook, and Apple available through browser‑delegated (web‑view) authentication using developer‑friendly SDKs.

 

As an AP requestor, I can see in My Access who my approver(s) are if the access package owner allows me to General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

In May, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature improves transparency and helps streamline communication between requestors and approvers. At the tenant level, approver visibility is enabled by default for all members (non-guests) and can be controlled through the Entitlement Management settings in the Microsoft Entra Admin Center. At the access package level, admins and access package owners can configure the approver visibility and choose to override the tenant level setting under the advanced request settings in the access package policy.

 

Prefetch Workday termination data to customize account disable logic General Availability

Service category: Provisioning
Product capability: Inbound to Entra ID

This Workday connector update resolves termination processing delays observed for workers in the APAC and ANZ regions. Admins can now enable the termination lookahead setting to prefetch data and tailor deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory.

 

Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) General Availability

Service category: Microsoft Identity Manager
Product capability: Identity Governance

Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) is now available. SP3 focuses on stability and supportability, modernizes compatibility with current platform components (SQL Server, SharePoint, and Exchange), and adds an additional deployment option for the Synchronization Service by enabling Azure SQL Database with managed identity authentication, helping reduce operational risk for hybrid identity environments.

 

GSA iOS client support General Availability

Service category: iOS client
Product capability: Network Access

The iOS Global Secure Access (GSA) client is now generally available. The Global Secure Access client on iOS and iPadOS requires no new agent installation. It leverages the existing Microsoft Defender for Endpoint (MDE) to route traffic through Microsoft SSE for Microsoft 365, internet access, and private access.

 

GSA Cloud Firewall for Remote Networks General Availability

Service category: Internet Access
Product capability: Network Access

Organizations can use the GSA cloud firewall to apply admin-configurable, 5-tuple-based filtering (source IP, destination IP, protocol, source port, destination port) to all internet traffic acquired from branch offices through the GSA remote networks capability.

 

Network Content Filtering based on File Types General Availability

Service category: Internet Access
Product capability: Network Access

Global Secure Access supports network-based content filtering based on file types. This allows admins to monitor and control file transfers across the network to GenAI and SaaS apps to prevent unauthorized exfiltration of content.

 

$count filtering in sign-ins API Public Preview

Service category: MS Graph
Product capability: Monitoring & Reporting

The ability to use $count in sign-ins API requests is now here, allowing organizations to perform count computations directly in API requests.

 

App-based branding via Branding themes in Microsoft Entra tenants Public Preview

Service category: User Experience and Management
Product capability: User Authentication

In Microsoft Entra tenants, organizations can create a single, tenant-wide, customized branding experience that applies to all apps. Microsoft is introducing the concept of Branding themes to allow organizations to create different branding experiences for specific applications.

 

Microsoft Entra ID federation with External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: 3rd Party Integration

Microsoft Entra ID federation with External ID enables organizations to let people sign in to customer‑facing applications using their existing workforce Entra ID identities. By leveraging standards‑based federation, people authenticate with their home tenant while applications hosted in an External ID tenant rely on trusted identity assertions from Entra ID. This approach reduces the need for duplicate accounts, streamlines sign‑in experiences, and allows organizations to extend consistent security controls across workforce and customer scenarios.

 

Account Discovery Public Preview

Service category: Provisioning
Product capability: 3rd Party Integration

Microsoft Entra ID Governance now supports account discovery for connected applications in public preview. This capability provides administrators with visibility into all accounts that exist within connected applications, including orphan accounts.

By generating discovery reports directly from the provisioning experience, organizations can identify accounts in connected applications that are not assigned to the enterprise application in Entra and simplify onboarding the application.

This capability requires a Microsoft Entra ID Governance or Microsoft Entra Suite license.
