Stay ahead of identity and access changes—see what’s new in Microsoft Entra this quarter.
From January through March 2026, Microsoft Entra introduced key updates to help organizations strengthen identity security, simplify governance, and improve user experience. This Q1 roundup highlights the latest feature releases and important changes—organized by product—so you can quickly see what’s new, what’s changing, and what actions you may need to take.
Microsoft Entra ID
New releases
- Synced passkeys in Microsoft Entra ID
- Passkey profiles in Microsoft Entra ID
- Microsoft Single Sign-On for Linux support for authenticating with Phish-Resistant MFA credentials
- Improved readability for Authentication Methods Policy Update audit logs
- External MFA is Generally Available
- Service Principal creation audit logs for alerting & monitoring
- Improved enforcement for All resources policies with resource exclusions
Change announcements
Security improvements
Jailbreak detection in Authenticator app
[Action may be required]
Starting February 2026, Microsoft Authenticator introduced jailbreak/root detection for Microsoft Entra credentials in the Android app. The rollout progresses from warning mode → blocking mode → wipe mode. Users must move to compliant devices to continue using Microsoft Entra accounts in Authenticator.
Microsoft Entra Agent ID
Change announcements
Simplifying agent management with Agent 365
[Action may be required]
We’re consolidating agent management experiences to make it easier to observe, govern, and secure all agents in your tenant. Agent 365 will be the single source of truth, offering a unified catalog, consistent visibility, and simplified management.
What’s changing
- The Agent registry and Agent collections blades in the Entra admin center will be retired on May 1, 2026.
- No action is required by administrators. Agent functionality and management remain unaffected. You can still access the agent inventory in the All agents view within the Microsoft 365 admin center (MAC).
With this change:
- Agent 365 becomes the unified registry and control plane for agents.
- Microsoft Entra continues to provide the identity foundation through Agent ID.
- The existing registry Graph API will be deprecated and replaced by a new API powered by Agent 365. Agents registered via the current API will need to be re-registered. You'll be notified soon about the deprecation date and the availability of the new registry Graph API.
- All agent access and governance capabilities remain fully available through Agent ID and Agent 365.
Microsoft Entra ID Governance
New releases
- SCIM 2.0 APIs for Microsoft Entra ID
- New M365 group creation experience in My Groups
- Microsoft Entra Connect Health now enforces TLS 1.2
- Tenant configuration management APIs
- Expanded attribute support in Lifecycle Workflows attribute changes trigger
- Delegated Workflow Management in Lifecycle Workflows
- Microsoft Entra Connect Sync now supports Windows Server 2025
- Revoke previously approved access package assignments in My Access
- Ability to convert Source of Authority of synced on-premises AD users to cloud users is now available
- Microsoft Entra ID Governance guest billing meter enforcement
Change announcements
Identity Modernization
Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles
[Action may be required]
What is hard matching in Microsoft Entra Connect Sync and Cloud Sync?
When Microsoft Entra Connect or Cloud Sync adds new objects from Active Directory, the Microsoft Entra ID service tries to match each incoming object with an existing Microsoft Entra object by looking up the incoming object’s sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud-managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect or Cloud Sync takes over the source of authority (SoA) of that object and updates it with the properties of the incoming Active Directory object. This is known as a "hard match."
To strengthen the security posture of your Microsoft Entra ID environment, we are introducing a change that will restrict certain types of hard match operations by default.
What’s changing
Beginning June 1, 2026, Microsoft Entra ID will block any attempt by Microsoft Entra Connect Sync or Cloud Sync to hard-match a new user object from Active Directory to an existing cloud-managed Microsoft Entra ID user object that holds Microsoft Entra roles.
This means:
- If a cloud managed user already has onPremisesImmutableId (sourceAnchor) set and is assigned a Microsoft Entra role, Microsoft Entra Connect Sync or Cloud Sync will no longer be able to take over the Source of Authority of that user by hard-matching with an incoming user object from Active Directory.
- This safeguard prevents attackers from taking over privileged cloud managed users in Microsoft Entra by manipulating attributes of user objects in Active Directory.
What’s not changing
- Hard match operations for cloud users without Microsoft Entra roles are not affected.
- Soft match behavior isn't affected.
- Ongoing sync from Active Directory to Entra ID for previously hard-matched objects will not be affected.
Customer action required
If you encounter a hard match error after June 1, 2026, see our documentation for mitigation steps.
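The hard match rule described above, as an added example that is not Microsoft's code: it classifies incoming sourceAnchor values against a constructed user list and lists the cloud-managed role holders the block covers. It assumes the inputs come from an export of the Graph user properties onPremisesImmutableId and onPremisesSyncEnabled plus active role assignments; the class, function names, users and anchors are hypothetical.

```python
# Added example: models the hard-match rule described above. Constructed data,
# not Microsoft's implementation.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CloudUser:
    upn: str
    immutable_id: Optional[str]   # Graph user property onPremisesImmutableId
    sync_enabled: bool            # Graph user property onPremisesSyncEnabled
    roles: List[str] = field(default_factory=list)  # assigned Entra roles

def classify(source_anchor: str, users: List[CloudUser]) -> Tuple[str, Optional[str]]:
    """Outcome for one incoming AD object, per the rule effective June 1, 2026."""
    for u in users:
        if not u.immutable_id or u.immutable_id != source_anchor:
            continue
        if u.sync_enabled:
            # Already synced from AD: ongoing sync is not affected.
            return ("ongoing-sync", u.upn)
        if u.roles:
            # Cloud-managed and holds a role: SoA takeover is blocked.
            return ("hard-match-blocked", u.upn)
        return ("hard-match-allowed", u.upn)
    return ("no-hard-match", None)  # soft match / new object, not modelled here

def protected_users(users: List[CloudUser]) -> List[str]:
    """Cloud-managed role holders with an anchor set: the accounts the block covers."""
    return [u.upn for u in users
            if u.immutable_id and not u.sync_enabled and u.roles]

# Constructed sample tenant export (hypothetical names and anchors).
USERS = [
    CloudUser("admin@contoso.example", "QUFBQQ==", False, ["Global Administrator"]),
    CloudUser("alice@contoso.example", "QkJCQg==", False),
    CloudUser("bob@contoso.example", "Q0NDQw==", True, ["Helpdesk Administrator"]),
    CloudUser("carol@contoso.example", None, False, ["Security Reader"]),
]

if __name__ == "__main__":
    for anchor in ("QUFBQQ==", "QkJCQg==", "Q0NDQw==", "RERERA=="):
        print(anchor, classify(anchor, USERS))
    print("protected:", protected_users(USERS))
```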
Microsoft Entra External ID
New releases
- Just‑in‑Time Password Migration in Microsoft Entra External ID
- Device authorization grant flow in Microsoft Entra External ID
- Sign-in with username/alias in Entra External ID
- Custom banned password lists supported in Microsoft Entra External ID
- Client Credentials in Microsoft Entra External ID
- App-based branding via Branding themes in Entra External ID
- Session Control Conditional Access Policies in Entra External ID
Global Secure Access
New releases
-Shobhit Sahay