Learn about the latest features and change announcements across Microsoft Entra.
November was an exciting month for Microsoft Entra customers, with news of significant enhancements to strengthen your security posture in the AI era. Our announcements included:
- New capabilities for managing, governing, and protecting agents with the public preview of Microsoft Entra Agent ID, part of the new Agent 365 control plane for agents;
- Security Copilot inclusion in Microsoft 365 E5 subscription, which ensures more admins can utilize Copilot in Entra and the four new Microsoft Entra agents;
- The Microsoft Entra Suite public preview of Prompt Shield, enabling you to protect enterprise GenAI apps against prompt injection attacks; and
- The public preview of synced passkeys and self-service account recovery for all authentication methods in Microsoft Entra, making it easier for end users to embrace phishing-resistant authentication.
For more details, check out Joy Chik’s blog post and watch the recordings of our breakout sessions from Microsoft Ignite.
This article shares security improvements and innovations across Microsoft Entra from October and November 2025, organized by product.
Microsoft Entra ID
New releases
Change announcements
Security improvements
Jailbreak Detection in Authenticator App
[Action may be required]
What is changing?
Starting February 2026, we'll introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app. This update boosts security by disabling Microsoft Entra credentials on jail-broken or rooted devices, wiping any existing credentials automatically. It applies to both iOS and Android, requires no admin setup, and does not affect personal or third-party accounts.
Action required
Notify end users about this upcoming change. Authenticator will become unusable for Microsoft Entra accounts on jail-broken or rooted devices. For more information, read About Microsoft Authenticator.
Block External Script Injection in Microsoft Entra ID Sign-in
[Action may be required]
What is changing?
In November 2025, Microsoft Entra ID rolled out a stricter Content Security Policy (CSP) for browser-based sign-ins on login.microsoftonline.com. This update blocks unauthorized scripts and only allows scripts from trusted Microsoft domains, enhancing protection against cross-site scripting (XSS) attacks.
Action required
Admins should ensure that no browser extensions or tools inject scripts into the sign-in experience. Any existing tools that do so must be replaced, and sign-in flows should be tested to identify and fix violations.
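To support the testing step above, here is an added example (not Microsoft code) that groups CSP violation records captured during sign-in testing by the extension or tool that injected the script. The records are constructed samples using the field names of the browser's `SecurityPolicyViolationEvent`; the extension ID and `.example` hosts are placeholders.

```javascript
// Triage CSP violations recorded while testing browser sign-in flows.
// Field names follow the browser's SecurityPolicyViolationEvent.
const SIGN_IN_HOST = "login.microsoftonline.com"; // host named in the announcement

// Constructed sample records; extension ID and .example hosts are placeholders.
const LOGIN = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const EXT = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/content.js";
const sampleViolations = [
  { documentURI: LOGIN, effectiveDirective: "script-src-elem", blockedURI: "https://cdn.helper-tool.example", sourceFile: EXT },
  { documentURI: LOGIN, effectiveDirective: "script-src-elem", blockedURI: "inline", sourceFile: EXT },
  { documentURI: LOGIN, effectiveDirective: "script-src-elem", blockedURI: "https://toolbar.example", sourceFile: "" },
  { documentURI: LOGIN, effectiveDirective: "img-src", blockedURI: "https://tracker.example", sourceFile: "" },
  { documentURI: "https://intranet.example/portal", effectiveDirective: "script-src-elem", blockedURI: "inline", sourceFile: EXT },
];

// Return "scheme://host" for a URL, or the raw keyword ("inline", "eval") otherwise.
function originOf(value) {
  if (!value) return "unknown";
  try {
    const u = new URL(value);
    return `${u.protocol}//${u.host}`;
  } catch {
    return value;
  }
}

// Keep only script violations on the sign-in host and group them by injector.
function triageSignInViolations(events) {
  const byInjector = new Map();
  for (const e of events) {
    let host;
    try { host = new URL(e.documentURI).hostname; } catch { continue; }
    if (host !== SIGN_IN_HOST) continue;
    if (!String(e.effectiveDirective).startsWith("script-src")) continue;
    const injector = originOf(e.sourceFile);
    const entry = byInjector.get(injector) || { injector, count: 0, blocked: new Set() };
    entry.count += 1;
    entry.blocked.add(originOf(e.blockedURI));
    byInjector.set(injector, entry);
  }
  return [...byInjector.values()]
    .map((r) => ({ ...r, blocked: [...r.blocked].sort() }))
    .sort((a, b) => b.count - a.count);
}

console.log(JSON.stringify(triageSignInViolations(sampleViolations), null, 2));
```

An injector of `unknown` means the browser reported no source file, so the blocked origin is the only lead for finding the responsible tool.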
Update to Revoke Multifactor Authentication Sessions
[Action may be required]
What is changing?
Starting February 2026, we are replacing the current Revoke multifactor authentication sessions button with the Revoke sessions button in the Microsoft Entra portal. The legacy Revoke MFA sessions action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new Revoke sessions button will invalidate all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.
Action required
Admins should update workflows and guidance to use Revoke sessions instead of Revoke MFA sessions. The Revoke MFA sessions option will be removed from the portal after this change.
Microsoft Entra ID Governance
New releases
- Conversion of external users to internal members
- Ability to convert Source of Authority of synced on-premises AD groups to cloud groups
- New SCIM 2.0 SAP CIS connector available, with support for group provisioning
- Support for eligible group memberships and ownerships in Entitlement Management access packages
- Reprocess failed users and workflows in Lifecycle Workflows
- Groups Purview sensitivity label support in Lifecycle Workflows
- Trigger workflows for inactive employees and guests in Lifecycle Workflows
Change announcements
Identity Modernization
Retirement of Iteration 2 (beta) Privileged Identity Management (PIM) API
[Action may be required]
What is changing?
Iteration 2 (beta) PIM API for Azure resources and Microsoft Entra roles is deprecated and will stop returning data on October 28, 2026.
Action required
Migrate to the Iteration 3 (GA) APIs:
- Begin migration planning and testing as soon as possible.
- Halt any new development using Iteration 2 APIs.
- Review documentation for Iteration 3 APIs to ensure compatibility.
Learn more:
- Migrate from PIM iteration 2 APIs to PIM iteration 3 APIs
- API concepts in Privileged Identity management - Microsoft Entra ID Governance | Microsoft Learn
- Privileged Identity Management iteration 2 APIs
Microsoft Entra External ID
New releases
- External ID regional expansion to Australia and Japan
- Seamless setup experience for Azure Monitor/Sentinel with external tenants
- Sign up Fraud Protection with Arkose Labs and HUMAN Security for Microsoft Entra External ID
- Edge protection using Cloudflare and Akamai WAF for Microsoft Entra External ID
Global Secure Access
New releases
-Shobhit Sahay