Learn about the latest features and change announcements across Microsoft Entra.
Microsoft has launched advanced AI-driven security features within Microsoft Entra, enhancing identity protection through intelligent automation. The Security Copilot in Microsoft Entra provides organizations with AI-generated insights and recommendations to improve access governance, while the Conditional Access Optimization Agent conducts ongoing policy analysis to maintain effectiveness and streamline processes in response to emerging threats. These solutions integrate artificial intelligence at the core of security operations, supporting more efficient decision-making, robust defenses, and increased assurance in identity management.
Here we’re sharing the latest security improvements and innovations across Microsoft Entra from July 2025 to September 2025, organized by product for easier navigation.
Microsoft Entra – AI for security
New releases
- Security Copilot in Microsoft Entra
- Conditional Access Optimization Agent in Microsoft Entra
- Conditional Access Agent Supports Disabling Agent Creation of Report-Only Policies
Microsoft Entra ID
New releases
- Platform SSO for macOS with Microsoft Entra ID
- QR + PIN Simple Auth method for FLW
- Bicep templates for Microsoft Graph resources
- Conditional Access What If API
- Enterprise App SSO via pre-integrated gallery app or customer SAML apps
- Restricted Management Administrative Units
Change announcements
Security improvements
Securing the Microsoft Entra ID Authentication Experience by blocking malicious code injection
[Action May Be Required ]
As part of the Microsoft Secure Future Initiative (SFI), we’re making an important update to our Content Security Policy (CSP) that will enhance the security of the Microsoft Entra work or school sign-in experience. This change will block unauthorized script and malicious code injection into sign-in flows starting with the URL, login.microsoftonline.com/*, ensuring that only trusted Microsoft code runs during authentication.
We are implementing this change to proactively shield your users from modern security threats, like cross-site scripting (XSS) attacks, in which an attacker can inject malicious code into the victim's site.
When will you see the change?
The rollout has two phases: Phase 1 begins mid-to-late April 2026 for tenants with little impact; Phase 2 starts mid-to-late October 2026 for everyone else. Microsoft Entra External ID customers are not affected.
How to prepare?
Before the update, switch to tools that don’t inject code into the Microsoft Entra sign-in page. Unsupported tools will no longer work, but users can still sign in as usual.
With this update, you can feel confident that your users and data are better protected, helping your organization stay ahead of emerging threats.
Upgrade to the latest version of Microsoft Entra Connect by September 30, 2026
[Action may be required]
What is changing?
Microsoft has introduced a first-party service principal, Microsoft Entra AD Synchronization Service (Application ID: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016), to support secure synchronization between Active Directory and Microsoft Entra ID. This application is essential for on-premises to Entra ID sync via Microsoft Entra Connect and can be managed in the Enterprise Applications section of the admin center.
Microsoft Entra Connect now uses this first party application to synchronize between Active Directory and Microsoft Entra ID. Customers are required to upgrade to version 2.5.79.0 or later by September 2026.
Review our roadmap for a timeline of upcoming releases, so that you can plan your upgrade accordingly. We will auto-upgrade customers where supported. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.
For a list of minimum requirements and expected impacts of the service change, please refer to this article. For upgrade-related guidance, check out our docs.
Enable Browser Access (EBA) by default for all Android users
[Action may be required]
What is changing?
Originally announced in September 2024, as part of ongoing security hardening, we are deprecating the Enable Browser Access (EBA) user interface in the Android Authenticator and Company Portal apps. Consequently, browser access will be enabled by default for all Android users starting in March 2026. This change will occur automatically, so no action is required from admins or Android users.
If you are an Android Mobile Device Management (MDM) provider, review this documentation to support enabling browser access during device registration.
Identity modernization
Retirement of ADAL to MSAL Recommendations API
[Action may be required]
What is changing?
The ADAL to MSAL Recommendations API will be retired on December 15, 2025. After this date, admins will no longer see automated “Migrate from ADAL to MSAL” recommendations in Microsoft Entra Recommendations, nor retrieve them through the API.
We recommend querying sign-in logs directly via Microsoft Graph API. Admins can still determine the authentication library used for each request in the Entra sign-in logs, specifically in the authenticationProcessingDetails field under the optional Azure AD App Authentication Library field.
What to do to prepare:
- No action is required to disable the API—it will retire automatically.
- Notify users, update documentation, and transition to querying via Microsoft Graph API to track authentication libraries going forward.
Deprecation - Automatically capture sign-in fields for an app in Microsoft Entra admin center.
[Action may be required]
What is changing?
The Automatically capture sign-in fields for an app option in the Microsoft Entra admin center is retired. Existing apps already configured with this feature continues to work, but it will no longer be available for new configurations. Going forward, admins should use the Capture sign-in fields for an app. This requires the MyApps Secure Sign-In Extension, available for Microsoft Edge and Chrome.
For more information, see: Capture sign-in fields for an app
Requestors can view who their access package approvers are in My Access
[Action may be required]
What is changing?
As communicated earlier, requestors will be able to see the name and email address of approvers for their pending access package requests directly in the My Access portal. This feature increases transparency and streamlines communication between requestors and approvers. By default, all members (excluding guests) have approver visibility at the tenant level, which can be managed in Entitlement Management settings in Microsoft Entra Admin Center. At the access package level, admins and owners can adjust approver visibility or override tenant settings using advanced request options.
New end user homepage in My Account
[Action may be required]
What is changing?
As communicated earlier, the homepage at https://myaccount.microsoft.com will be updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
Updates to License Usage Blade UI and Entra License Metrics
[No action is required]
What is changing?
We’re updating the License Usage Blade with improved UI and new Entra-wide license metrics in the top widget, displaying feature usage across all licenses. This gives admins and managers a comprehensive overview of product adoption and utilization. No action needed.
Rollout of the Microsoft Entra ID Free subscription
[No action is required]
What is changing?
Microsoft is rolling out the no-cost Microsoft Entra ID Free subscription to track Microsoft Entra tenant ownership through billing accounts. It will appear in Microsoft 365 and Azure portals starting October, requires no action, does not affect billing or functionality, and helps manage tenant ownership securely.
Microsoft Entra: Refreshed credential enrollment and management UX
[No action is required]
What is changing?
Microsoft Entra will update its credential enrollment and management interface in November 2025 to improve usability and accessibility. No action is needed, but help desks should be informed for a smoother transition. No compliance concerns were found.
Microsoft Entra ID Protection
New releases
Microsoft Entra ID Governance
New releases
- Cross-tenant synchronization (cross-cloud)
- Application Based Authentication on Microsoft Entra Connect Sync
- New Lifecycle Workflows task to revoke refresh tokens
- Audit administrator events in Microsoft Entra Connect Sync
Microsoft Entra External ID
New releases
- Enabling native authentication JavaScript SDK for sign-in, sign-up and sign-out experiences in Microsoft Entra External ID.
- Microsoft Entra External ID: Custom 3rd party email OTP provider
Best Regards,
Shobhit Sahay
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft