Join us at the Hybrid Identity Protection Conference Europe 2026

Reading Time: 2 minutes

Hybrid Identity Protection Conference Frankfurt 2026

Following the Hybrid Identity Protection Conference in Charleston, South Carolina in November last year, I will be presenting an updated session on Enterprise Applications and Application Registrations in Microsoft Entra at the very first European Hybrid Identity Protection Conference… and that's not all: this time, Raymond Comvalius is joining me on stage to deliver our 5 do's and don'ts!

 

About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference (HIPConf) is Semperis Inc.’s event in the spirit of The Expert Conference (TEC), bringing together the leading experts in the field of Identity and Access Management. Attendees can meet face-to-face with the leading experts in their field, acquire in-depth technical knowledge, and be exposed to the latest innovations.

The 2026 Hybrid Identity Protection Conference season kicks off with HIPConf Europe at the Westin Grand in Frankfurt, Germany, on Tuesday February 10th, 2026.

 

About our session

Raymond and I present a 45-minute session on:

Entra ID Applications: 5 Dos & Don’ts to Protect Your Blind Spot

Tuesday February 10th, 2026, 2:50 PM – 3:30 PM CET

Microsoft offers application-integration features in Entra for single-tenant applications, multi-tenant applications, and workload identities.

As with every other Entra feature, application management, governance, and security require a certain level of attention. Unfortunately, application governance is not part of the official Microsoft curriculum, Entra SKUs, or IAM solutions. Entra admins: Don’t be blindsided!

Get real-world insights into the inevitable parallels in application integration between Active Directory and Entra and learn valuable tips and tricks for keeping Microsoft Entra enterprise applications and application registrations in check.

 

Join us!

Register for Hybrid Identity Protection Conference Europe 2026.

The 2026 European Hybrid Identity Protection Conference uses AccelEvents as the delivery platform. By registering you confirm you intend to interact with and disclose personal information to Semperis and AccelEvents.


A Practical Approach to Monitoring the Entra Provisioning Service

Reading Time: 3 minutes

Microsoft Entra

Organizations that choose to leverage Entra's identity governance and administration (IGA) capabilities – instead of the more mainstream SailPoint and Saviynt solutions, but perhaps as a logical successor to Microsoft Identity Manager – may notice that the Entra Provisioning Service lacks a service level agreement (SLA) and is missing from Microsoft's Status dashboard. As this service is the cornerstone of these IGA implementations, being aware of its unavailability is key.

 

About the Entra Provisioning Service

The Entra Provisioning Service offers automatic provisioning and deprovisioning of user objects and roles in Entra applications. It supports Joiner, Mover and Leaver (JML) flows using System for Cross-Domain Identity Management (SCIM) 2.0. When an application is configured for on-premises provisioning, the Entra Provisioning Service works together with the Entra Provisioning Agent to deliver SCIM 2.0 requests to the SCIM 2.0 endpoints of on-premises applications.

 

About the Entra SLA

The Service Level Agreement (SLA) documents describe Microsoft’s commitments for uptime and connectivity for Microsoft Online Services. The agreement covers Microsoft Entra. However, its 99,99% availability currently only applies to times when users are unable to log in to the Microsoft Entra ID service, or when Microsoft Entra ID fails to successfully emit the authentication and authorization tokens required for users to log into applications connected to the service. Basically, its scope is authentication and token issuance. Azure AD B2C and Entra Domain Services also have SLAs, but the Entra Provisioning Service falls squarely out of scope: its SLA is non-existent.

 

About the Azure Status dashboard

Microsoft's Status dashboard provides an overview of the availability of Microsoft services per geographical region. It features Identity services, like Entra ID, Azure AD B2C, Azure AD Domain Services, Global Secure Access and Multi-Factor Authentication, but lacks a status for the Entra Provisioning Service.

 

The challenge with monitoring the Entra Provisioning Service

Based on the above information, Microsoft does not provide any guarantees or insights around the availability of the Entra Provisioning Service. This makes it challenging for organizations to adopt the functionality, as it may constitute a liability in an organization's information security operations.

When confronted with this challenge at a customer, I devised a way to monitor the availability of the Entra Provisioning Service end-to-end, as this organization already utilizes the Entra Provisioning Agent and Azure API Management. Now, your organization can use this solution, too.

 

An overview for monitoring

One of the key metrics for the Entra Provisioning Service is that its provisioning cycles run every 40 minutes.

The solution consists of seven building blocks:

  1. An email address for the team responsible for the JML process towards SCIM 2.0-capable applications
  2. A security group in Entra that is exclusively used as the scoping mechanism for monitoring
  3. An Enterprise application in Entra configured for on-premises provisioning. This app is exclusively for monitoring purposes and does not constitute an actual on-premises application, but does (optionally) communicate to a SCIM 2.0 endpoint on the Azure API Management instance. This application should be scoped to the aforementioned security group
  4. The email address configured in the Settings for the monitoring enterprise application to receive notifications and to receive alerts on errors
  5. An Azure function that, every 30 minutes, toggles the membership of a single monitoring user object in the aforementioned security group (which is in scope for provisioning to the monitoring Enterprise application), so that every provisioning cycle has a change to process
  6. An Azure function that, every 20 minutes, reads the Entra Provisioning logs through the Graph API, scoped to the aforementioned Enterprise application, and sends a notification to the email address when there has been no log activity in the past 125 minutes
  7. (optionally) A monitoring rule in Azure API Management on the monitoring endpoint that sends a notification when there is no activity for the past 125 minutes
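The core of building block 6, as an added example in Python rather than the post's own Azure function: scope a Microsoft Graph provisioning-log query to the monitoring enterprise application, parse the timestamps, and raise an alert when the last logged activity is older than 125 minutes. The Graph endpoint and filter properties are the documented ones; the function names, the injected `fetch` seam (a real timer function would pass an authenticated GET, e.g. with a token carrying AuditLog.Read.All), the service principal id and the sample log entries are constructed for this example.

```python
"""Staleness check for the Entra Provisioning Service (added example).

The post's Azure function is not reproduced here; this is an independent
implementation of the same idea. Names below are hypothetical, the Graph call
is injected so the logic runs offline, and all sample data is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional

GRAPH_PROVISIONING_LOGS = "https://graph.microsoft.com/v1.0/auditLogs/provisioning"
PROVISIONING_CYCLE_MINUTES = 40   # the service's cycle length, as stated in the post
# The post uses 125 minutes; reading it as three 40-minute cycles plus a margin is
# my interpretation, not the author's stated rationale.
SILENCE_THRESHOLD_MINUTES = 125


def build_provisioning_query(service_principal_id: str, since: datetime) -> str:
    """Graph URL scoped to one enterprise application (service principal) and
    limited to entries newer than `since`, so unrelated production provisioning
    traffic cannot mask an outage of the monitoring app. An HTTP client such as
    requests percent-encodes the spaces in the $filter expression."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    odata_filter = (f"servicePrincipal/id eq '{service_principal_id}' "
                    f"and activityDateTime ge {stamp}")
    return f"{GRAPH_PROVISIONING_LOGS}?$filter={odata_filter}"


def parse_graph_time(value: str) -> datetime:
    """Graph emits UTC timestamps such as 2026-02-10T14:25:11.1234567Z; the
    seven-digit fraction is truncated to microseconds by hand so parsing does
    not depend on the fromisoformat() behaviour of a particular Python version."""
    head, _, frac = value.rstrip("Z").partition(".")
    moment = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return moment.replace(microsecond=micro, tzinfo=timezone.utc)


def evaluate(entries: Iterable[dict], now: datetime,
             threshold_minutes: int = SILENCE_THRESHOLD_MINUTES) -> dict:
    """Judge a window of provisioning log entries. No entries at all counts as
    stale: the monitoring user is toggled every 30 minutes, so a healthy
    service always leaves something in the window."""
    times = [parse_graph_time(entry["activityDateTime"]) for entry in entries]
    last = max(times) if times else None
    if last is None:
        return {"stale": True, "last_activity": None,
                "silent_minutes": None, "missed_cycles": None}
    silent_minutes = (now - last).total_seconds() / 60
    return {
        "stale": silent_minutes > threshold_minutes,
        "last_activity": last,
        "silent_minutes": silent_minutes,
        "missed_cycles": int(silent_minutes // PROVISIONING_CYCLE_MINUTES),
    }


def format_alert(report: dict, app_name: str) -> Optional[str]:
    """Text for the e-mail to the JML team, or None when nothing is wrong."""
    if not report["stale"]:
        return None
    if report["last_activity"] is None:
        return (f"No provisioning activity logged for '{app_name}' in the past "
                f"{SILENCE_THRESHOLD_MINUTES} minutes.")
    return (f"Provisioning for '{app_name}' last ran at "
            f"{report['last_activity']:%Y-%m-%d %H:%M UTC}; "
            f"{report['missed_cycles']} expected cycles were missed.")


def check_provisioning(service_principal_id: str, fetch: Callable[[str], dict],
                       now: Optional[datetime] = None,
                       threshold_minutes: int = SILENCE_THRESHOLD_MINUTES) -> dict:
    """One run of the 20-minute timer. `fetch` is a hypothetical seam: an
    authenticated GET returning the decoded Graph JSON. A 125-minute window for
    a single monitoring app fits in one page, so @odata.nextLink is not followed."""
    now = now or datetime.now(timezone.utc)
    since = now - timedelta(minutes=threshold_minutes)
    page = fetch(build_provisioning_query(service_principal_id, since))
    return evaluate(page.get("value", []), now, threshold_minutes)


# Constructed sample data (not real tenant values).
MONITOR_SP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_NOW = datetime(2026, 2, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_HEALTHY = {"value": [   # two recent cycles processed the membership toggle
    {"activityDateTime": "2026-02-10T13:45:03Z", "provisioningAction": "update",
     "servicePrincipal": {"id": MONITOR_SP_ID}},
    {"activityDateTime": "2026-02-10T14:25:11.1234567Z", "provisioningAction": "update",
     "servicePrincipal": {"id": MONITOR_SP_ID}},
]}
SAMPLE_SILENT = {"value": []}   # nothing logged inside the window


if __name__ == "__main__":
    for label, page in (("healthy", SAMPLE_HEALTHY), ("silent", SAMPLE_SILENT)):
        report = check_provisioning(MONITOR_SP_ID, lambda _url, p=page: p, now=SAMPLE_NOW)
        print(label, report["stale"], format_alert(report, "Provisioning monitor"))
```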

Join the IT Bro's for Workplace Ninja Connect 2026

Reading Time: 2 minutes

Workplace Ninja's NL Connect 2026

Raymond and I have been invited as speakers for the upcoming Connect event, organized by the Workplace Ninja's User Group the Netherlands, on February 4th, 2026, at the Van der Valk Hotel in Gorinchem, the Netherlands.

 

About Workplace Ninja's Connect

Workplace Ninja's Connect brings IT professionals, decision-makers, and community experts together to learn, share, and connect around the latest developments in Workplace Technologies. Whether you are looking for deep technical insights, strategic guidance, or inspiration from peers, this event is designed to help you take the next step in modern workplace and security.

 

About our session

Raymond and I present a 60-minute session on:

Entra ID Applications: Five Do’s and Don’ts for this potential blind spot

Wednesday February 4th, 2026, Room Vue 6, 4 PM – 5 PM CET

Microsoft offers application integration features in Entra for single-tenant applications, multi-tenant applications and workload identities. Just like every other feature in Entra, management, governance, and security for applications require a certain level of attention.

Unfortunately, application governance is not part of the official Microsoft curriculum, nor of any of the Microsoft Entra SKUs or IAM solutions. For most Entra admins this is a huge and potentially dangerous blind spot. In this session, we provide better optics on the situation and share our real-world insights from Entra ID application governance.

We'll sprinkle valuable tips and tricks throughout the session, specifically designed to keep Microsoft Entra Enterprise Applications and Application Registrations in check, making this a MUST-attend session for all Entra admins!

 

Join us!

Although the event is sponsored, due to the high costs involved, the Workplace Ninja's are unable to offer this event free of charge. A small participation fee helps cover part of the catering (coffee, lunch, and refreshments) throughout the day.

Get one of the last available tickets here.


Watch our discussion on the 'Sentinels Talk Show' and learn essential Entra ID security

Reading Time: < 1 minute

Sentinels Talk Show

A few weeks ago, Raymond Comvalius and I joined Erdal Ozkaya on the Sentinels Talk Show to talk about Entra ID security. This 45-minute discussion is now available on demand:

 

With 50 years of combined Microsoft MVP experience, Raymond and I pull no punches in this unfiltered conversation essential for every CISO, CIO, and IT Pro managing Microsoft cloud environments. We discuss:

  • The Passwordless Paradox: Why the move to FIDO2 fails and how to fix it.
  • Entra ID Mistakes: The most dangerous configuration errors organizations are making right now.
  • AI in Identity: How Security Copilot and AI agents are changing the security game.
  • The CISO's Mandate: The one piece of advice every technology leader needs to hear.
  • Skills to Stay Relevant: What IT Pros should be learning today to thrive tomorrow.

This is a strategic injection of expertise you can’t afford to miss, and it's available for free.


The video of Managing Active Directory Like It's 2003 is now available on demand

Reading Time: 2 minutes

IT GRC Forum - Empowering the GRC community

On October 15th, 2025, Darryl Baker, senior solutions architect at Netwrix, and I presented a webinar titled 'Managing Active Directory Like It’s 2003 Leaves You Exposed in 2025' with the IT GRC Forum.

Active Directory and Windows Server have evolved significantly, but many organizations still rely on outdated management practices. Since Microsoft enhanced replication and security features in Windows Server 2003, Active Directory has gained powerful capabilities that are often underutilized. With Windows Server 2025 now rolling out, maintaining legacy practices increases risk, leaving organizations vulnerable to ransomware and other cyberattacks that target directory services.

 

Watch it now

It is now available on demand after a free registration.

The recording of this webinar provides actionable strategies to modernize Active Directory management and strengthen your security posture. You will learn how to streamline directory management, reduce complexity, detect and remediate common misconfigurations, and implement robust monitoring for suspicious activity. We also cover compliance alignment and governance best practices to ensure your Active Directory environment meets modern security standards.

If you manage Active Directory, this session is essential. Gain practical insights to harden your directory infrastructure, protect against threats, and maintain regulatory compliance. Don’t risk falling behind—modernize your Active Directory management today.

Enjoy!

 

About IT GRC Forum

The goal of IT GRC Forum is to help industry stakeholders, government regulators, and end-users better understand and manage the increasingly complex Governance, Risk Management and Compliance (GRC) landscape across the organization. IT GRC Forum aims to empower the GRC community by providing the most current educational resources and a user friendly forum for collaboration with peers.

 

About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


What's New in Entra in January 2026

Reading Time: 3 minutes

Microsoft Entra

Entra, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra for January 2026:

 

What's New

Service Principal creation audit logs General Availability

Service category: Audit
Product capability: Monitoring & Reporting

New audit log properties now make it easy for admins to understand why a service principal was created and who or what triggered it. The logs now surface the provisioning mechanism, the specific SKUs or service plans that enabled just‑in‑time creation, and the home tenant of the app registration. This helps admins quickly distinguish Microsoft‑driven provisioning from tenant‑driven activity, streamlining alerting and investigations into newly created service principals.

 

Ability to convert Source of Authority of synced on-premises AD users to cloud users General Availability

Service category: User Management
Product capability: Microsoft Entra Cloud Sync

With object-level Source of Authority (SOA) switching for Microsoft Entra ID, admins can transition individuals from being synchronized with Active Directory to becoming cloud-managed accounts within Microsoft Entra ID. The accounts for these people are no longer tied to Entra Connect Sync and behave like native cloud user accounts, giving admins greater flexibility and control. This capability enables organizations to gradually reduce dependence on Active Directory and simplify migration to the cloud, all while minimizing disruption to people and daily operations. Both Microsoft Entra Connect Sync and Cloud Sync fully support this SOA switch, ensuring a smooth transition process.

 

Microsoft Entra ID Governance guest billing meter enforcement General Availability

Service category: Entitlement Management, Lifecycle Workflows
Product capability: Entitlement Management, Lifecycle Workflows

Enforcement for the Microsoft Entra ID Governance guest billing meter is now in effect for:

  • Entitlement Management
  • Lifecycle Workflows

To keep using Entra ID Governance premium features for guest users in workforce tenants, admins must link a valid Azure subscription to activate the Microsoft Entra ID Governance for guests add-on. If a subscription isn’t linked, creation or updates of new guest-scoped governance configurations will be restricted, and guest-specific governance actions may fail until billing is configured.

Note:
Enforcement of the Microsoft Entra ID Governance guest billing meter for Access Reviews follows later in CY26 Q1.

 

Client Credentials in Microsoft Entra External ID General Availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Client credentials in Entra External ID are now generally available. The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. Permissions are granted directly to the application itself by an administrator.

Billing: When you configure machine-to-machine (M2M) authentication for Microsoft Entra External ID, you must use the M2M Premium add‑on. Review your organization’s premium add‑on usage policy to understand cost implications and ensure the implementation complies with internal governance and licensing guidelines.

 

App-based branding via Branding themes in Entra External ID General Availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

In Entra External ID, organizations can create a single, tenant-wide, customized branding experience that applies to all apps. Microsoft is introducing the concept of Branding "themes" to allow organizations to create different branding experiences for specific applications. A new Live Preview feature also helps quickly visualize the changes before saving.

 

Session Control Conditional Access Policies in Entra External ID General Availability

Service category: Conditional Access
Product capability: B2B/B2C

Entra External ID admins can configure persistent browser session and sign‑in frequency in Conditional Access.

 

Entra Private Access for Domain Controllers General Availability

Service category: Private Access
Product capability: Network Access

Bring multi-factor authentication to on‑premises applications when accessed from on‑premises, i.e., local‑to‑local access, while safeguarding domain controllers against identity threats. Enable secure access to private apps that use domain controllers for Kerberos authentication.

 

What's Changed

Improved enforcement for All resources policies with resource exclusions General Availability

Service category: Conditional Access
Product capability: Access Control

Microsoft Entra Conditional Access is strengthening how policies that target All resources with resource exclusions are enforced in a narrow set of authentication flows. After this change, in user sign‑ins where a client application requests only OIDC or specific directory scopes, Conditional Access policies that target All resources with one or more resource exclusions, or policies that explicitly target Azure AD Graph, will be enforced. This ensures that policies are consistently applied regardless of the scope set requested by the client application.


What's New in Entra ID for December 2025

Reading Time: 3 minutes

Microsoft Entra

Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for December 2025:

 

What's New

Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11 Generally Available

Service category: Authentications (Logins)
Product capability: SSO

Windows has many user experiences that use a WebView to gather web content and present it to users so that it looks like native content. One of the common scenarios for this is authentication flows, where a user is prompted for credentials.

Microsoft Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting with the December 9, 2025, updates for Windows 11 (KB5072033 (OS Builds 26200.7462 and 26100.7462)). This release marks a significant step forward in delivering a secure, modern, and consistent sign-in experience across apps and services.

WebView2 will become the default framework for WAM authentication in an expected future Windows release, with the EdgeHTML WebView being deprecated. Moving to WebView2 is more than a technical upgrade, it’s a strategic investment in secure, user-friendly identity experiences. Microsoft is committed to evolving Microsoft Entra ID to meet the needs of modern organizations and developers.

 

Just-in-time password migration to Microsoft Entra External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The Just-in-Time (JIT) Password Migration feature is designed to provide a seamless and secure experience for customers transitioning to Microsoft Entra External ID. This capability enables external identity providers to migrate user credentials during sign-in, eliminating the need for bulk password resets and minimizing disruption for end users. When a user meets the migration conditions at sign-in, their credentials are securely transferred as part of the process, ensuring continuity and reducing friction.

By integrating migration into the authentication flow, organizations can simplify administrative tasks while maintaining security standards. This approach not only enhances user experience but also accelerates adoption of Microsoft Entra External ID without compromising operational efficiency.

 

Protect enterprise generative AI applications with Prompt Shield Public Preview

Service category: Internet Access
Product capability: Network Access

Admins can now block prompt injection attacks to enterprise Generative AI apps in real-time with universal policy controls, extending Azure AI Prompt Shield to all network traffic.

 

B2B guest access support in Global Secure Access Public Preview

Service category: B2B
Product capability: Network Access

Admins can now enable the B2B guest access feature for guest users with the Global Secure Access client, signed in to their home organization's Microsoft Entra ID account. The Global Secure Access client automatically discovers partner tenants where the user is a guest and offers the option to switch into the customer's tenant context. The client routes only private traffic through the customer's Global Secure Access service.

 

Data exploration using Microsoft Security Copilot in Entra Public Preview

Service category: N/A
Product capability: Identity Security & Protection

Microsoft Security Copilot in Microsoft Entra now supports data exploration when prompts return datasets with more than 10 items. This feature is available for select Microsoft Entra scenarios. From the Copilot chat response, select Open list to access a comprehensive data grid. This allows admins to explore large datasets with complete and accurate results, enabling more efficient decision-making. Each data grid displays the underlying Microsoft Graph URL, helping admins verify query accuracy and build confidence in the results.

 

What's Fixed

Microsoft Entra Connect security hardening to prevent user account takeover Generally Available

Service category: Entra Connect
Product capability: Access Control

As part of ongoing security hardening, Microsoft has implemented new safeguards to block account takeover attempts via hard match abuse in Microsoft Entra Connect. These tactics are known as SyncJacking. Enforcement of this change begins in March 2026.

What’s Changing:

  • Enforcement logic now checks OnPremisesObjectIdentifier to detect and block remapping attempts.
  • Audit logs have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled.
  • Admin capability added to clear OnPremisesObjectIdentifier for legitimate recovery scenarios.

To prevent SyncJacking before March 2026, upgrade to the latest Microsoft Entra Connect version, and disable hard match takeover.


Enterprise Certificate Pinning might hurt your Hybrid Identity security efforts this January (MC1193408)

Reading Time: 3 minutes

Enterprise Certificate Pinning

While being touted as one of the more robust ways to prevent Adversary in the Middle (AitM) attacks against TLS-protected resources, for some admins, the Enterprise Certificate Pinning feature in Windows may lock out their entire organization.

However, Enterprise Certificate Pinning is not advised for domain names outside of your organization, when their certificates are issued by a public Certification Authority (CA).

For some admins, this will become painfully clear this week. Not because they underestimated the validity period for a pinned certificate, but because a major change in the certificate chain for important resources in their Hybrid Identity setup is occurring.

 

How Enterprise Certificate Pinning works

Although risky, the Enterprise Certificate Pinning feature in Windows can be hugely advantageous to admins who want to prevent resources from being spoofed.

Enterprise Certificate Pinning lets an admin remember (pin) a root or issuing Certification Authority (CA) certificate, or an end-entity certificate, to a domain name for end-user Windows devices. When a resource presents a certificate chain that does not match the remembered (pinned) certificate, the Windows device treats its certificate as invalid or revoked (depending on the settings set by an admin).

To take advantage of this feature, an admin can create a pin rules certificate trust list with pinned certificates per domain name. From that moment on, only that certificate and/or certificates chaining to that Root CA are trusted for that domain name.

Enterprise Certificate Pinning leverages the Windows Registry to store the pin rules certificate trust list in the PinRules binary value underneath HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config.

 

How Hybrid Identity admins may have used Enterprise Certificate Pinning

Because some TLS-protected resources are considered high-risk, even though they are managed outside of your organization, Enterprise Certificate Pinning might sound like a great security idea to ensure that only a specific certificate is considered valid for that particular resource.

A few high-risk external resources that might fit that bill:

  • microsoftonline.com
  • live.com
  • windows.net
  • microsoftazuread-sso.com
  • windows.net

All of these domains have in common that the DigiCert Root Certification Authority (CA) is the top-level certificate in their certificate chain. For the latter four domains, however, Microsoft set January 7th, 2026 as the date on which they switch their certificate chain from DigiCert’s G1 infrastructure to its G2 infrastructure.

This is communicated as part of Microsoft Message Center item MC1193408.

Microsoft switches to DigiCert’s newer infrastructure for improved security and compliance. Note that DigiCert’s G1 Root CA has a certificate that is still valid until November 10th, 2030.

If the DigiCert Root CA is pinned for these domain names, then – from the moment of the switch – the certificates for these domains will be treated as invalid or revoked. After all, the certificate chain changes and no longer features the pinned certificate as the top-level certificate in the chain. This applies to:

  • login.live.com (used for Personal Accounts)
  • login.windows.net (Primarily used by the decommissioned ADAL and for v1 application integration with Entra)
  • autologon.microsoftazuread-sso.com (used for Seamless Single Sign-on)
  • graph.windows.net (endpoint for the decommissioned Azure AD Graph)

 

Remove Enterprise Certificate Pinning rules

Enterprise Certificate Pinning is not advised for domain names outside of your organization, when their certificates are issued by a public Certification Authority (CA).

Admins hoping to find the contents of the pin rules certificate trust list in either of these locations are sadly mistaken:

  • The Registry of the Windows devices these rules were deployed to
  • The Group Policy object and/or the MDM policy that deploys the certificate trust list

The above locations merely contain the binary-encoded representation of the *.stl file that was created from the *.xml file containing the pin rules.

To remove the pin rules, locate the *.xml file with the pin rules and remove the pins for the above domain names. If it is no longer present, create a new *.xml file containing only internal domains that use certificates issued by internally managed Certification Authorities (CAs). Then, roll out the new pin rules using Group Policy or your MDM solution.

If Enterprise Certificate Pinning is no longer needed in the organization, change the policy rules to delete the PinRules registry value.

 

How things may go sideways fast for Hybrid Identity admins

As login.windows.net is still leveraged intensively throughout Entra, with the certificate pin rules list in place, your MDM solution may not even be able to overwrite previously configured Pin Rules on your managed end-user devices as the MDM infrastructure is no longer trusted…

 

Act now!

If you have previously managed the Enterprise Certificate Pinning feature, or if you find the PinRules registry value on a typical end-user Windows device in your organization, act now to make sure you’ve only applied it to internal resources using certificates that are issued by internal certification authorities (CAs).


What's New in Entra ID for November 2025

Reading Time: 8 minutes

Microsoft Entra

Entra ID, previously known as Azure Active Directory, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for November 2025:

 

What's New

External ID regional expansion to Australia and Japan Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Microsoft is expanding Microsoft Entra External ID to Australia and Japan with a Go‑Local add‑on that keeps External ID data stored and processed in that location. This premium add‑on is selectable when admins create a new External ID tenant and is designed for organizations with strict data residency requirements. A small set of centralized platform services remains global, with no change to security or compliance posture.

 

New SCIM 2.0 SAP CIS connector Generally Available

Service category: Enterprise Apps
Product capability: Outbound to SaaS Applications

An updated SCIM 2.0 SAP Cloud Identity Services (CIS) connector was released to the Microsoft Entra app gallery on September 30, 2025. It replaces Microsoft's previous SAP CIS provisioning integration and now provides support for provisioning and deprovisioning groups to SAP CIS, custom extension attributes, and the OAuth 2.0 Client Credentials grant.

 

Reprocess failed users and workflows in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now supports reprocessing of workflow runs, helping organizations recover quickly when errors or failures are discovered. This includes the ability to reprocess previous runs, whether failed runs or runs that admins simply want to process again. Organizations can choose from the following options to fit their needs:

  • Select a specific workflow run to be reprocessed
  • Select which users from the workflow run to reprocess, e.g. only failed users or all users from the run

 

Groups Purview sensitivity label support in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Organizations can now view Purview sensitivity labels assigned to groups and Teams in Lifecycle Workflows. When configuring workflow tasks for managing group or Teams assignments, admins can now see the actively assigned sensitivity labels to support informed group selection decisions. This helps customers achieve stronger organizational compliance.

 

Trigger workflows for inactive employees and guests in Lifecycle Workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows now enables organizations to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign‑in inactivity. By detecting inactivity, the workflow automatically executes predefined tasks — such as sending notifications, disabling accounts, or initiating offboarding — when users exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently, reducing security exposure, reducing license waste, and enforcing governance policies at scale.

 

GSA + Netskope ATP & DLP integration Generally Available

Service category: Internet Access
Product capability: Network Access

In today's evolving threat landscape, organizations face challenges protecting sensitive data and systems from cyber attacks. Global Secure Access combines Entra Internet Access protections with Netskope's Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) capabilities to deliver real-time protection against malware, zero-day vulnerabilities, and data leaks, and simplifies management through a unified platform. Microsoft’s SSE solution adopts an open platform approach, enabling integration with third-party companies, with Netskope being the first.

 

Synced passkeys in Microsoft Entra ID Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID now supports synced passkeys stored in native and third‑party passkey providers. With this change, the passkey (FIDO2) authentication methods policy has been expanded to support group‑based configurations enabling separate rollouts of different types of passkeys.

 

Soft Deletion for Cloud Security Groups Public Preview

Service category: Group Management
Product capability: Identity Security & Protection

Soft deletion for cloud security groups introduces a safety mechanism that allows administrators to recover deleted groups within a 30‑day retention period. When a cloud security group is deleted, it is not immediately removed from the directory; instead, it enters a soft‑deleted state, preserving its membership and configuration. This feature helps prevent accidental data loss and supports business continuity by enabling quick restoration of groups without requiring manual recreation. Admins can restore soft‑deleted groups through the Microsoft Entra admin center or Microsoft Graph API during the retention window.
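As an added example (not from the original post), the following Microsoft Graph PowerShell script lists the groups currently in the soft-deleted state, calculates how much of the 30‑day retention window described above remains, and restores one security group by name. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Group.ReadWrite.All permission, and that soft-deleted security groups surface through the same /directory/deletedItems endpoint that soft-deleted Microsoft 365 groups already use; the group name is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller has Group.ReadWrite.All;
# soft-deleted security groups appear under /directory/deletedItems like M365 groups do.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

$retentionDays = 30   # retention period stated in the release notes

# Enumerate everything that is currently soft-deleted and work out how long each item has left.
$deleted = Get-MgDirectoryDeletedItemAsGroup -All -Property Id,DisplayName,DeletedDateTime,SecurityEnabled,GroupTypes |
    ForEach-Object {
        $purgeOn = $_.DeletedDateTime.AddDays($retentionDays)
        [pscustomobject]@{
            Id              = $_.Id
            DisplayName     = $_.DisplayName
            # A cloud security group is security-enabled and not a Microsoft 365 ('Unified') group.
            SecurityGroup   = $_.SecurityEnabled -and -not ($_.GroupTypes -contains 'Unified')
            DeletedDateTime = $_.DeletedDateTime
            DaysLeft        = [math]::Max(0, [int]($purgeOn - (Get-Date).ToUniversalTime()).TotalDays)
        }
    }

$deleted | Sort-Object DaysLeft | Format-Table -AutoSize

# Restore one security group by display name. Refuse to guess when the name is ambiguous:
# restoring the wrong group silently re-grants every access its old membership carried.
$target = 'SG-Finance-Readers'   # placeholder name, assumed for the example
$match  = @($deleted | Where-Object { $_.SecurityGroup -and $_.DisplayName -eq $target })
if ($match.Count -ne 1) {
    throw "Expected exactly one soft-deleted security group named '$target', found $($match.Count)."
}

Restore-MgDirectoryDeletedItem -DirectoryObjectId $match[0].Id

# After the restore the group is back in the directory and DeletedDateTime is empty.
Get-MgGroup -GroupId $match[0].Id -Property Id,DisplayName,DeletedDateTime |
    Format-List Id,DisplayName,DeletedDateTime
```

Because a restore brings the membership back exactly as it was at deletion time, review the restored group's members and its assignments before anything relies on it again; a group that was deleted deliberately as part of an offboarding or cleanup should not be restored just because it is still within the window.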

 

End user experience for managing agent identities Public Preview

Service category: Other
Product capability: End User Experiences

The Manage agents end-user experience lets people in the organization view and control the agent identities they own or sponsor. With it, they can see which agents they are responsible for, review the details of those agent identities, and take action to enable or disable an agent or to request access on its behalf.

 

Conditional Access for Agents Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access for Agent ID is a new capability in Microsoft Entra that brings Conditional Access evaluation and enforcement to AI agents. This capability extends the same Zero Trust controls that already protect human users and apps to agents. Conditional Access treats agents as first‑class identities and evaluates their access requests the same way it evaluates requests for human users or workload identities, but with agent‑specific logic.

 

Agent identity sponsor lifecycle support in Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

Managing agent identity sponsors is key for lifecycle governance and access control of agent identities. Sponsors oversee agent identities' lifecycles and access. Lifecycle Workflows now automates and streamlines sponsor lifecycle management by notifying managers and co‑sponsors when a sponsor changes roles or leaves the organization. Keeping sponsor information accurate and current ensures effective governance and compliance.

 

Microsoft Entra agent registry Public Preview

Service category: Other
Product capability: Platform

Microsoft Entra agent registry is a centralized metadata store of all deployed agents in an organization. As AI agents increasingly handle data retrieval, orchestration, and autonomous decision‑making, enterprises face rising security, compliance, and governance risks without clear visibility or control. Microsoft Entra agent registry, part of Microsoft Entra Agent ID, solves this by providing an extensible repository that delivers a unified view of every agent across Microsoft and non‑Microsoft ecosystems, enabling consistent discovery, governance, and secure collaboration at scale.

 

User centric access reviews including disconnected applications Public Preview

Service category: Access Reviews
Product capability: Identity Governance

User-centric access reviews (UAR) let reviewers see a single user's access across multiple resources in a catalog in one unified view, instead of reviewing each resource separately, which streamlines the process of ensuring the right access at the right time. Resources include Entra groups and both connected and disconnected (BYOD) applications, giving customers a consolidated, holistic review experience.

 

New experience for Entra account registration page on Windows Public Preview

Service category: Device Registration and Management
Product capability: User Authentication

Microsoft is introducing a new modernized user experience for the Entra account registration flow on Windows. The new user experience is updated to be consistent with Microsoft design patterns and splits the experience into two separate pages for registration and enrollment.

Microsoft is also introducing a new admin property in public preview to control the MDM enrollment option in the account registration flow. This is targeted at organizations who want to enable Windows MAM for work or school accounts. The new setting controls the user experience screen for end users to MDM enroll in this flow.

 

Microsoft Entra ID with Entra Kerberos has added support for cloud‑only identities Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID with Entra Kerberos now supports cloud-only identities, which allows Entra-joined session hosts to authenticate to and access cloud resources such as Azure file shares and Azure Virtual Desktop without relying on Active Directory infrastructure. This capability is essential for organizations adopting a cloud-only strategy, as it removes the need for domain controllers while preserving enterprise-grade security, access control, and encryption.

 

Externally determine the approval requirements for an access package using custom extensions Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

In Entitlement Management, approvers for access package assignment requests can either be assigned directly or determined dynamically. Entitlement Management natively supports dynamically determined approvers such as the requestor's manager, their second-level manager, or a sponsor from a connected organization.

With this feature, admins can use custom extensions to call out to Azure Logic Apps and determine the approval requirements for each access package assignment request from the organization's own business logic. The assignment request pauses until the Logic App returns an approval stage, which is then used in the subsequent approval process in the My Access portal.

 

Support for eligible group memberships and ownerships in Entitlement Management access packages Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

This integration between Entitlement Management and Privileged Identity Management (PIM) for Groups adds support for assigning eligible group memberships and ownerships via access packages. Admins can now govern these just-in-time access assignments at scale by offering a self-service access request & extension process and integrate them into the organization's role model.

 

Microsoft Entra ID Account Recovery Public Preview

Service category: Verified ID
Product capability: Identity Security & Protection

Microsoft Entra ID Account Recovery is an advanced authentication recovery mechanism that enables users to regain access to their organizational accounts when they've lost access to all registered authentication methods. Unlike traditional password reset capabilities, account recovery focuses on identity verification and trust re‑establishment prior to replacement of authentication methods rather than simple credential recovery.

 

Self-remediation for passwordless users Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Risk-based access policies in Microsoft Entra Conditional Access now support self-remediation of risks across all authentication methods, including passwordless ones. This new control revokes compromised sessions in real-time, enables frictionless self-service, and reduces help-desk load.

 

Microsoft Entra ID Protection for Agents Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect the organization by automatically detecting and responding to identity‑based risks on agents that use the Microsoft Entra Agent ID platform.

 

Integrated App Risk Insights in Global Secure Access Preview

Service category: Enterprise Apps
Product capability: Access Control

Microsoft is enhancing Global Secure Access (GSA) with Integrated App Risk Insights, now in Preview.

This new capability unifies Global Secure Access and the Microsoft Entra App Gallery—which now includes applications and risk scores from Microsoft Defender for Cloud Apps—into one unified, risk-aware experience. It allows admins to discover, assess, and protect all their applications directly within the Microsoft Entra Admin Center.

With this integration, organizations can evaluate app risk in real time and enforce access policies based on that risk. Admins can view each app’s risk score, compliance data, and configuration (SSO and provisioning) in the Entra App Gallery, while GSA applies Conditional Access and session controls based on the app’s risk level.

 

Cloud Firewall for Remote Networks for Internet Traffic Public Preview

Service category: Internet Access
Product capability: Network Access

Cloud Firewall (CFW), also known as Next Gen Firewall as a Service (FWaaS), protects organizations using Global Secure Access (GSA) from unauthorized egress traffic, such as connections from a branch to the Internet, by monitoring network traffic and applying policies to it. It provides centralized management, visibility, and consistent policies across branches.

 

Secure Web and AI Gateway for Microsoft Copilot Studio Agents Public Preview

Service category: Internet Access
Product capability: Network Access

As organizations adopt autonomous and interactive AI agents to perform tasks previously handled by humans, administrators need visibility and control over agent network activity. Global Secure Access for agents provides network security controls for Microsoft Copilot Studio agents, enabling admins to apply the same security policies to agents that the organization uses for users.

With Global Secure Access for agents, admins can regulate how agents use knowledge, tools, and actions to access external resources. Admins can apply network security policies including web content filtering, threat intelligence filtering, and network file filtering to agent traffic.

 

Internet traffic support over GSA remote network connectivity Public Preview

Service category: Internet Access
Product capability: Network Access

Remote Network Connectivity enables secure, clientless access to Microsoft 365 and internet resources from branch offices via IPsec tunnels. While Microsoft 365 traffic support is generally available, full internet access has now gone to public preview.

 

URL Filtering Public Preview

Service category: Internet Access
Product capability: Network Access

This public preview allows admins to configure URL filtering rules that allow or deny access to full URLs (hostname and full path) rather than only to FQDNs or web categories. These rules are part of the existing web content filtering policy schema, in which a web content filtering policy is linked to a security profile and the security profile, in turn, to a Conditional Access policy, so that the filtering decision is context-aware.

 

What's Changed

Microsoft Entra Internet Access TLS Inspection Generally Available

Service category: Internet Access
Product capability: Network Access

Transport Layer Security (TLS) Inspection for Microsoft Entra Internet Access delivers deep visibility into encrypted traffic and advanced security controls. TLS Inspection provides the foundation for user-friendly block messages, full URL filtering, file policy enforcement, and prompt inspection with AI Gateway.

Organizations can define flexible TLS inspection policies to specify which traffic to inspect, and which users or devices policies apply to. Custom rules offer granular control to intercept or bypass traffic based on destination FQDNs or web categories, while traffic logs provide detailed insights into matched policies and rules.

 

Passkey profiles Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft Entra ID now supports group‑based passkey (FIDO2) configurations, enabling separate rollouts of different types of passkeys to different sets of users.

 

Entitlement Management Introduces Additional Approval Flows for Risky Users’ Access Package Requests Based on IRM and IDP Risk Signals Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

Entitlement Management now supports risk-based approval escalation. When a user requesting an access package is flagged by Insider Risk Management or Identity Protection as requiring additional scrutiny, the request is automatically routed to designated security approvers for an extra approval step before access is granted.


Entra Connect Sync 2.5.190.0 is available for download to enforce the deprecation of AAD Connector v1 API (effective Oct 2026)

Reading Time: 2 minutes

Microsoft Entra

Microsoft Entra Connect Sync version v2.5.190.0 enforces the use of Connector API v2.

 

What's Changed

Microsoft Entra Connect Sync version 2.5.190.0 enforces the use of the v2 AAD Connector API.

From Entra Connect Sync v2.5.190.0 onwards, the previous v1 connector API is no longer used or supported.

 

What's New

Entra Connect Sync v2.5.190.0 offers four other improvements, with two pertaining to application-based authentication:

Application-based authentication with TPM is now compatible with MSAL

Microsoft addressed an issue where application-based authentication failed when the credential protected by the Trusted Platform Module (TPM) was used with the Microsoft Authentication Library (MSAL). The fix ensures compatibility with MSAL's default signing method.

Application-based authentication certificate renewal threshold set to 30 days

The certificate renewal threshold for Application-based Authentication has been updated to 30 days. Entra-managed certificates will now automatically renew when their expiration date is 30 days or less.

Other status no longer blocks Entra Connect Sync configuration

Microsoft addressed an issue in the configuration wizard that resulted in the following error when the status for Entra Connect Sync in the Entra admin center is defined as Other:

Directory synchronization for this directory currently has a mismatch in sync enabled and sync status

Cloud management of Exchange attributes no longer triggers export errors

Microsoft addressed an issue with cloud management of Exchange attributes that raised export errors labelled ExchangeManagedAttributesUpdateNotAllowed.

 

Version information

Version 2.5.190.0 of Entra Connect Sync (previously known as Azure AD Connect Sync) was made available for download on November 19th, 2025.

Admins can download the latest version of Entra Connect Sync from the Entra admin center.

Superseded versions

Past versions of Microsoft Entra Connect Sync 2.x are retired 12 months from the date they are superseded by a newer version. With the release of Entra Connect Sync v2.5.190.0, support for Entra Connect Sync version 2.5.79.0 stops on October 23rd, 2026.

Support for Entra Connect Sync v2.4.21.0 and earlier versions of Entra Connect Sync has already stopped.

If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working.
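As an added example (not part of the original post), the following script, run on an Entra Connect Sync server, compares the installed build with the release and retirement dates stated above and shows which connector API each sync direction is configured to use. It assumes the script runs elevated on the sync server, that the sync engine binary sits at its default install path, and that the ADSync module cmdlets Get-ADSyncAADConnectorImportApiConfiguration and Get-ADSyncAADConnectorExportApiConfiguration are available; their output is displayed as-is rather than interpreted, since the property names are not documented in this post.

```powershell
# Added example, not code from the original post.
# Assumptions: runs elevated on the Entra Connect Sync server; default install path;
# ADSync module present. Dates and versions below are the ones stated in the post.
Import-Module ADSync -ErrorAction Stop

$enginePath = 'C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe'   # default path, assumed
$installed  = [version](Get-Item $enginePath -ErrorAction Stop).VersionInfo.FileVersion

$latest             = [version]'2.5.190.0'   # released November 19th, 2025
$alreadyRetiredUpTo = [version]'2.4.21.0'    # this build and earlier are already out of support
$retirementByBuild  = @{                     # retirement is 12 months after a build is superseded
    '2.5.79.0' = [datetime]'2026-10-23'
}

$today  = (Get-Date).Date
$status = if ($installed -ge $latest) {
    'Current: this build enforces the v2 AAD Connector API.'
} elseif ($installed -le $alreadyRetiredUpTo) {
    'RETIRED: support has already ended; upgrade immediately.'
} elseif ($retirementByBuild.ContainsKey($installed.ToString())) {
    $until = $retirementByBuild[$installed.ToString()]
    $days  = ($until - $today).Days
    if ($days -lt 0) { "RETIRED on $($until.ToString('yyyy-MM-dd')); upgrade immediately." }
    else             { "Supported for $days more days (until $($until.ToString('yyyy-MM-dd'))); plan the upgrade." }
} else {
    'Not covered by the dates in this post: check the Entra Connect Sync version history for its retirement date.'
}

[pscustomobject]@{
    Server    = $env:COMPUTERNAME
    Installed = $installed
    Latest    = $latest
    Status    = $status
} | Format-List

# Builds older than 2.5.190.0 may still be configured for the v1 API on either direction.
Write-Host 'Import API configuration:'; Get-ADSyncAADConnectorImportApiConfiguration | Format-List
Write-Host 'Export API configuration:'; Get-ADSyncAADConnectorExportApiConfiguration | Format-List
```

Run the check on every server in the environment, including the staging-mode server, which is easily forgotten and will stop synchronizing just as unexpectedly when its build is retired.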
