Learn about the latest features and change announcements across Microsoft Entra.
Microsoft has introduced new capabilities in Microsoft Entra to enhance AI security and identity protection. These innovations focus on two main areas: securing AI applications and leveraging AI to bolster security measures. To protect AI applications, Microsoft Entra Internet Access now offers granular, identity-based access controls, allowing organizations to tailor policies for different AI apps based on user roles and risk levels. Additionally, AI-driven features in Microsoft Security Copilot assist in optimizing Conditional Access policies and automating identity lifecycle management, thereby simplifying operations and strengthening defenses against evolving threats. Read our blog New innovations in Microsoft Entra to strengthen AI security and identity protection to learn more.
And today, we’re sharing security improvements and innovations across Microsoft Entra from December 2024 to March 2025, organized by product for easier navigation.
Microsoft Entra ID
New releases
- Authentication methods migration wizard
- Microsoft Entra PowerShell
- Expansion of SSPR Policy Audit Logging
- Update Profile Photo in MyAccount
- Temporary Access Pass (TAP) support for internal guest users
- Protected actions for hard deletions
Change announcements
Security improvements
Support for Microsoft Entra ID Authentication without a Service Principal ends March 2026
[Action may be required]
Starting March 2026, Microsoft Entra ID will no longer support service-principal-less authentication behavior. All applications making service-principal-less authentication requests in a tenant will be impacted, and the login flow will fail unless action is taken by March 31, 2026.
Action required: Tenant administrators can verify access for applications, provision them, and check the tokens on their own. Tenant administrators should use sign-in logs to identify impacted applications by following the steps in the "Service-principal-less authentication mitigation" document. They will also receive an email listing the named applications.
All ISVs are requested to notify customers about the deprecation and inform them to take proactive action.
Why this matters: This change aims to strengthen security in Microsoft Entra ID by ensuring that all applications active in a tenant have an associated service principal.
Learn more about the retirement and actions from our Microsoft Learn documentation.
Identity modernization
Important Update: AzureAD PowerShell and MSOnline PowerShell retirement – March 2025
[Action may be required]
What is changing
As announced in Microsoft Entra change announcements and prior blog updates, the MSOnline and Microsoft AzureAD PowerShell modules were deprecated on March 30, 2024. Retirement of the MSOnline PowerShell module will start in April 2025. You must take action to avoid impact after this date by migrating any use of MSOnline to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell, which is currently in preview.
Key points
- MSOnline PowerShell will retire (and stop working) starting in early April 2025 and completing in May 2025.
- AzureAD PowerShell will no longer be supported after March 30, 2025, but its retirement will happen after July 1, 2025. This postponement is to allow you time to finish the MSOnline PowerShell migration.
- To ensure customer readiness for MSOnline PowerShell retirement, a series of temporary outage tests are occurring for all tenants between January and March 2025. You should expect up to two more temporary outages between March 10-26 as the final preparation for retirement of MSOnline PowerShell.
The new Microsoft Entra Recommendation "Migrate from the retiring MSOnline and AzureAD PowerShell usage to Microsoft Graph PowerShell" reports on usage of these legacy PowerShell modules in your tenant in the last 30 days. You can access this recommendation in the Microsoft Entra admin center by browsing to: Identity > Overview > Recommendations.
Note: Earlier versions of Microsoft Entra Connect Sync use MSOnline PowerShell when running the Installation wizard. If you are using Microsoft Entra Connect Sync, you should upgrade to the latest version before April 7, 2025. After this date, use of the installation wizard will fail until the Microsoft Entra Connect Sync client is updated. Learn more: Hardening update to Microsoft Entra Connect Sync AD FS and PingFederate configuration - Microsoft Entra ID | Microsoft Learn
Next steps
- Read the latest updates at: https://aka.ms/msonlineretirement
- Reference documentation on migrating to Microsoft Graph: Migrate from Azure AD PowerShell to Microsoft Graph PowerShell | Microsoft Learn
Important Update: Azure AD Graph Retirement - March 2025
[Action may be required]
What is changing
Retirement of the Azure AD Graph API service began in September 2024, and the next phase of this retirement started on February 1, 2025. Both new and existing applications are blocked from calling Azure AD Graph APIs unless they are configured for an extension. Setting the extension on the application will allow the app to continue using Azure AD Graph APIs through June 2025.
Microsoft Graph is the replacement for Azure AD Graph APIs, and we strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and limiting any further development using Azure AD Graph APIs.
In the Microsoft Entra admin center, Recommendations is the best tool to identify applications that are using Azure AD Graph APIs in your tenant and require action.
Applications with the extension set will still need to be migrated to Microsoft Graph as soon as possible. For applications provided by software vendors, including Microsoft, you will likely need to update the software to a new version. Please reference the blog Action required: Azure AD Graph API retirement | Microsoft Community Hub for step-by-step guidance.
Next steps
- You can find the latest updates on Azure AD Graph retirement at https://aka.ms/AzureADGraphRetirement.
- Reference documentation on migrating from Azure AD Graph to Microsoft Graph: Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph - Microsoft Graph | Microsoft Learn
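One way to inventory local script and configuration files for the retiring modules and the Azure AD Graph endpoint ahead of the dates above, as an added example that is not part of the original post or Microsoft's own tooling. The function name `Find-LegacyEntraUsage`, the demo folder and the `contoso.example` tenant are hypothetical; the patterns rely on the `Msol` and `AzureAD` cmdlet noun prefixes and the `graph.windows.net` host.

```powershell
# Added example: flag legacy MSOnline / AzureAD cmdlets and Azure AD Graph URLs in files.
function Find-LegacyEntraUsage {
    param([Parameter(Mandatory)][string]$Path)

    # MSOnline cmdlets use the "Msol" noun prefix, AzureAD cmdlets the "AzureAD"
    # noun prefix, and Azure AD Graph is served from graph.windows.net.
    $patterns = [ordered]@{
        'MSOnline PowerShell' = '\b\w+-Msol\w+|\bImport-Module\s+MSOnline\b'
        'AzureAD PowerShell'  = '\b\w+-AzureAD\w*|\bImport-Module\s+AzureAD(Preview)?\b'
        'Azure AD Graph API'  = 'graph\.windows\.net'
    }

    Get-ChildItem -Path $Path -Recurse -File -Include '*.ps1','*.psm1','*.json','*.config' |
        ForEach-Object {
            $file = $_
            foreach ($name in $patterns.Keys) {
                # Select-String is case-insensitive by default
                Select-String -LiteralPath $file.FullName -Pattern $patterns[$name] |
                    ForEach-Object {
                        [pscustomobject]@{
                            Finding = $name
                            File    = $file.Name
                            Line    = $_.LineNumber
                            Text    = $_.Line.Trim()
                        }
                    }
            }
        }
}

# Constructed sample input: one script mixing legacy and current calls.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'legacy-entra-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
Import-Module MSOnline
Connect-MsolService
Get-MsolUser -All | Select-Object UserPrincipalName
Connect-MgGraph -Scopes 'User.Read.All'
$uri = 'https://graph.windows.net/contoso.example/users?api-version=1.6'
'@ | Set-Content -Path (Join-Path $demo 'report-users.ps1')

Find-LegacyEntraUsage -Path $demo | Sort-Object Line | Format-Table -AutoSize
```

A file scan only covers code you can see on disk; the tenant-side Recommendations described above remain the source for usage by applications and third-party software.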
User interface change to sign-in experience
[No action is required]
We’re updating the sign-in user experience for authentications with the Authenticator app. In the sign-in UX, the update includes a new message: “Didn’t receive a sign-in request? Swipe down to refresh the content in your app.” This conveys to users that they can refresh notifications on the Authenticator app or Outlook app if they have not received a sign-in notification. This change is expected by April 2025 and will be rolled out automatically to all customers. No action is necessary from customers for this UX change.
Microsoft Entra ID Protection
New releases
- Real-time Password Spray Detection in Microsoft Entra ID Protection
- New Microsoft-managed Conditional Access policies to limit device code and legacy authentication flows
Microsoft Entra ID Governance
New releases
- Granular Microsoft Graph permissions for Lifecycle workflows
- Microsoft Entra Connect Version 2.4.129.0
- Privileged Identity Management integration in Azure Role Based Access Control
Change announcements
Certificate-based authentication on Microsoft Entra Connect
[Action may be required]
What is changing
We’re introducing optional application-based authentication for Microsoft Entra Connect to Microsoft Entra ID calls in April 2025 in addition to the existing directory service account authentication. To take advantage of this, customers will need to have an environment that supports hardware-based storage of the cryptographic keys. This can be either TPM or Hardware Security Module (HSM).
Customers interested in using this authentication method should review their environment readiness and decide on which of the above key storage options applies in their case. Additional information will be shared when the new Microsoft Entra Connect version is released in April 2025.
Licensing requirements for on-behalf-of access package policies in Entitlement Management
[Action may be required]
We’re updating the licensing requirements for access packages that include on-behalf-of policies. Going forward, organizations must have the appropriate license when configuring access package policies that allow on-behalf-of requests.
Users with Entitlement Management permissions who create or edit access package policies will need a Microsoft Entra ID Governance or Microsoft Entra Suite license to enable on-behalf-of requests.
Existing access packages with on-behalf-of policies will remain unchanged and continue to function. However, once the feature reaches general availability (GA), new on-behalf-of policies cannot be created or enabled without the required license.
To continue using the on-behalf-of feature beyond the preview phase, ensure your organization has either the Microsoft Entra ID Governance or Microsoft Entra Suite license. We will provide an update as we approach the GA date. For more details on licensing, refer to Microsoft Entra ID Governance licensing fundamentals.
Microsoft Entra External ID
New releases
Change announcements
Retirement announcement: Azure AD External Identities P2
[Action may be required]
Effective May 1, 2025, we'll stop selling Azure AD External Identities P2 to new customers in preparation for its retirement in B2C tenants on March 15, 2026.
What this means for you
- May 1, 2025 – End of sale to new customers: We'll end the sale of Identity Protection (Azure AD External Identities P2) for new customers at the same time as the previously announced end of sale of Azure AD B2C to new customers.
- March 15, 2026 – No changes in service for existing B2C customers until this date: Please see list below of alternate ID Protection providers to switch to before this date.
- March 16, 2026 – Service retired: Please have an alternate provider for ID Protection for Azure AD B2C (as highlighted below) in place for continuity. Please note, Azure AD B2C retirement will be no sooner than 2030 and ID Protection will still be available in your workforce tenant.
Required action
We understand that these changes can impact your operations, and we're committed to ensuring a smooth transition. Here's a detailed list of partners and migration guidance you can consider in place of P2:
Migrating to partners
To migrate off Microsoft Entra ID Protection in B2C tenants, we recommend using the following partners that integrate with Azure AD B2C:
- Deduce: an identity verification and proofing provider focused on stopping account takeover and registration fraud. It helps combat identity fraud and creates a trusted user experience.
- eID-Me: an identity verification and decentralized digital identity solution for Canadian citizens. It enables organizations to meet Identity Assurance Level (IAL) 2 and Know Your Customer (KYC) requirements.
- Experian: an identity verification and proofing provider that performs risk assessments based on user attributes to prevent fraud.
- IDology: an identity verification and proofing provider with ID verification solutions, fraud prevention solutions, compliance solutions, and others.
- Jumio: an ID verification service, which enables real-time automated ID verification, safeguarding customer data.
- LexisNexis: a profiling and identity validation provider that verifies user identification and provides comprehensive risk assessment based on the user's device.
- Onfido: a document ID and facial biometrics verification solution that allows companies to meet Know Your Customer and identity requirements in real time.
Switching to Azure AD External Identities P1
If you're no longer interested in using ID Protection in your B2C tenant and wish to switch over to the Azure AD External Identities P1 meter, please refer to our documentation for instructions to change your pricing tier.
Help and support
If you need additional support, we recommend you contact your Microsoft Account Manager. If you have additional questions, please contact us.
Learn more about service retirements that may impact your resources in the Azure Retirement Workbook. Please note that retirements may not be visible in the workbook for up to two weeks after being announced.
This change is also mentioned in this public document: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#whats-happening-to-azure-ad-b2c-and-azure-ad-external-identities. More information on the March 2026 retirement and migration options will be shared when they become available.
Microsoft Entra Permissions Management
Change announcements
Retirement notice: Microsoft Entra Permissions Management
[Action may be required]
Effective April 1, 2025, Microsoft Entra Permissions Management (MEPM) will no longer be available for sale to new Enterprise Agreement or direct customers. Additionally, starting May 1, it will not be available for sale to new CSP customers. Effective October 1, 2025, we will retire Permissions Management and discontinue support of this product.
Existing customers will retain access to this product until September 30, 2025, with ongoing support for current functionalities. We have partnered with Delinea to provide an alternative solution, Privilege Control for Cloud Entitlements (PCCE), that offers similar capabilities to those provided by Microsoft Entra Permissions Management. The decision to phase out Microsoft Entra Permissions Management was made after deep consideration of our innovation portfolio and how we can focus on delivering the best innovations aligned to our differentiating areas and partner with the ecosystem on adjacencies. We remain committed to delivering top-tier solutions across the Microsoft Entra portfolio. Click here to learn more.
Microsoft Entra Domain Services
New releases
Best Regards,
Shobhit Sahay
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Updated Apr 03, 2025