<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-entra/ct-p/microsoft-entra</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Fri, 05 Jun 2026 22:19:40 GMT</pubDate>
    <dc:creator>microsoft-entra</dc:creator>
    <dc:date>2026-06-05T22:19:40Z</dc:date>
    <item>
      <title>Run Global Secure Access with confidence: Introducing the GSA Operations Guide</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/run-global-secure-access-with-confidence-introducing-the-gsa/ba-p/4524891</link>
      <description>&lt;P&gt;In working with customers, I’ve seen the same pattern again and again: deployment gets the attention, but day 2 operations are where teams need the most structure. This guide is meant to make that part easier—with practical guidance teams can use right away.&lt;/P&gt;
&lt;H2&gt;TL;DR: Your day 2 playbook is here&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;What’s new?&lt;/STRONG&gt; A prescriptive &lt;STRONG&gt;Microsoft Entra Global Secure Access operations guide&lt;/STRONG&gt; on Microsoft Learn&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Why it matters:&lt;/STRONG&gt; It brings actionable, alert-first procedures for teams running Global Secure Access after deployment&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;What’s inside:&lt;/STRONG&gt; A role matrix, automated health checks, capability-specific guides, templates, and automation scripts&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Start here:&lt;/STRONG&gt; &lt;A class="lia-external-url" href="http://aka.ms/GSAOpsGuide" target="_blank" rel="noopener"&gt;Microsoft Entra Global Secure Access operations guide&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;The day 2 gap&lt;/H2&gt;
&lt;P&gt;Deploying Global Secure Access (GSA) is only the beginning. Day 2 challenges raise questions like: &lt;BR /&gt;&lt;EM&gt;Who monitors what? When do checks happen? How do we know everything is healthy?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;The deployment guide covers rollout, and the product documentation explains configuration. But until now, there was no single resource that explained&amp;nbsp;&lt;STRONG&gt;how to operate Global Secure Access in production&lt;/STRONG&gt;. Customers, FastTrack, and partners built their own runbooks—and rebuilt them for each deployment.&lt;/P&gt;
&lt;P&gt;That ends today.&lt;/P&gt;
&lt;H2&gt;Announcing the Operations Guide&lt;/H2&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="http://aka.ms/GSAOpsGuide" target="_blank" rel="noopener"&gt;Microsoft Entra Global Secure Access operations guide&lt;/A&gt; is now live on Microsoft Learn.&lt;/P&gt;
&lt;P&gt;This post-deployment playbook delivers prescriptive guidance for&amp;nbsp;&lt;STRONG&gt;running Global Secure Access in production at scale&lt;/STRONG&gt;. It was created by the Global Secure Access customer experience engineering team with input from &lt;STRONG&gt;Thomas Detzner, Janice Ricketts, Jeff Bley, Luis Flores, Marilee Turscak, Peter Lenzke, Mohammad Zmaili, and Ken Withe&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H2&gt;Who this guide empowers&lt;/H2&gt;
&lt;P&gt;This guide is for the teams that keep Global Secure Access running every day: IT administrators, network engineers, and platform operations teams that need clear answers to questions like “Who owns what?” and “How do we prevent issues before they happen?”&lt;/P&gt;
&lt;P&gt;It also equips security leaders with structured reporting so they can demonstrate value and service health to executives. If you’re responsible for Global Secure Access performance, alerting, or automation, this is your new reference playbook. &lt;EM&gt;(And if you haven’t deployed yet, start with the &lt;/EM&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/architecture/gsa-deployment-guide-intro" target="_blank" rel="noopener"&gt;&lt;EM&gt;deployment guide&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;.)&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;What you’ll gain from this guide&lt;/H2&gt;
&lt;H3&gt;Shared practices that work across any environment&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Know your roles early:&lt;/STRONG&gt; A RACI matrix so responsibilities never overlap&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Manage change with confidence:&lt;/STRONG&gt; A GSA-tailored change-control framework for smooth updates&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Prove success with clarity:&lt;/STRONG&gt; Reporting templates for operators, managers, and executives&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Adopt continuous improvement:&lt;/STRONG&gt; Built-in processes to spot gaps before they become issues&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Capability-specific playbooks structured for speed&lt;/H3&gt;
&lt;P&gt;Every workload (Private Access, Internet Access, Remote Networks, Microsoft Traffic) follows one clear pattern so teams always know what comes next:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Begin with &lt;STRONG&gt;alert-first monitoring&lt;/STRONG&gt; steps that catch issues early&lt;/LI&gt;
&lt;LI&gt;Follow &lt;STRONG&gt;daily, weekly, monthly routines&lt;/STRONG&gt; for health maintenance&lt;/LI&gt;
&lt;LI&gt;Automate critical workflows with &lt;STRONG&gt;Sentinel, Graph API, and PowerShell scripts&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Track and tune KPIs using measured baselines&lt;/LI&gt;
&lt;LI&gt;Diagnose and resolve quickly with &lt;STRONG&gt;symptom-to-fix troubleshooting&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Don’t start from zero—use the templates&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;Daily health check across all GSA capabilities&lt;/LI&gt;
&lt;LI&gt;Ready-made change request forms and notification playbooks&lt;/LI&gt;
&lt;LI&gt;Modular checklists ready for your ITSM process&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Why this guide is different&lt;/H2&gt;
&lt;P&gt;Unlike generic environment monitoring advice, this guide delivers concrete, tested procedures built from field experience. It applies an alert-first approach so teams can act on signals from Microsoft Sentinel and Azure Monitor before dashboards show trouble.&lt;/P&gt;
&lt;P&gt;Each alert comes with an action—nothing is left unanswered. Automation is embedded throughout, including role-based access control (RBAC) hygiene checks and failover tests. Because operations demand clarity, the guide also provides measurable thresholds, baseline methods, and recovery steps that reduce noise and reinforce uptime.&lt;/P&gt;
&lt;H2&gt;Six moves to launch operational maturity&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;Assign roles using the RACI matrix for full coverage&lt;/LI&gt;
&lt;LI&gt;Configure critical alerts before adding custom workflows&lt;/LI&gt;
&lt;LI&gt;Collect 30 days of baseline data before adjusting thresholds&lt;/LI&gt;
&lt;LI&gt;Automate backups and priority alert notifications early&lt;/LI&gt;
&lt;LI&gt;Schedule routine checks using provided templates&lt;/LI&gt;
&lt;LI&gt;Begin structured reporting starting with weekly operations and monthly management reviews&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;Why it matters for customers and partners&lt;/H2&gt;
&lt;P&gt;This framework reduces time to readiness after deployment, documents a defensible Day 2 plan for audits, cuts escalations by linking every alert to a clear action path, and gives FastTrack and partners a baseline for consistency in engagements.&lt;/P&gt;
&lt;H3&gt;Next up&lt;/H3&gt;
&lt;P&gt;Soon we will publish the GSA Security Operations Guide for Microsoft Entra Global Secure Access, providing a dedicated security monitoring and detection companion to the operational guides for Private Access, Internet Access, Remote Networks, and Microsoft traffic. It brings together the built-in alerts, log sources, Sentinel detections, and cross-signal investigation patterns that security teams need to identify suspicious activity and unauthorized changes across the GSA environment.&lt;/P&gt;
&lt;P&gt;If deployment is still ahead, start with the &lt;A href="https://learn.microsoft.com/en-us/entra/architecture/gsa-deployment-guide-intro" target="_blank" rel="noopener"&gt;GSA Deployment Guide&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Your move&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/aka.ms/GSAOpsGuide" target="_blank" rel="noopener"&gt; Open the full guide&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Download templates and run your first daily health check today&lt;/LI&gt;
&lt;LI&gt;Post feedback and ideas to help shape future updates&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;-Thomas Detzner&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.linkedin.com/in/thomasdetzner/" target="_blank" rel="noopener"&gt;Thomas Detzner | LinkedIn&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://aka.ms/GSAOpsGuide" target="_blank" rel="noopener"&gt;Microsoft Entra Global Secure Access operations guide&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/IRPlaybooks" target="_blank" rel="noopener"&gt;Microsoft Incident Response Playbooks: response guidance for containment, eradication, and recovery after a SecOps detection is confirmed&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-sentinel-integration" target="_blank" rel="noopener"&gt;Enhance threat detection with Global Secure Access in Microsoft Sentinel: how to stream GSA data into Sentinel, install the solution, enable analytics rules, and use the built-in workbooks&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/concept-alerts" target="_blank" rel="noopener"&gt;What are Global Secure Access alerts?: the built-in GSA alert types, what they mean, and where to view them&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/concept-global-secure-access-logs-monitoring" target="_blank" rel="noopener"&gt;Global Secure Access logs and monitoring: overview of dashboards, traffic logs, audit logs, enriched Microsoft 365 logs, retention, and monitoring surfaces&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-access-audit-logs" target="_blank" rel="noopener"&gt;How to access the Global Secure Access audit logs: where to find GSA-related audit activity and how to filter it for operational or security investigations&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities" target="_blank" rel="noopener"&gt;Microsoft Entra audit log categories and activities for Global Secure Access: the authoritative list of GSA audit operations and categories for change monitoring&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;&lt;STRONG&gt;Learn more about Microsoft Entra&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
</description>
      <pubDate>Fri, 05 Jun 2026 18:04:21 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/run-global-secure-access-with-confidence-introducing-the-gsa/ba-p/4524891</guid>
      <dc:creator>tdetzner</dc:creator>
      <dc:date>2026-06-05T18:04:21Z</dc:date>
    </item>
    <item>
      <title>Build AI agents for production with secure identities from day one</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/build-ai-agents-for-production-with-secure-identities-from-day/ba-p/4524606</link>
      <description>&lt;P&gt;Building an AI agent is no longer the hard part. The real challenge begins when that agent must run securely in production and meet identity, access, audit, and security requirements. That’s where many agents get stuck. It’s relatively easy to build a prototype, but much harder to deploy an agent that operates with the security controls required for production. Microsoft Entra Agent ID helps close that gap by giving agents a consistent identity foundation. Together with the Microsoft Agent 365 CLI and SDK, it helps you deploy AI agents that are ready to be managed, governed, and protected within your organization.&lt;/P&gt;
&lt;H2&gt;What is Microsoft Entra Agent ID?&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID&lt;/A&gt;, now generally available, is the identity and access platform in Microsoft Entra for AI agents. It introduces a set of identity constructs that match how agents are built and operated. There are three key concepts worth noting when deploying agents in your organization.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;BR /&gt;Agent blueprint:&lt;/STRONG&gt; A blueprint is the reusable identity template for a class of agents. It defines the common configuration, accountability model, credentials, and scopes used when creating agent identities so developers can create them consistently across deployments.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;The agent blueprint manifest is a JSON representation of the blueprint, which you can view or edit under developer settings.&lt;BR /&gt;&lt;BR /&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-align-left lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Agent identity:&lt;/STRONG&gt; Every agent instance gets its own identity in Microsoft Entra. Each identity has its own sign-in history, audit trail, assigned scopes, and targetable principal for Conditional Access. When you need to know what agent #4,712 did at 3:47 a.m. yesterday, the answer is in Microsoft Entra sign-in logs, indexed by the agent identity itself. When you need to retire a single malicious instance without touching the rest of your fleet, there is a kill switch for that agent identity.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;The agent identities view in the Microsoft Entra admin center shows you an inventory of the agent identities in your tenant.&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-align-left lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;BR /&gt;Agent sponsors and owners:&lt;/STRONG&gt; Every agent needs clear accountability through two distinct roles. Sponsors provide business accountability for the agent’s purpose and lifecycle decisions, such as whether it should retain access or be retired. Owners are responsible for the technical configuration and management of the agent identity.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;The overview of the individual agent identity shows the sponsor, blueprint, and granted permissions for the agent.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;These concepts matter because they shape how agent onboarding works in practice. Once you understand the blueprint, the agent identity, and the accountability roles around it, the next question is how those pieces are created during deployment.&lt;/P&gt;
&lt;H2&gt;How an agent gets an agent identity, blueprint, and sponsor&lt;/H2&gt;
&lt;P&gt;There isn’t one single way to provision an agent identity, and that’s intentional. Microsoft Entra documents the official &lt;A href="https://learn.microsoft.com/en-us/entra/agent-id/agent-id-creation-channels" target="_blank" rel="noopener"&gt;creation channels&lt;/A&gt; through which agent identity blueprints and identities can land in your tenant. Each channel has its own audience and control surface, and every creation event is recorded in Microsoft Entra audit logs with the channel attached. The channels developers use most often are outlined here.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft product integrations:&lt;/STRONG&gt; Agents built in Microsoft Foundry, Copilot Studio, and Security Copilot get a Microsoft Entra Agent ID automatically as part of platform onboarding. Identity is provisioned from a blueprint and connected without any additional developer effort.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Agent 365 CLI and SDK:&lt;/STRONG&gt; For agents built on any other framework (Microsoft Agent Framework, OpenAI Agents SDK, Anthropic Claude Agent SDK, Google ADK, AWS Bedrock, LangChain, LlamaIndex, CrewAI, Semantic Kernel, GitHub Copilot SDK, and others), the Microsoft Agent 365 CLI provisions the agent’s identity through Microsoft Graph, and the Microsoft Agent 365 SDK connects the running agent to the control plane so observability, governance, and security come with the identity.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This is the recommended channel for cross-platform and non-Microsoft agents because one integration delivers Microsoft Entra Agent ID plus the rest of Microsoft Agent 365 as a single bundle.&lt;/P&gt;
&lt;H2&gt;Get started&lt;/H2&gt;
&lt;P&gt;For developers who don’t already have an onboarding pipeline, the fastest way to take an agent from a code repository to a managed, governed, and protected agent in your tenant is to use the AI-guided onboarding experience in the &lt;A href="https://learn.microsoft.com/en-us/microsoft-agent-365/developer/" target="_blank" rel="noopener"&gt;Microsoft Agent 365 CLI and SDK&lt;/A&gt; documentation. It walks you through the end-to-end steps: running the Microsoft Agent 365 CLI, wrapping your agent entry point with the Microsoft Agent 365 SDK, and configuring the runtime credentials Microsoft Entra will use to issue tokens.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Learn more about &lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID&lt;/A&gt; and how it helps organizations secure access for AI agents&lt;/LI&gt;
&lt;LI&gt;Learn how to &lt;A href="https://aka.ms/A365SDK-Blog" target="_blank" rel="noopener"&gt;make any agent enterprise-ready with the Agent 365 SDK&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Explore: &lt;A href="https://www.microsoft.com/en-us/microsoft-agent-365?msockid=01e7c8230a52661133cfdf100b696796" target="_blank" rel="noopener"&gt;Microsoft Agent 365&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;-Arturo Lucatero, Principal Product Manager&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/microsoft-agent-365/developer/" target="_blank" rel="noopener"&gt;Microsoft Agent 365 CLI and SDK Documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/agent-id/" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID Documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/microsoft-agent-365/" target="_blank" rel="noopener"&gt;Microsoft Agent 365 Documentation&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
</description>
      <pubDate>Tue, 02 Jun 2026 19:15:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/build-ai-agents-for-production-with-secure-identities-from-day/ba-p/4524606</guid>
      <dc:creator>ArLucaID</dc:creator>
      <dc:date>2026-06-02T19:15:00Z</dc:date>
    </item>
    <item>
      <title>What's New in Microsoft Entra: June 2026</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra-june-2026/ba-p/4517885</link>
      <description>&lt;P&gt;Welcome to the June edition of our monthly newsletter, summarizing the latest news and developments in the exciting, ever-evolving world of Microsoft Entra.&lt;/P&gt;
&lt;H2&gt;What went into General Availability (GA) since May 2026?&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/devices/sso-linux?tabs=password-auth%2cdebian-install%2cdebian-update%2cdebian-uninstall%2cdebian-sc-example" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enable Phish‑Resistant MFA for Linux Desktops with Microsoft Entra&lt;/STRONG&gt;&amp;nbsp;&lt;/A&gt;-&amp;nbsp;Microsoft Entra extends Phish Resistant Multi-Factor Authentication support to Linux desktops through the Microsoft identity broker, closing a long-standing gap in cross-platform identity. This update brings Linux to parity with Windows and macOS, enabling secure, modern authentication using phishing-resistant credentials. Support is now available for Ubuntu 24.04 and 26.04, as well as RHEL 8, 9, and 10, helping organizations consistently enforce strong authentication across all major desktop platforms.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/external-id/customers/enable-external-id-high-scale-compatibility-mode" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enable improved B2C-to-External ID migration with High Scale Compatibility (HSC) mode&lt;/STRONG&gt;&lt;/A&gt; – HSC mode is a new tenant-level migration option that lets Azure AD B2C customers transition their applications to Microsoft Entra External ID without re-registering users or resetting passwords, by keeping existing B2C credentials in place during coexistence. It's intended for high-scale tenants - generally those with 5 million or more objects - where the standard bulk migration with JIT password sync isn't practical. Tenants below the 5M threshold should continue to use the standard migration path, and even eligible high-scale tenants should carefully evaluate both options before choosing. Customers can run the B2C Policy Analyzer to assess migration readiness, and account teams and partners should engage the EEID migration team to guide eligible Azure Active Directory B2C customers toward the right migration path.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-system-preferred-authentication" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enable system-preferred authentication for first and second factors&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra ID updates system-preferred authentication to apply to both first-factor and second-factor authentication in Microsoft Managed state. The system evaluates registered credentials for the user and selects the highest-ranked method for each authentication step. This update applies automatically in the Microsoft managed state, ensuring seamless and secure authentication experiences.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://support.microsoft.com/en-US/accounts-billing/work-school/my-account-portal-for-work-or-school-accounts" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Modernize account management with redesigned My Account pages&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra introduces redesigned &lt;STRONG&gt;Devices, Security Info,&lt;/STRONG&gt; and &lt;STRONG&gt;Organizations pages &lt;/STRONG&gt;in the My Account portal. The &lt;STRONG&gt;Devices &lt;/STRONG&gt;page simplifies registered device management and prominently surfaces BitLocker recovery keys, reducing IT helpdesk dependency. The &lt;STRONG&gt;Security Info&lt;/STRONG&gt; page in &lt;STRONG&gt;Settings &amp;amp; Privacy&lt;/STRONG&gt; centralizes profile information, language, and region settings for easier updates. The &lt;STRONG&gt;Organizations&lt;/STRONG&gt; page resolves issues with end users leaving organizations and delivers a streamlined experience. These updates automatically roll out to Microsoft Entra ID customers by the end of June 2026, requiring no administrator action.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Cross-tenant group synchronization in Microsoft Entra&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;-&amp;nbsp;This enables organizations to synchronize security groups and memberships across tenants for centralized management and consistent access control. This simplifies cross-tenant collaboration by allowing groups managed in a source tenant to be used in one or more target tenants for scenarios like shared application access and resource authorization.&amp;nbsp;Beyond collaboration, this enables more seamless cross-tenant administration by allowing organizations to extend governance and access control consistently across tenant boundaries.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/accountDiscoveryDocumentation" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Account discovery for connected applications in Microsoft Entra ID Governance&lt;/STRONG&gt;&lt;/A&gt; - Administrators gain visibility into all accounts within connected applications, including orphan accounts not assigned to the enterprise application in Microsoft Entra. Generate discovery reports directly from the provisioning experience to identify access gaps and simplify application onboarding. This capability requires a Microsoft Entra ID Governance or Microsoft Entra Suite license.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/agent-sponsor-tasks" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Automate agent identity sponsorship transitions&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra ID Governance ensures agent identities always have a delegated human sponsor accountable for their access and lifecycle. With Lifecycle Workflows, when a sponsor leaves the organization, sponsorship automatically transfers to their manager, maintaining continuity. Lifecycle workflows can also notify cosponsors and managers of impending sponsorship changes, streamlining the process and reducing manual oversight.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/how-to-mfa-registration-campaign" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Drive Passkey Adoption with Microsoft Entra Registration Campaigns&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;- Microsoft Entra Registration Campaigns now supports Passkeys such as Fast Identity Online (FIDO2), as an authentication method. Administrators can configure registration campaigns to nudge users to register passkeys during sign-in, helping organizations drive passkey adoption. This first rollout experience is optimized for users in a passkey profile without restrictions.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/app-disablement-docs" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;App Deactivation for Microsoft Entra applications&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;- App Deactivation introduces a safe, reversible, and self-service way for app owners and admins to turn off applications that are unused, deprecated, or under investigation - without deleting them or breaking tenant-level governance.&amp;nbsp;Deactivating an app registration provides a reversible way to prevent the application from accessing protected resources without permanently removing it from your tenant. When you deactivate an application, it immediately stops receiving new access tokens, but existing tokens remain valid until they expire. This approach is useful for security investigations, temporary suspension of suspicious applications, or when you need to maintain application configuration data.&amp;nbsp;Unlike permanently deleting an application, deactivation preserves all application metadata, permissions, and configuration settings, making it easy to reactivate the application if needed. The application remains visible in your tenant's enterprise applications list, but users can't sign in and no new tokens are issued.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/how-to-authentication-entra-passkeys-on-windows" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enable phishing-resistant sign-in with Microsoft Entra passkeys on Windows&lt;/STRONG&gt;&lt;/A&gt; - Users register device-bound passkeys in the local Windows Hello container and use them for secure sign-in with Windows Hello biometrics or PIN. These passkeys function as FIDO2 credentials and work without requiring the device to be Microsoft Entra joined or registered. This capability is automatically available in tenants where passkey profiles permit Windows Hello as a provider, supporting phishing-resistant authentication for Entra-protected cloud resources. Interactive Windows console sign-in is not supported.&lt;/P&gt;
&lt;H2&gt;New in Public Preview&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/external-id/direct-federation#domainless-saml-idp-federation-preview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Support domain-less SAML Federation on workforce tenants&lt;/STRONG&gt;&lt;/A&gt; - Domainless SAML federation with a SAML Identity Provider allows external users to authenticate into your apps or workforce resources using their IdP-managed credentials, regardless of their email domain. Domainless federation removes the need for domain matching between the user's email and pre-configured IdP domains during sign-in or invitation redemption.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/users/groups-sensitivity-labels" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Sensitivity labels for Entra security groups &lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;-&amp;nbsp;&lt;/STRONG&gt;Microsoft Entra ID supports applying Microsoft Purview sensitivity labels to Entra cloud security groups in public preview. This enables administrators to use the same labels and policies already used for Microsoft 365 groups to govern security group behaviors such as guest access and other controls. Sensitivity labels are managed in Microsoft Purview and can be applied through the Entra Admin Center, Azure portal, and Microsoft Graph, helping organizations apply consistent governance across identities and access.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/devices/concept-soft-delete-devices?branch=main&amp;amp;branchFallbackFrom=pr-en-us-12460" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Safely remove and restore devices with Device Soft Delete&lt;/STRONG&gt;&lt;/A&gt; - This enables administrators to move device objects to a recoverable state instead of permanently deleting them. Organizations can restore devices within a defined retention period while preserving critical data like device identity and associated security artifacts. The feature supports Microsoft Entra joined, registered, and hybrid joined devices, reducing risks from accidental deletions and improving device lifecycle management.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/EntraSAPSFConnectivityGuide" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Move SAP SuccessFactors Provisioning to Workload Identity-based authentication&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;- Microsoft Entra introduces Workload Identity-based authentication for SAP SuccessFactors provisioning, replacing long-lived usernames and passwords with Entra-managed credentials and short‑lived, standards‑based access tokens. This update allows customers to perform this authentication upgrade in-place on their existing provisioning jobs, without recreating or restarting them. This will switch their Entra or SuccessFactors integrations to a more secure model that is aligned with SAP SuccessFactors' plan to deprecate basic authentication for SAP SuccessFactors' APIs by November 2026. The new option applies to SAP SuccessFactors inbound provisioning to Active Directory and Microsoft Entra ID, as well as writeback scenarios, and improves security by eliminating the need to manually handle credentials and rotate them periodically.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/entitlement-management-azure-role-assignments" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Govern Azure role assignments with access packages&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra enables governance of eligible and active assignments to Azure roles at the Management Group, Subscription, and Resource Group levels through access packages. Role assignments now follow the same request, approval, and lifecycle governance model as apps and groups. This simplifies managing access to Azure resources at scale while supporting least privilege and just-in-time access principles.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/how-to-lifecycle-workflow-update-user-attributes" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Automate user attribute updates in Lifecycle Workflows&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra introduces the User Attribute Updates task in Lifecycle Workflows, enabling automated attribute changes directly within workflows. Administrators can set or clear attribute values including custom attributes with a secure, consistent, and auditable process. This feature reduces manual effort, enhances governance, and scales identity automation with confidence.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Improve privileged identity response for Security Operations Center (SOC)&lt;/STRONG&gt; - Microsoft is extending the Entra Security Operator role so SOC analysts can take identity response actions such as disabling users, revoking sessions, marking users compromised, forcing password resets (including for cloud-only accounts), and deleting individual authentication methods, directly from the Microsoft Defender unified role-based access control (RBAC) experience, without broad Entra admin roles or identity and access management (IAM) escalation during active incidents. These permissions are scoped to actions on non-admin users, enabling faster containment, least-privilege boundaries, and auditability.&lt;/P&gt;
&lt;H2&gt;Announcements&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-sspr-policy" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Require registered methods for Self-Service Password Reset&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra Self-Service Password Reset (SSPR) will only accept explicitly registered authentication methods for identity verification starting September 7, 2026. Directory-sourced contact information, such as phone numbers and email addresses stored as user object properties, will no longer be accepted unless registered as authentication methods. This change applies to all users, including administrators, across Public cloud, GCC, GCC High, and DoD. Beginning July 6, 2026, Microsoft will automatically launch a registration campaign prompting affected users to register authentication methods after sign-in. Administrators should ensure users have at least one registered method to meet SSPR policy requirements before enforcement to avoid disruptions.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/conditional-access/policy-all-users-security-info-registration" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enforce conditional Access during credential registration&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;- Starting&amp;nbsp;&lt;STRONG&gt;July 6, 2026,&lt;/STRONG&gt; Entra ID Conditional Access policies scoped to the&amp;nbsp;&lt;STRONG&gt;Register security information&lt;/STRONG&gt;&amp;nbsp;user action will be evaluated during credential registration for Windows Hello for Business and macOS Platform SSO .This ensures registration policies apply consistently across all registration flows. Users must satisfy policy controls, such as multifactor authentication (MFA), network restrictions, device compliance, or other tenant defined requirement before completing registration. Organizations without Conditional Access policies targeting this user action are unaffected, and MFA remains required by default for all passwordless credential registrations. Enforcement completes by July 13, 2026.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/how-to-authentication-passkeys-fido2#passkey-profile-prerequisites" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Expand passkey policy size and profiles in authentication methods policy&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra increases the passkey (Fast Identity Online 2, FIDO2) policy size limit to a dedicated 20 KB allocation within the authentication methods policy. Previously, all authentication methods shared a single 20 KB limit. This update ensures passkey policies have their own allocation, simplifying adoption and advanced targeting scenarios. Additionally, the maximum number of passkey profiles per tenant increases from 3 to 10, allowing greater flexibility in managing passkey configurations.&lt;/P&gt;
&lt;H2&gt;New guidance and information&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/overview-operations" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Global Secure Access Operations Guide&lt;/STRONG&gt;&lt;/A&gt; - The new GSA Operations Guide is your post-deployment companion for running Global Secure Access reliably at scale. It covers alerting, health checks, change management, metrics, and recovery playbooks, with ready-to-use KQL queries and templates you can adopt on day one. Capability-specific guides are included for Private Access, Internet Access, Remote Networks, and Microsoft Traffic.&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Tell us what you think!&lt;/H2&gt;
&lt;P&gt;If you have feedback on this newsletter, fill out the dedicated &lt;A href="https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR3tZ6taaY2dAnA0rWwJeTkRUM1BUWjM5TjI5Sk1HME45TVVYOEdBNkJRNy4u" target="_blank" rel="noopener"&gt;Microsoft Form&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Blogs&lt;/H2&gt;
&lt;P&gt;Check out the latest blog posts on our &lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;Microsoft Entra Blog&lt;/A&gt; and our &lt;A href="https://aka.ms/devblog/ms-entra" target="_blank" rel="noopener"&gt;Microsoft Entra Identity Developer Blog&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;What's new in Microsoft Entra?&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/fundamentals/whats-new" target="_blank" rel="noopener"&gt;Learn what is new with Microsoft Entra&lt;/A&gt;, such as the latest release notes, known issues, bug fixes, deprecation functionality, and upcoming changes. You can find &lt;A href="https://learn.microsoft.com/entra/fundamentals/whats-new-sovereign-clouds" target="_blank" rel="noopener"&gt;releases specific for Sovereign Clouds&lt;/A&gt; on a dedicated release notes page.&lt;/P&gt;
&lt;H2&gt;Become a certified Microsoft Identity and Access Administrator&lt;/H2&gt;
&lt;P&gt;Check out the &lt;A href="https://learn.microsoft.com/credentials/certifications/exams/sc-300/" target="_blank" rel="noopener"&gt;certification&lt;/A&gt; and related &lt;A href="https://learn.microsoft.com/credentials/certifications/identity-and-access-administrator/" target="_blank" rel="noopener"&gt;training&lt;/A&gt; for the Microsoft Identity and Access Administrator available for customers and partners.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Martin Coetzer&lt;/P&gt;
&lt;P&gt;Principal Product Manager, Identity and Network Access, Customer Experience Engineering (CXE)&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.linkedin.com/company/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra Community | LinkedIn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 01 Jun 2026 22:54:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra-june-2026/ba-p/4517885</guid>
      <dc:creator>Martin_Coetzer</dc:creator>
      <dc:date>2026-06-01T22:54:12Z</dc:date>
    </item>
    <item>
      <title>Entra ID Governance vs Saviynt for SAP IGA Use Cases</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra/entra-id-governance-vs-saviynt-for-sap-iga-use-cases/m-p/4523348#M10330</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;We are currently evaluating Microsoft Entra ID Governance as a potential replacement for Saviynt for SAP-focused IGA requirements across a mixed SAP landscape, including:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;SAP SuccessFactors&lt;/LI&gt;&lt;LI&gt;SAP Concur&lt;/LI&gt;&lt;LI&gt;SAP S/4HANA Private Cloud&lt;/LI&gt;&lt;LI&gt;Other SAP SaaS and enterprise applications&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I wanted to get insights from anyone who has implemented or worked extensively with Entra Governance in SAP-centric environments, specifically around the following areas:&lt;/P&gt;&lt;H3&gt;&lt;STRONG&gt;1. Birthright RBAC Provisioning&lt;/STRONG&gt;&lt;/H3&gt;&lt;P&gt;Can Entra Governance provision a single composite/business role (similar to Saviynt Enterprise Roles) through HR-driven JML events?&lt;/P&gt;&lt;P&gt;For example:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;HR event triggers provisioning&lt;/LI&gt;&lt;LI&gt;User automatically receives bundled SAP access/business roles&lt;/LI&gt;&lt;LI&gt;Role assignment follows birthright/access package logic&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;How mature/scalable is this approach in Entra compared to Saviynt?&lt;/P&gt;&lt;H3&gt;&lt;STRONG&gt;2. 
SoD (Segregation of Duties) Capabilities&lt;/STRONG&gt;&lt;/H3&gt;&lt;P&gt;Saviynt supports preventative SoD checks directly during request submission, including SAP-specific SoD analysis.&lt;/P&gt;&lt;P&gt;Questions:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Does Entra Governance support preventative SoD evaluation at request time?&lt;/LI&gt;&lt;LI&gt;Can conflicts be surfaced before approval/provisioning?&lt;/LI&gt;&lt;LI&gt;Is there native SAP SoD support or dependency on external tooling (for example SAP GRC/IAG)?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Additionally, Saviynt supports granular SAP authorization object analysis down to field-level min/max values within SAP Private Cloud environments.&lt;/P&gt;&lt;P&gt;Does Entra provide similar depth for SAP authorization analysis?&lt;/P&gt;&lt;H3&gt;&lt;STRONG&gt;3. SAP Integrations / Connectors&lt;/STRONG&gt;&lt;/H3&gt;&lt;P&gt;While Entra provides OOTB Enterprise Applications and provisioning connectors for SAP applications:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;What differences or limitations have you observed compared to Saviynt’s SAP connectors?&lt;/LI&gt;&lt;LI&gt;How well does Entra handle SAP role imports, entitlement hierarchy, and provisioning workflows?&lt;/LI&gt;&lt;LI&gt;Any known gaps for SAP Private Cloud integrations?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Would appreciate any implementation experiences, architecture guidance, lessons learned, or recommendations from teams who have evaluated or deployed Entra Governance in SAP-heavy environments.&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2026 17:28:07 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra/entra-id-governance-vs-saviynt-for-sap-iga-use-cases/m-p/4523348#M10330</guid>
      <dc:creator>carltonflewis</dc:creator>
      <dc:date>2026-05-27T17:28:07Z</dc:date>
    </item>
    <item>
      <title>Find shadow tenants and reduce risk fast with Microsoft Entra Tenant Governance</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/find-shadow-tenants-and-reduce-risk-fast-with-microsoft-entra/ba-p/4521996</link>
      <description>&lt;P&gt;As organizations grow, so does their tenant footprint. Over time, tenants created for acquisitions, development projects, regional operations, or partner collaboration can fall outside central IT visibility, creating what many security teams now refer to as shadow tenants.&lt;/P&gt;
&lt;P&gt;One of the foundational pillars of &lt;STRONG&gt;Microsoft Entra Tenant Governance&lt;/STRONG&gt; is discovering &lt;STRONG&gt;related tenants&lt;/STRONG&gt;. This capability helps you identify tenants connected to your environment through signals such as B2B collaboration, multitenant applications and shared billing relationships. With that visibility, you can reduce hidden security risks before they become incidents.&lt;/P&gt;
&lt;P&gt;Let’s explore what this looks like in practice through the lens of the &lt;STRONG&gt;Related Tenants&lt;/STRONG&gt; pillar.&lt;/P&gt;
&lt;H2&gt;Scenario: Contoso discovers its hidden tenant landscape&lt;/H2&gt;
&lt;P&gt;Contoso's IT security team knows about their primary production tenant and a handful of dev/test tenants. But after reading about the Midnight Blizzard attack, the CISO wants a complete picture. Are there tenants out there that Contoso doesn't know about?&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 1: Turn on discovery.&lt;/STRONG&gt; A Contoso admin, Alice, opens the &lt;A href="https://entra.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Entra admin center&lt;/A&gt;, navigates to &lt;STRONG&gt;Tenant governance &amp;gt; Related tenants&lt;/STRONG&gt;, and enables discovery. It takes a single click—no infrastructure to configure.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 2: Discover what’s connected.&lt;/STRONG&gt; Within hours, the system surfaces tenants connected to Contoso through cross-tenant signals (B2B collaboration, multitenant app registrations, and shared billing accounts). Alice sees 14 related tenants. The team recognizes nine of them. The other five are a mix of tenants from a 2023 acquisition that were never onboarded, a proof-of-concept tenant a partner team spun up, and two legacy test environments nobody remembered existed.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 3: Assess and act.&lt;/STRONG&gt; For each discovered tenant, Contoso can see the relationship type and the signals behind it. The security team flags unknown tenants for review and immediately runs a quarantine workflow for one unsanctioned tenant that has high-risk multitenant app permissions:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Confirm exposure.&lt;/STRONG&gt; Validate which app permissions were granted, whether admin consent exists, and which users or workloads are affected.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Block user sign-in paths.&lt;/STRONG&gt; In cross-tenant access settings, add the suspect tenant and block inbound and outbound user sign-in so collaboration with that tenant is stopped without disrupting trusted tenants.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Contain application access.&lt;/STRONG&gt; Find enterprise applications whose “appOwnerOrganizationId” matches the suspect tenant, then revoke granted permissions or delete the corresponding service principals to cut off app-based access.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Harden with tenant restrictions.&lt;/STRONG&gt; Apply a tenant restrictions v2 policy through Global Secure Access and universal tenant restrictions so managed users can’t authenticate to unsanctioned tenants.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Validate and decide. &lt;/STRONG&gt;Verify blocking in sign-in and audit logs, run a short scream test for business impact, then either onboard the tenant into governance relationships and policy baselines or keep it isolated until retirement.&lt;/LI&gt;
&lt;/OL&gt;
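&lt;P&gt;As an added example that is not part of this post or of the Tenant Governance feature, the following Node.js script works steps 1 to 3 of the quarantine workflow over constructed records shaped like the Microsoft Graph objects involved (servicePrincipals, oauth2PermissionGrants, appRoleAssignedTo) and builds the cross-tenant access partner entry that blocks inbound and outbound collaboration with the suspect tenant only. Tenant and object IDs are made up; the partner-object shape is an assumption taken from the Graph reference and should be checked against current docs; in a real run the arrays would come from Graph reads, and the resulting actions (revoking grants, deleting service principals, posting the partner policy) are deliberately left as output rather than executed.&lt;/P&gt;

```javascript
// Added example, not from the blog post: triage of one discovered, unsanctioned
// tenant over constructed Microsoft Graph-shaped records, plus the partner
// entry for cross-tenant access settings that blocks B2B collaboration with it.
// Tenant IDs, object IDs and records are constructed for illustration.

const SUSPECT_TENANT = "11111111-1111-1111-1111-111111111111";

// Constructed sample of GET /servicePrincipals (fields trimmed).
const servicePrincipals = [
  { id: "sp-1", appId: "app-1", displayName: "Partner Sync",
    appOwnerOrganizationId: SUSPECT_TENANT },
  { id: "sp-2", appId: "app-2", displayName: "Mail Reader",
    appOwnerOrganizationId: SUSPECT_TENANT },
  { id: "sp-3", appId: "app-3", displayName: "Corp HR App",
    appOwnerOrganizationId: "22222222-2222-2222-2222-222222222222" },
];

// Constructed sample of GET /oauth2PermissionGrants (delegated consent).
// consentType AllPrincipals is tenant-wide admin consent; Principal is one user.
const oauth2PermissionGrants = [
  { clientId: "sp-1", consentType: "AllPrincipals", principalId: null,
    resourceId: "graph-sp", scope: "User.Read Directory.Read.All" },
  { clientId: "sp-2", consentType: "Principal", principalId: "user-7",
    resourceId: "graph-sp", scope: "Mail.Read" },
];

// Constructed sample of appRoleAssignedTo on the resource SP: application
// permissions held by a client SP, which need no signed-in user at all.
const appRoleAssignments = [
  { principalId: "sp-1", principalType: "ServicePrincipal",
    resourceId: "graph-sp", appRoleId: "role-mail-readwrite-all" },
];

// Steps 1 and 3: for every SP owned by the suspect tenant, collect tenant-wide
// consent, per-user consent and application permissions, then pick the
// containment action. Tenant-wide access means the SP goes; otherwise revoke
// grants first so the scream test in step 5 stays reversible.
function assessTenantExposure(tenantId, sps, grants, roleAssignments) {
  return sps
    .filter(function (sp) { return sp.appOwnerOrganizationId === tenantId; })
    .map(function (sp) {
      const spGrants = grants.filter(function (g) { return g.clientId === sp.id; });
      const adminConsentScopes = spGrants
        .filter(function (g) { return g.consentType === "AllPrincipals"; })
        .flatMap(function (g) { return g.scope.split(" "); });
      const affectedUsers = spGrants
        .filter(function (g) { return g.consentType === "Principal"; })
        .map(function (g) { return g.principalId; });
      const appPermissions = roleAssignments
        .filter(function (a) { return a.principalId === sp.id; })
        .map(function (a) { return a.appRoleId; });
      const tenantWide = adminConsentScopes.length + appPermissions.length > 0;
      return {
        servicePrincipalId: sp.id,
        displayName: sp.displayName,
        adminConsentScopes: adminConsentScopes,
        affectedUsers: affectedUsers,
        appPermissions: appPermissions,
        action: tenantWide ? "delete-service-principal" : "revoke-grants",
      };
    });
}

// Step 2: the partner entry for cross-tenant access settings that blocks
// inbound and outbound B2B collaboration with the suspect tenant only. The
// shape follows Graph's crossTenantAccessPolicyConfigurationPartner (assumed
// from the reference; check it against the current docs before posting).
function blockedPartnerConfig(tenantId) {
  const blockAll = {
    usersAndGroups: { accessType: "blocked",
      targets: [{ target: "AllUsers", targetType: "user" }] },
    applications: { accessType: "blocked",
      targets: [{ target: "AllApplications", targetType: "application" }] },
  };
  return {
    tenantId: tenantId,
    b2bCollaborationInbound: blockAll,
    b2bCollaborationOutbound: blockAll,
  };
}

console.log(JSON.stringify(assessTenantExposure(SUSPECT_TENANT, servicePrincipals,
  oauth2PermissionGrants, appRoleAssignments), null, 2));
console.log(JSON.stringify(blockedPartnerConfig(SUSPECT_TENANT), null, 2));
```

&lt;P&gt;The per-tenant partner entry is what keeps step 2 surgical: it changes nothing for the tenants you already trust, and the output of the assessment tells you, before you delete anything, which users will notice (the Principal grants) and which access needed no user at all (application permissions).&lt;/P&gt;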
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Microsoft Entra Tenant Governance related tenants.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Microsoft Entra Tenant Governance discovery signals.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This isn’t a one-time scan. Related tenants are a continuously updated inventory; as new tenants appear in Contoso’s identity landscape, they surface automatically. No more blind spots waiting to be exploited.&lt;/P&gt;
&lt;P&gt;Following the guidance in &lt;A href="https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/discover-cloud-footprint" target="_blank" rel="noopener"&gt;Discover your Microsoft cloud footprint&lt;/A&gt;, organizations can further expand their visibility by using additional telemetry sources including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Azure subscription billing data&lt;/LI&gt;
&lt;LI&gt;Authentication logs (Microsoft Entra sign-ins)&lt;/LI&gt;
&lt;LI&gt;Microsoft 365 activity&lt;/LI&gt;
&lt;LI&gt;Audit logs&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These sources help organizations inventory all Microsoft tenants where users have signed in or resources are provisioned, identify cross-tenant relationships through app consent and Global Secure Access network traffic, and surface potential risks from tenants with elevated permissions or suspicious patterns.&lt;/P&gt;
&lt;P&gt;For tenants that are discovered but not yet trusted, organizations can take immediate action using existing &lt;A href="https://aka.ms/tenantquarantine" target="_blank" rel="noopener"&gt;tenant quarantine capabilities&lt;/A&gt; to isolate potentially risky tenants and restrict their interactions until they've been assessed.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Important: &lt;/EM&gt;&lt;/STRONG&gt;&lt;EM&gt;Using the new add-on tenant creation flow is a crucial part of establishing a secure tenant landscape. To ensure organizations are using the most secure methods possible to create add-on tenants, the legacy workforce tenant creation flow will be retired August 15, 2026.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;Get started&lt;/H2&gt;
&lt;P&gt;Threat actors continue to innovate, but so do we. By making tenant discovery a foundational part of your identity strategy, you can close gaps before adversaries find them.&lt;/P&gt;
&lt;P&gt;To get started, enable related tenants discovery in the &lt;A href="https://entra.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Entra admin center&lt;/A&gt; or through the tenant governance API. Your feedback is instrumental in shaping these tools. We invite you to try the public preview and share your experience.&lt;/P&gt;
&lt;P&gt;Stay secure, stay informed, and stay ahead.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;-Cindy Crane, Principal Product Manager&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview" target="_blank" rel="noopener"&gt;What is Microsoft Entra Tenant Governance? (preview) – Microsoft Entra ID Governance | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/discover-cloud-footprint" target="_blank" rel="noopener"&gt;Discover your Microsoft cloud footprint&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/entra/fundamentals/quarantine-unsanctioned-tenants" target="_blank" rel="noopener"&gt;Quarantine unsanctioned tenants&lt;/A&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 26 May 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/find-shadow-tenants-and-reduce-risk-fast-with-microsoft-entra/ba-p/4521996</guid>
      <dc:creator>CindyCrane</dc:creator>
      <dc:date>2026-05-26T15:00:00Z</dc:date>
    </item>
    <item>
      <title>ssoSilent() not working across Next.js apps — timed_out or account picker on localhost</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra/ssosilent-not-working-across-next-js-apps-timed-out-or-account/m-p/4521758#M10329</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've been stuck on this for a few days and would really appreciate some guidance from anyone who has dealt with cross-app silent SSO using MSAL.js v5.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here's the setup. We have 3 separate Next.js applications all belonging to the same organisation, all registered under a single Azure Entra ID App Registration with the same clientId and tenantId. In production they all live under the same parent domain — app1.contoso.com, app2.contoso.com, app3.contoso.com — so localStorage is shared between them. On localhost we run them on ports 3000, 3001, and 3002.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The goal is simple: if a user is already signed into App 1, opening App 2 in a new tab should silently authenticate them without any popup, redirect, or account picker. Just seamless SSO.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is how I've set up the msalConfig:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;export const msalConfig: Configuration = {&lt;/P&gt;&lt;P&gt;auth: {&lt;/P&gt;&lt;P&gt;clientId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',&lt;/P&gt;&lt;P&gt;authority: 'https://login.microsoftonline.com/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',&lt;/P&gt;&lt;P&gt;redirectUri: 'http://localhost:3001/',&lt;/P&gt;&lt;P&gt;postLogoutRedirectUri: '/login',&lt;/P&gt;&lt;P&gt;},&lt;/P&gt;&lt;P&gt;cache: {&lt;/P&gt;&lt;P&gt;cacheLocation: 'localStorage',&lt;/P&gt;&lt;P&gt;storeAuthStateInCookie: true,&lt;/P&gt;&lt;P&gt;},&lt;/P&gt;&lt;P&gt;};&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;export const loginRequest = {&lt;/P&gt;&lt;P&gt;scopes: ['openid', 'profile', 'email', 'User.Read'],&lt;/P&gt;&lt;P&gt;};&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Inside a component called SsoInitializer that sits inside MsalProvider, I scan localStorage for a sibling app's MSAL account on mount. 
I check both msal.2.account.keys (MSAL v5 format) and msal.account.keys (older format), extract the username/email as a loginHint, and then call ssoSilent(). If no loginHint is found — which is always the case on localhost since different ports are different origins — I still call ssoSilent() without a hint, expecting it to fall back to the Entra session cookie that was set when the user logged into port 3000.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;instance.ssoSilent({&lt;/P&gt;&lt;P&gt;...loginRequest,&lt;/P&gt;&lt;P&gt;...(loginHint ? { loginHint } : {}),&lt;/P&gt;&lt;P&gt;redirectUri: `${window.location.origin}/silent-callback.html`,&lt;/P&gt;&lt;P&gt;})&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The silent-callback.html in /public is just a blank HTML page with no scripts, which I believe is the correct approach based on the docs since MSAL v5 uses postMessage to communicate with the iframe.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Azure app registration has the SPA platform selected, all redirect URIs including the /silent-callback.html variants are registered for all three localhost ports, ID tokens are enabled, and User.Read has admin consent.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now here is the problem.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When App 1 is logged in on localhost:3000 and I open App 2 on localhost:3001, ssoSilent() fires but one of two things happens:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The first failure is a timed_out error — BrowserAuthError: timed_out from BrowserUtils.ts. The server-telemetry key in localStorage shows redirect_bridge_timeout repeated multiple times with cacheHits of 0. This started happening when I had a CDN import of MSAL inside silent-callback.html trying to call handleRedirectPromise(). 
The CDN download was too slow for the iframe timeout window, so I removed it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The second failure happens after switching to the blank HTML silent-callback page. The timed_out goes away but now ssoSilent() seems to fall through entirely and the Microsoft "Pick an account" full-page redirect opens — which completely defeats the purpose.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've also tried passing prompt: 'none' explicitly in the ssoSilent request. No change.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One important observation from DevTools: the Entra session cookie IS present in the browser. The user is fully signed in on port 3000. Based on my understanding of the docs, ssoSilent() without a loginHint should detect this session cookie and authenticate silently. But it's either timing out or showing the account picker.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a few specific questions I'm hoping someone can help with:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, is ssoSilent() actually supposed to work without a loginHint using only the Entra session cookie? Or does it require a hint and will always show the account picker if multiple accounts are signed in to the browser?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Second, what is the correct content of silent-callback.html for MSAL v5 specifically? The blank page causes redirect_bridge_timeout, but adding MSAL scripts causes a different timeout because they load too slowly. Has the iframe handshake mechanism changed between v1/v2 and v5?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Third, is there an officially recommended pattern for cross-app silent SSO when developing on localhost with different ports? 
In production the same-domain setup handles localStorage sharing fine, but on localhost the browser's same-origin policy makes each port completely isolated, so the sibling token scan always returns null.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Fourth, does the redirectUri passed to ssoSilent() need to point to a page that actively runs MSAL code, or is a blank page genuinely sufficient for the iframe to complete its handshake in v5?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using @azure/msal-browser 5.6.1, @azure/msal-react 3.0.20, Next.js 14 App Router, Chrome on Windows 11, single tenant.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any help or a working example from someone who has done this in MSAL v5 would be hugely appreciated. Thanks in advance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
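The pattern the post describes, as an added example that is not the poster's code and not taken from MSAL.js: a dependency-injected helper that scans a Storage-like object for an MSAL account entry left by a sibling app, derives a loginHint from its username, calls ssoSilent with that hint when one exists, and falls back to an interactive redirect only when the error is one MSAL classifies as requiring interaction. The account-key names (msal.2.account.keys, msal.account.keys) are the ones named in the post and are assumed rather than verified against msal-browser 5.x internals; the error classification (InteractionRequiredAuthError, errorCode interaction_required or login_required) follows MSAL's documented convention and should likewise be checked against the version in use. The cache contents and the PublicClientApplication test double are constructed so the script runs without a browser.

```javascript
// Added example, not the poster's code: a dependency-injected helper for the
// cross-app silent SSO pattern described in the post. It scans a Storage-like
// object for an MSAL account entry written by a sibling app, derives a
// loginHint, calls ssoSilent, and falls back to an interactive redirect only
// when MSAL reports that user interaction is required. The cache key names are
// the ones named in the post and are assumed; the error-code check follows
// MSAL's InteractionRequiredAuthError convention (also an assumption to verify
// against the msal-browser version in use).

const ACCOUNT_KEY_LISTS = ["msal.2.account.keys", "msal.account.keys"];

// Read the account-key index MSAL keeps in storage, then the first account
// entry that carries a username. Returns null when nothing usable is found,
// which is the localhost case because each port is its own origin.
function findSiblingLoginHint(storage) {
  for (const listKey of ACCOUNT_KEY_LISTS) {
    const raw = storage.getItem(listKey);
    if (!raw) { continue; }
    let keys;
    try { keys = JSON.parse(raw); } catch (e) { continue; }
    if (!Array.isArray(keys)) { continue; }
    for (const k of keys) {
      const entry = storage.getItem(k);
      if (!entry) { continue; }
      try {
        const account = JSON.parse(entry);
        if (account.username) { return account.username; }
      } catch (e) { /* skip malformed cache entries */ }
    }
  }
  return null;
}

// Build the ssoSilent request; attach loginHint only when one was found,
// otherwise the Entra session cookie is the only signal MSAL can use.
function buildSilentRequest(request, loginHint) {
  const silentRequest = Object.assign({}, request);
  if (loginHint) { silentRequest.loginHint = loginHint; }
  return silentRequest;
}

// Assumed convention: MSAL surfaces server errors such as interaction_required
// and login_required as InteractionRequiredAuthError.
function isInteractionRequired(err) {
  return err.name === "InteractionRequiredAuthError" ||
    err.errorCode === "interaction_required" ||
    err.errorCode === "login_required";
}

// `instance` is an MSAL PublicClientApplication or any object exposing
// ssoSilent() and loginRedirect(); `storage` is window.localStorage or a
// test double. Returns how sign-in completed; rethrows unexpected errors
// instead of hiding them behind a redirect.
async function silentSignIn(instance, storage, request) {
  const loginHint = findSiblingLoginHint(storage);
  try {
    const result = await instance.ssoSilent(buildSilentRequest(request, loginHint));
    return { outcome: "silent", username: result.account.username, usedHint: loginHint };
  } catch (err) {
    if (isInteractionRequired(err)) {
      await instance.loginRedirect(request);
      return { outcome: "interactive", username: null, usedHint: loginHint };
    }
    throw err;
  }
}

// Constructed cache contents as a sibling app on the same origin would leave
// them (the key layout homeAccountId-environment-tenantId is illustrative).
const sampleCache = {
  "msal.account.keys": JSON.stringify(["uid.utid-login.windows.net-tid"]),
  "uid.utid-login.windows.net-tid": JSON.stringify({
    homeAccountId: "uid.utid", username: "alice@contoso.example" }),
};
const sampleStorage = {
  getItem: function (k) { return sampleCache[k] === undefined ? null : sampleCache[k]; },
};
const emptyStorage = { getItem: function () { return null; } };
const loginRequest = { scopes: ["openid", "profile", "User.Read"] };

// Test double standing in for PublicClientApplication: succeeds only when a
// hint is supplied, otherwise behaves like a browser with several sessions.
function fakeInstance(log) {
  return {
    ssoSilent: async function (req) {
      if (req.loginHint) { return { account: { username: req.loginHint } }; }
      const err = new Error("interaction_required");
      err.name = "InteractionRequiredAuthError";
      err.errorCode = "interaction_required";
      throw err;
    },
    loginRedirect: async function (req) { log.push("redirect:" + req.scopes.join(",")); },
  };
}

silentSignIn(fakeInstance([]), sampleStorage, loginRequest)
  .then(function (r) { console.log(JSON.stringify(r)); });
```

In a Next.js app the same helper would be called from the SsoInitializer component with the real instance from useMsal() and window.localStorage; the separation of findSiblingLoginHint and isInteractionRequired is what makes the hint logic and the fallback decision testable without a browser.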
      <pubDate>Thu, 21 May 2026 07:08:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra/ssosilent-not-working-across-next-js-apps-timed-out-or-account/m-p/4521758#M10329</guid>
      <dc:creator>CilansSystem</dc:creator>
      <dc:date>2026-05-21T07:08:45Z</dc:date>
    </item>
    <item>
      <title>Platform SSO during automated device enrollment is now generally available for macOS</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/platform-sso-during-automated-device-enrollment-is-now-generally/ba-p/4436813</link>
      <description>&lt;P&gt;Getting new devices into users’ hands quickly while maintaining strong identity and compliance has always required a careful balance. IT admins need streamlined deployment workflows, while end users expect a frictionless experience from the very first sign-in.&lt;/P&gt;
&lt;P&gt;Today, we’re excited to announce that &lt;STRONG&gt;Platform SSO (PSSO) during Automated Device Enrollment (ADE) on macOS is now generally available&lt;/STRONG&gt;. This capability simplifies onboarding by enabling device registration and Platform SSO setup to occur automatically during enrollment, eliminating extra steps for both IT administrators and end users.&lt;/P&gt;
&lt;H2&gt;Streamline setup for IT admins&lt;/H2&gt;
&lt;P&gt;Automated Device Enrollment already provides a powerful way to provision macOS devices with the right configuration, policies, and applications from the start. With Platform SSO now integrated directly into this flow, IT admins can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Ensure Platform SSO is enabled as part of enrollment — no post-setup steps required.&lt;/LI&gt;
&lt;LI&gt;Standardize device identity and access configuration from day one.&lt;/LI&gt;
&lt;LI&gt;Reduce deployment complexity by avoiding separate workflows for completing SSO setup.&lt;/LI&gt;
&lt;LI&gt;Improve compliance posture immediately with identity-backed device trust.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By incorporating PSSO into ADE, organizations can treat identity configuration as a core part of provisioning—not as an afterthought.&lt;/P&gt;
&lt;H2&gt;Reduce friction for end users&lt;/H2&gt;
&lt;P&gt;Previously, users enrolling macOS devices might encounter an additional step after setup to complete Platform SSO registration, typically requiring them to respond to a prompt or click a “Finish” action.&lt;/P&gt;
&lt;P&gt;With this new capability, that extra step is removed:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;No additional prompts to complete Platform SSO&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;No need for users to manually finish enrollment steps&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Immediate access to single sign-on experiences after setup&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The result is a smoother, more intuitive onboarding experience where users can begin working right away without interruption.&lt;/P&gt;
&lt;H2&gt;Understand how it works&lt;/H2&gt;
&lt;P&gt;With the &lt;STRONG&gt;EnableRegistrationDuringSetup&lt;/STRONG&gt; capability, Platform SSO registration is performed as part of the Automated Device Enrollment process. This ensures that:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The device is properly registered with Microsoft Entra ID during setup.&lt;/LI&gt;
&lt;LI&gt;Platform SSO is activated automatically.&lt;/LI&gt;
&lt;LI&gt;The user’s identity is fully integrated into the device experience from first sign-in.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Because this happens within the managed enrollment flow, it aligns naturally with existing MDM configurations and provisioning policies.&lt;/P&gt;
&lt;H2&gt;See why it matters&lt;/H2&gt;
&lt;P&gt;For organizations adopting modern identity and device management, reducing friction during onboarding is critical—not just for productivity, but for security consistency at scale.&lt;/P&gt;
&lt;P&gt;With Platform SSO during ADE:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;IT admins gain a predictable, simplified setup experience.&lt;/LI&gt;
&lt;LI&gt;Users avoid confusing or redundant steps during onboarding.&lt;/LI&gt;
&lt;LI&gt;Organizations achieve faster time-to-productivity with stronger identity integration.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This is especially impactful in environments where devices are deployed at scale, such as enterprise rollouts, education, or frontline scenarios.&lt;/P&gt;
&lt;H2&gt;Get started&lt;/H2&gt;
&lt;P&gt;Ready to simplify macOS onboarding? Configure Platform SSO during Automated Device Enrollment in Microsoft Intune to reduce setup friction and strengthen identity from day one.&lt;/P&gt;
&lt;P&gt;To enable Platform SSO during Automated Device Enrollment, follow the &lt;A href="https://review.learn.microsoft.com/en-us/mem/intune/configuration/configure-platform-sso-during-enrollment.md" target="_blank" rel="noopener"&gt;MDM configuration steps&lt;/A&gt; below:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Configure Automated Device Enrollment for macOS in your MDM solution.&lt;/LI&gt;
&lt;LI&gt;Ensure Platform SSO is configured for your organization.&lt;/LI&gt;
&lt;LI&gt;Enable the &lt;STRONG&gt;EnableRegistrationDuringSetup&lt;/STRONG&gt; setting as part of your deployment profile.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Once enabled, new devices will automatically complete Platform SSO setup during enrollment—with no additional user action required.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;-&lt;/STRONG&gt; Justin Ploegert&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/devices/macos-psso" target="_blank" rel="noopener"&gt;macOS Platform single sign-on (PSSO) overview&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-macos-platform-single-sign-on-extension" target="_blank" rel="noopener"&gt;macOS Platform single sign-on known issues and troubleshooting&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://review.learn.microsoft.com/en-us/mem/intune/configuration/configure-platform-sso-during-enrollment.md" target="_blank" rel="noopener"&gt;Configure Platform SSO for macOS devices in Microsoft Intune&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos" target="_blank" rel="noopener"&gt;Single Sign-on scenarios&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment" target="_blank" rel="noopener"&gt;Single Sign-on in ADE profile&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/device-configuration/settings-catalog/configure-platform-sso-macos" target="_blank" rel="noopener"&gt;Platform SSO configuration guide for macOS devices using Microsoft Intune&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos" target="_blank" rel="noopener"&gt;Common Platform SSO scenarios for macOS devices&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/intune-service/apps/apps-company-portal-macos" target="_blank" rel="noopener"&gt;Install Company Portal for macOS as a macOS LOB app&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/intune/intune-service/enrollment/device-enrollment-program-enroll-macos" target="_blank" rel="noopener"&gt;Set up automated device enrollment (ADE)&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra/bd-p/Azure-Active-Directory" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 18 May 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/platform-sso-during-automated-device-enrollment-is-now-generally/ba-p/4436813</guid>
      <dc:creator>Justin-Ploegert</dc:creator>
      <dc:date>2026-05-18T15:00:00Z</dc:date>
    </item>
    <item>
      <title>Microsoft Identity Manager 2016 SP3 now available: Enhanced stability for hybrid identity</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-identity-manager-2016-sp3-now-available-enhanced/ba-p/4519489</link>
      <description>&lt;P&gt;Many organizations continue to depend on Microsoft Identity Manager (MIM) 2016 for scenarios that are not easily replicated elsewhere, such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Synchronization across multiple directories and forests&lt;/LI&gt;
&lt;LI&gt;Complex attribute flows and identity correlation logic&lt;/LI&gt;
&lt;LI&gt;Management of custom objects and extended schemas&lt;/LI&gt;
&lt;LI&gt;Deep integration with on-premises applications&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) is now generally available. SP3 focuses on stability and supportability and updates compatibility with current platform components such as SQL Server, SharePoint, and Exchange. It also adds a new deployment option for the Synchronization Service: Azure SQL Database, with authentication through system-assigned and user-assigned managed identities to help reduce operational risk in hybrid identity environments.&lt;/P&gt;
&lt;H2&gt;In this release&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Run MIM on current platform components&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Updated compatibility for newer platform releases, including SQL Server 2022 and Exchange Server Subscription Edition (SE).&lt;/LI&gt;
&lt;LI&gt;New Synchronization Service database option: Azure SQL Database with authentication via system-assigned and user-assigned managed identities.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Modernize the MIM Service and Portal experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Deploy the MIM Portal on SharePoint Subscription Edition (SE).&lt;/LI&gt;
&lt;LI&gt;Support for System Center Service Manager Data Warehouse (DW) 2022 for reporting and audit integration.&lt;/LI&gt;
&lt;LI&gt;Active Directory Federation Services (AD FS) single sign-on (SSO) support for claims-based authentication, enabling users to sign in through AD FS instead of Windows integrated authentication.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Download and upgrade information&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;Based on your licensing, you can download the installer packages here:&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-licensing#obtaining-windows-installer-packages" target="_blank" rel="noopener"&gt;Microsoft Identity Manager licensing and downloads | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;SP3 introduces a new upgrade process. Please follow the documented steps carefully:&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-upgrade-from-service-pack-2-to-service-pack-3" target="_blank" rel="noopener"&gt;Upgrade Microsoft Identity Manager 2016 from SP2 to SP3 | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Operational recommendation: Validate SP3 in a non-production environment first, then roll it out to your production environment.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Support lifecycle&lt;/H2&gt;
&lt;P&gt;MIM 2016 SP2 will remain supported for 12 months (through May 2027), in line with the service pack support lifecycle policy. Customers should plan to upgrade from SP2 to SP3 within that window. For details, see: &lt;A href="https://learn.microsoft.com/en-us/lifecycle/policies/fixed" target="_blank" rel="noopener"&gt;Fixed Lifecycle Policy | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;MIM 2016 remains supported through January 9, 2029, under Microsoft’s Fixed Lifecycle Policy. While MIM continues to support critical identity scenarios, Microsoft is actively investing in Microsoft Entra as the long-term platform for identity governance and lifecycle management. We recognize that some MIM use cases require a phased or hybrid approach, and we are working closely with customers to support these transitions.&lt;/P&gt;
&lt;P&gt;Questions about upgrading to SP3 or planning your longer-term identity strategy? Contact your Microsoft account team or support contact to review your environment, timelines, and transition path.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Ben Mann&lt;/STRONG&gt;, Group Product Manager&lt;BR /&gt;&amp;nbsp;Microsoft Entra&lt;/P&gt;
&lt;P&gt;Africa Development Center (ADC)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;About MIM 2016 - &lt;A href="https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016" target="_blank" rel="noopener"&gt;Microsoft Identity Manager | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Migrate from MIM to Entra ID - &lt;A href="https://learn.microsoft.com/en-us/microsoft-identity-manager/migrate-entra-id" target="_blank" rel="noopener"&gt;Migrating to Microsoft Entra ID from Microsoft Identity Manager | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
</description>
      <pubDate>Thu, 14 May 2026 17:30:53 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-identity-manager-2016-sp3-now-available-enhanced/ba-p/4519489</guid>
      <dc:creator>benmann</dc:creator>
      <dc:date>2026-05-14T17:30:53Z</dc:date>
    </item>
    <item>
      <title>"Access package assignment manager" role with "Restricted access to Microsoft Entra admin center"</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra/quot-access-package-assignment-manager-quot-role-with-quot/m-p/4519739#M10325</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;How can I allow a user with the &lt;STRONG&gt;"Access package assignment manager"&lt;/STRONG&gt; role assigned only to a single catalog to manage access package assignments when &lt;STRONG&gt;"Restricted access to Microsoft Entra admin center"&lt;/STRONG&gt; is set to &lt;STRONG&gt;Yes&lt;/STRONG&gt;?&lt;/P&gt;&lt;P&gt;I do not see any option to manage assignments through the &lt;STRONG&gt;MyAccess&lt;/STRONG&gt; portal, so it seems this must be done through the &lt;STRONG&gt;Entra Admin Center&lt;/STRONG&gt;. However, the user cannot access the Entra Admin Center because they do not have any Entra administrative roles.&lt;/P&gt;&lt;P&gt;I do not have an &lt;STRONG&gt;Entra ID Governance&lt;/STRONG&gt; license, so the option to use &lt;STRONG&gt;on-behalf-of access package assignment requests&lt;/STRONG&gt; is not available.&lt;/P&gt;&lt;P&gt;How can this scenario be solved?&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Thu, 14 May 2026 11:49:27 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra/quot-access-package-assignment-manager-quot-role-with-quot/m-p/4519739#M10325</guid>
      <dc:creator>PawelKowalczyk</dc:creator>
      <dc:date>2026-05-14T11:49:27Z</dc:date>
    </item>
    <item>
      <title>Secure the moments attackers target: onboarding, access requests, and account recovery</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/secure-the-moments-attackers-target-onboarding-access-requests/ba-p/3627344</link>
      <description>&lt;P&gt;High assurance identity verification is no longer limited to regulated industries or edge cases. It is increasingly becoming a baseline requirement for scenarios like remote onboarding, account recovery, and access to sensitive resources. Microsoft tracks &lt;A href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;over 600 million identity attacks every day&lt;/STRONG&gt;&lt;/A&gt;, with &lt;STRONG&gt;more than 7,000 password attacks blocked per second&lt;/STRONG&gt; across Microsoft Entra environments.&lt;/P&gt;
&lt;P&gt;Even as organizations adopt multifactor authentication and move towards passwordless sign-in, including &lt;STRONG&gt;passkeys&lt;/STRONG&gt;, an essential step toward eliminating passwords, security teams also need to protect the &lt;STRONG&gt;passkey lifecycle&lt;/STRONG&gt; (enrollment, device changes, and recovery). Attackers are shifting upstream to impersonation and gaps in identity verification. Microsoft reports that &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/?msockid=1da3b11f9fdc65802aeaa21c9e906454" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;more than 99%&lt;/STRONG&gt;&lt;/A&gt; of identity attacks still target passwords, often combined with phishing or adversary-in-the-middle techniques designed to bypass traditional authentication controls.&lt;/P&gt;
&lt;P&gt;This shift exposes a growing challenge. Possession of a credential is no longer enough to establish trust. Organizations increasingly need to verify that the &lt;STRONG&gt;person attempting to log in is the legitimate owner&lt;/STRONG&gt; during high-risk moments such as onboarding, access requests, and account recovery. &lt;BR /&gt;&lt;BR /&gt;That's where&amp;nbsp;&lt;A href="https://youtu.be/HG6-aLnDoM0?si=EZGVHP-ODA83SQtZ" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Face Check&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; with Microsoft Entra Verified ID&lt;/STRONG&gt; can help.&lt;/P&gt;
&lt;H2&gt;What is Face Check?&lt;/H2&gt;
&lt;P&gt;Face Check is a&amp;nbsp;&lt;STRONG&gt;privacy‑respecting facial matching capability&lt;/STRONG&gt; built into Microsoft Entra Verified ID. It helps organizations perform high‑assurance identity verification by matching a real‑time selfie with a trusted photo from a verified credential.&lt;/P&gt;
&lt;P&gt;Face Check adds an extra layer of confidence during verification by:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Comparing a live selfie with a photo already associated with a Verified ID credential.&lt;/LI&gt;
&lt;LI&gt;Performing facial matching using Azure AI services.&lt;/LI&gt;
&lt;LI&gt;Sharing only a match confidence score with the relying application, rather than the selfie or biometric data.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Face Check is designed with privacy in mind. The verifier receives only the match result and confidence score. Sensitive identity data and liveness footage are not shared or stored long term.&lt;/P&gt;
&lt;P&gt;To make it easier to use Face Check across your organization, &lt;A href="https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing?msockid=1da3b11f9fdc65802aeaa21c9e906454" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;we have removed the per-user Face Check limit in Microsoft Entra Suite&lt;/STRONG&gt;&lt;/A&gt;. This lets you apply Face Check more broadly across key scenarios like remote onboarding, access requests with entitlement management, and account recovery.&lt;/P&gt;
&lt;P&gt;In addition, as we announced on &lt;STRONG&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/passkeys-aren%E2%80%99t-the-finish-line-eliminating-fallbacks-and-fixing-recovery/3627345" target="_blank" rel="noopener"&gt;World Passkey Day&lt;/A&gt;&lt;/STRONG&gt;, verified account recovery is now generally available. In this blog, we will dive into three scenarios, including account recovery, where you can enable high assurance identity verification with Face Check today:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Employee verification when onboarding&lt;/LI&gt;
&lt;LI&gt;Access to sensitive resources via access packages&lt;/LI&gt;
&lt;LI&gt;Self-service account recovery&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Remote onboarding with Face Check&lt;/H2&gt;
&lt;P&gt;Alex is joining Contoso as a remote finance employee. Like many organizations, Contoso must onboard new hires who are not yet inside the trust boundary and cannot complete in‑person identity checks.&lt;/P&gt;
&lt;P&gt;To address this, Contoso has created a custom onboarding workflow that allows new employees to verify their identity with Face Check with Microsoft Entra Verified ID. This workflow uses government‑issued, ID‑based attestations from verification partners to help establish trust during remote onboarding.&lt;/P&gt;
&lt;img&gt;Face Check in Authenticator App&lt;/img&gt;
&lt;H3&gt;How the onboarding flow works&lt;/H3&gt;
&lt;P&gt;Alex receives a unique, time‑limited onboarding link that maps to his HR record. Through a custom onboarding portal, Alex is guided to acquire a Verified ID credential from an identity verification partner and then present it back to the organization.&lt;/P&gt;
&lt;P&gt;Using Verified ID APIs, the system validates the credential claims, matches them to Alex’s pre‑created Microsoft Entra ID account, and continues the onboarding flow. This can include generating a Temporary Access Pass for first sign‑in.&lt;/P&gt;
&lt;P&gt;Face Check strengthens this flow by helping confirm that &lt;STRONG&gt;Alex is the person presenting the Verified ID&lt;/STRONG&gt;. During credential presentation, Face Check compares a live selfie with the photo on Alex’s government-issued ID and returns a confidence score to the relying application.&lt;/P&gt;
&lt;P&gt;This is especially useful in remote onboarding scenarios where:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The initial interaction occurs outside the organization’s trust boundary.&lt;/LI&gt;
&lt;LI&gt;In‑person verification is not possible.&lt;/LI&gt;
&lt;LI&gt;Organizations want higher assurance without adding manual review for every hire.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Face Check fits naturally into the Verified ID presentation step without changing the overall onboarding architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/verified-id/remote-onboarding-new-employees-id-verification" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Learn how to enable Face Check for onboarding.&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Requesting access with Face Check&lt;/H2&gt;
&lt;P&gt;After onboarding, Alex needs access to an internal financial tool through an access package. Because this access carries higher risk, the organization requires stronger identity assurance before approving the request.&lt;/P&gt;
&lt;P&gt;With Microsoft Entra entitlement management, organizations can configure &lt;STRONG&gt;access packages to require Verified ID verification&lt;/STRONG&gt; as part of the request flow. This allows the system to confirm the requester’s identity before access is granted. &amp;nbsp;&lt;/P&gt;
&lt;P&gt;When Alex requests access:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The access package policy requires Verified ID verification.&lt;/LI&gt;
&lt;LI&gt;Alex presents a Verified ID credential during the request process.&lt;/LI&gt;
&lt;LI&gt;The system validates the credential before continuing with approval and assignment.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Face Check in Entitlement Management&lt;/img&gt;
&lt;P&gt;Face Check helps confirm that &lt;STRONG&gt;Alex is the person presenting the credential&lt;/STRONG&gt;. A live selfie is matched against the photo associated with the Verified ID, and the relying application receives a confidence score.&lt;/P&gt;
&lt;P&gt;This is especially useful for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Access to sensitive or high‑impact resources.&lt;/LI&gt;
&lt;LI&gt;Time‑bound or just‑in‑time access scenarios.&lt;/LI&gt;
&lt;LI&gt;Reducing the risk of impersonation during access requests.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-verified-id-settings" target="_blank" rel="noopener"&gt;Learn how to enable Face Check for in entitlement management. &lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;Account recovery with Face Check (Now generally available)&lt;/H2&gt;
&lt;P&gt;After a few months in the role, Alex experiences a device issue and can no longer access his passkey. All registered authentication methods are unavailable.&lt;/P&gt;
&lt;P&gt;In these total lockout scenarios, traditional self‑service password reset is not sufficient because it depends on access to an existing authentication method. This often results in help desk calls, delayed recovery, and lost productivity.&lt;/P&gt;
&lt;P&gt;Microsoft Entra &lt;STRONG&gt;self-service&lt;/STRONG&gt; &lt;STRONG&gt;account recovery&lt;/STRONG&gt; is designed for these scenarios by focusing on &lt;STRONG&gt;identity verification and trust re‑establishment&lt;/STRONG&gt; rather than simple credential reset.&lt;/P&gt;
&lt;H3&gt;A better experience for Alex&lt;/H3&gt;
&lt;P&gt;Instead of contacting the help desk, Alex can start account recovery directly from the sign-in experience. Identity verification is performed through a selected &lt;A href="https://learn.microsoft.com/en-us/entra/verified-id/idv-partners#security-store-integration-partners" target="_blank" rel="noopener"&gt;identity verification&lt;/A&gt; partner from the &lt;A href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt;, which validates government-issued documents such as passports or driver’s licenses. The result is then cross-validated against Alex’s government ID information held in the internal HR system. Face Check helps confirm that the person presenting the credential is the legitimate holder.&lt;/P&gt;
&lt;P&gt;Once verified:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Alex receives temporary access to re-register his authentication methods.&lt;/LI&gt;
&lt;LI&gt;He can return to work without prolonged downtime.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This turns account recovery into a guided, self-service experience rather than a disruptive support escalation.&lt;/P&gt;
&lt;P&gt;📺 &lt;A href="https://www.youtube.com/watch?v=5ivST2bw7uQ" target="_blank" rel="noopener"&gt;Watch the account recovery experience in action&lt;/A&gt;&lt;/P&gt;
&lt;H3&gt;Lower help desk costs, stronger security&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=iU-zJIGFEYQ" target="_blank" rel="noopener"&gt;Account recovery&lt;/A&gt; with government IDs and Face Check also helps organizations:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Reduce high‑risk, high‑touch help desk tickets related to lockouts.&lt;/LI&gt;
&lt;LI&gt;Minimize reliance on human judgment, which can be vulnerable to social engineering.&lt;/LI&gt;
&lt;LI&gt;Support passwordless users who have no fallback recovery options.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We have also released a cost-savings calculator to help you estimate potential help desk savings from enabling self-service account recovery. You can find this calculator in the &lt;STRONG&gt;Microsoft Entra ID&lt;/STRONG&gt; blade under &lt;STRONG&gt;Account Recovery&lt;/STRONG&gt;.&lt;/P&gt;
&lt;img&gt;Cost savings with account recovery&lt;/img&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-account-recovery-overview" target="_blank" rel="noopener"&gt;Learn how to enable account recovery.&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H1&gt;Get started with Face Check in Microsoft Verified ID&lt;/H1&gt;
&lt;P&gt;To get started with Face Check across these scenarios and more, &lt;A href="https://learn.microsoft.com/en-us/entra/verified-id/using-facecheck" target="_blank" rel="noopener"&gt;visit Microsoft Learn&lt;/A&gt; to see how to enable Face Check and integrate it into your Verified ID and Microsoft Entra workflows.&lt;/P&gt;
&lt;P&gt;- &lt;EM&gt;Ankur Patel&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.youtube.com/watch?v=5ivST2bw7uQ" target="_blank" rel="noopener"&gt;Account Recovery End User Video&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/verified-id/using-facecheck" target="_blank" rel="noopener"&gt;Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;⁠&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;⁠&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;⁠Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;⁠&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra/bd-p/Azure-Active-Directory" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 18:35:54 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/secure-the-moments-attackers-target-onboarding-access-requests/ba-p/3627344</guid>
      <dc:creator>AnkurPatel</dc:creator>
      <dc:date>2026-05-11T18:35:54Z</dc:date>
    </item>
    <item>
      <title>passkeys in the Authenticator app regarding attestation</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra/passkeys-in-the-authenticator-app-regarding-attestation/m-p/4518458#M10320</link>
      <description>&lt;P&gt;I have a question about passkeys in the Authenticator app regarding attestation in connection with QR code-based cross-device sign-in.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When we register a passkey with attestation enabled in the Authenticator app, it can be used to complete the sign-in process on another device via QR code and Bluetooth Low Energy. According to Microsoft’s documentation, this shouldn’t be possible with attestation enabled, yet it works. What are we misunderstanding here?&lt;/P&gt;&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey" target="_blank"&gt;https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passkeys-fido2&lt;/A&gt;&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;Thanks for your inputs.&lt;BR /&gt;&lt;BR /&gt;Johannes&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 13:22:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra/passkeys-in-the-authenticator-app-regarding-attestation/m-p/4518458#M10320</guid>
      <dc:creator>jgeisler</dc:creator>
      <dc:date>2026-05-11T13:22:45Z</dc:date>
    </item>
    <item>
      <title>What's New in Microsoft Entra: May 2026</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra-may-2026/ba-p/4517884</link>
      <description>&lt;P&gt;Welcome to the May edition of our monthly newsletter, summarizing the latest news and developments in the exciting, ever-evolving world of Microsoft Entra.&lt;/P&gt;
&lt;H2&gt;What went into General Availability (GA) since April 2026?&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-network-content-filtering" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Network content filtering by file type in Global Secure Access&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Global Secure Access supports network-based content filtering, based on file types. Administrators can monitor and control file transfers to generative AI and software-as-a-service (SaaS) applications. Organizations can define policies to block or restrict transfers of sensitive file types, such as documents, spreadsheets, and PDFs, preventing unauthorized data exfiltration across the network. This feature adds data loss prevention (DLP) on the network level.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-ai-prompt-injection-protection" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Prompt injection protection&lt;/STRONG&gt;&lt;/A&gt; - AI Gateway, part of Microsoft Global Secure Access, safeguards generative AI applications, agents, and language models. The prompt injection protection capability in AI Gateway is real-time protection against malicious prompt injection attacks on enterprise generative AI apps, a top risk for large language models (LLMs). By enforcing guardrails at the network level, prompt injection protection ensures consistent security across generative AI applications, without the need for code changes.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-install-ios-client" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Global Secure Access client on iOS and iPadOS&lt;/STRONG&gt;&lt;/A&gt; - Global Secure Access is available on iOS and iPadOS, extending secure network access to mobile Apple devices. No new agent installation is required, the client uses Microsoft Defender for Endpoint to route traffic through Global Secure Access for Microsoft 365, Microsoft Entra Internet Access, and Microsoft Entra Private Access. This enables organizations to apply consistent Zero Trust network policies across Microsoft Windows, macOS, and iOS platforms.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-configure-cloud-firewall" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Configure Global Secure Access with Cloud Firewall and remote networks for internet access&lt;/STRONG&gt;&lt;/A&gt; - Customers can use Global Secure Access with Cloud Firewall to apply administrator-configurable filtering: source IP, destination IP, protocol, source port, destination port for internet traffic acquired from branch offices through Global Secure Access remote networks capability.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/concept-external-user-access" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;External user access in the Global Secure Access Windows client&lt;/STRONG&gt;&lt;/A&gt; - Enable Microsoft Private Access for external guest users and external members signing in with their home organization’s Microsoft Entra ID. The client automatically detects external tenant context and allows users to seamlessly switch to the appropriate external tenant. External guest users are now billed using Monthly Active User (MAU) licensing.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/concept-remote-network-connectivity" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Secure branch office Microsoft Entra Internet Access with Global Secure Access remote network connectivity&lt;/STRONG&gt;&lt;/A&gt; - Global Secure Access remote network connectivity enables secure access to full internet, including Microsoft 365, from branch offices and remote sites using Internet Protocol Security (IPsec) tunnels, without requiring Global Secure Access on end‑user devices. Traffic from customer-premises equipment, such as firewalls or routers, is routed to Global Secure Access, where centralized security controls like web filtering, cloud firewall, and threat inspection are applied at the network layer. This capability extends Zero Trust protections to branch offices and unmanaged devices such as printers, servers, kiosks, Internet of Things (IoT), and bring-your-own-device (BYOD), enabling consistent policy enforcement, unified logging, and simplified operations without additional hardware.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/entitlement-management-request-access#view-approver-information-for-pending-requests-preview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;View approver details for access package requests in the My Access portal&lt;/STRONG&gt;&lt;/A&gt; - Entitlement management in Microsoft Entra ID enables requestors to view approver name, email address, and their pending access package requests in the My Access portal. Streamline communication between requestors and approvers, reduce delays in access approvals. Approver information appears, by default, to members and can be controlled at the tenant and access package level.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/privileged-identity-management/groups-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Enforce Conditional Access policies on Privileged Identity Management role activation&lt;/STRONG&gt;&lt;/A&gt; - Privileged Identity Management (PIM) in Microsoft Entra ID supports configuration of reauthentication through Microsoft Entra Conditional Access policies for role activation. Administrators can require multifactor authentication (MFA) or other Conditional Access controls when a user activates a privileged role. Help ensure elevated access is protected with current authentication signals. This enhancement strengthens privileged identity security and enforces Zero Trust principles for administrative access.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/microsoft-identity-manager/microsoft-identity-manager-2016" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Reduce risk with Microsoft Identity Manager 2016 Service Pack 3&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Identity Manager 2016 Service Pack 3 (MIM 2016 SP3) delivers improved stability, broader platform compatibility, and reduced operational risk for hybrid identity environments. SP3 supports Microsoft SQL Server 2022, Microsoft SharePoint Server Subscription Edition, Microsoft Exchange Server Subscription Edition, and Microsoft System Center Service Manager DW 2022. SP3 has a new deployment option for the MIM Synchronization Service using Microsoft Azure SQL Database with managed identity authentication.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive#issuer-hints" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Issuer Hints streamline certificate selection in certificate-based authentication&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra certificate-based authentication (CBA) supports Issuer Hints to improve the sign-in experience for users with multiple certificates installed on their devices. Issuer Hints ensures the certificate picker shows trusted certificates valid for the organization, reducing confusion and minimizing sign-in errors. This enhancement improves security and usability without requiring changes to how certificates are issued or managed.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-certificate-based-authentication-mobile-ios" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Certificate-based authentication on iOS&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra CBA is available on iOS, delivering phish-resistant authentication on Apple mobile devices. Native iOS sign-ins no longer generate unnecessary password or multifactor authentication (MFA) prompts. CBA is supported as a second factor with priority (third place) in the system-preferred MFA list. Users can select another allowed MFA method, based on tenant policy, ensuring a more secure and seamless experience.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-system-preferred-multifactor-authentication#faq" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Certificate-based authentication elevated in system-preferred MFA list on iOS&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra CBA is supported as a second-factor method on iOS and is compatible with single sign-on (SSO) and Primary Refresh Token (PRT). Native iOS sign-in flows reduce unnecessary password and MFA prompts, enabling an easier user experience.&amp;nbsp; In addition, CBA is third in the system-preferred MFA hierarchy, ensuring stronger, phishing-resistant authentication methods are prioritized, when available.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive#certificate-authority-ca-scoping" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Certificate Authority scoping for certificate-based authentication&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra now supports Certificate Authority (CA) scoping for certificate-based authentication (CBA). Tenant administrators can restrict specific certificate authorities to defined user groups. This ensures authorized users authenticate using certificates issued by a particular CA, improving security and policy enforcement. Administrators can create tailored authentication policies for differing user scenarios, while they maintain a seamless sign-in experience.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity-platform/configurable-token-lifetimes" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Configurable token lifetimes in Microsoft Entra ID&lt;/STRONG&gt;&lt;/A&gt; - This feature enables administrators to customize the lifetime of access tokens, ID tokens, and Security Assertion Markup Language (SAML) tokens issued by the Microsoft Identity Platform. Create and assign token lifetime policies to applications and Service Principals. With this capability, organizations align token duration with their security and operational needs.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://devblogs.microsoft.com/identity/native-auth-social-idps-web-view-ga/" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Social identity provider support for native authentication in Microsoft Entra External ID&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Entra External ID supports social identity providers (IdPs) such as Apple, Facebook, Google and custom Open ID Connect (OIDC) providers through browser-delegated, web-view, authentication in native authentication. Developers can build native sign-up and sign-in experiences using software development kits (SDKs), while keeping users in the app for primary authentication. Social IdP sign-in is handled through secure web-view flows enforced by Microsoft Entra Conditional Access. This helps organizations streamline user onboarding, meet modern security expectations, and deliver authentication experiences customers trust.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/app-provisioning/configure-workday-termination-lookahead" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Prefetch Workday termination data to customize account disable logic&lt;/STRONG&gt;&lt;/A&gt; - This update to the Workday connector addresses termination processing delays affecting workers in the Asia Pacific (APAC) and Australia and New Zealand (ANZ) regions. Admins can enable the termination look-ahead setting to prefetch data and customize deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/fundamentals/concept-license-usage-insights" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Track and optimize Microsoft Entra license usage in the Microsoft Entra admin center&lt;/STRONG&gt;&lt;/A&gt; - The License Usage page in the Microsoft Entra admin center gives organizations visibility into feature usage across the tenant. Administrators can view Microsoft Entra ID P1, P2, and Suite licenses and usage metrics for key features such as Conditional Access and risk-based Conditional Access, mapped to license tiers. Usage trends over the past six months illustrate license footprint, the value derived from Microsoft Entra, and potential over-usage risks.&lt;/P&gt;
&lt;H2&gt;New in Public Preview&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/concept-explicit-forward-proxy" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Explicit Forward Proxy for Microsoft Entra Internet Access&lt;/STRONG&gt;&lt;/A&gt; - Explicit Forward Proxy (EFP) for Internet Access enables secure web and AI gateway features in scenarios where installation of the GSA client is difficult or not possible. EFP is an effective mechanism to protect internet traffic when users use browsers to access resources from: multi-session Virtual Desktop Infrastructure (VDI), kiosks, browsers on Linux desktops, on lightly managed devices, and on bring-your-own devices with Microsoft Edge and Intune app policies.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/accountDiscoveryDocumentation" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Account discovery for connected applications in Microsoft Entra ID Governance&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;- Microsoft Entra ID Governance supports account discovery for connected applications. Administrators gain visibility into accounts in connected applications, including orphan accounts not assigned to the enterprise application in Microsoft Entra. Generate discovery reports from the provisioning experience and identify access gaps while simplifying application onboarding.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#security-operator" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Improve privileged identity response for Security Operations Centers&lt;/STRONG&gt;&lt;/A&gt; - Microsoft is extending the Entra Security Operator role, so a Security Operations Cetner (SOC) analyst can take identity response actions such as disable users, revoke sessions, mark users compromised, force password resets (including cloud-only accounts), and delete individual authentication methods. These actions are done from the Microsoft Defender role-based access control (RBAC) experience, without broad Microsoft Entra admin roles, or IAM escalation during active incidents. Permissions are scoped to non-admin users and a limited set of administrative roles, enabling faster containment, least-privilege boundaries, and auditability.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/fundamentals/how-to-customize-branding-themes-apps" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Create app‑specific sign‑in experiences with branding themes&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;-&amp;nbsp;Microsoft Entra&amp;nbsp;introduces&amp;nbsp;branding themes to create multiple, app‑specific, sign‑in branding experiences, instead of a limited tenant‑wide configuration. This capability supports differing audiences, use cases, and application requirements.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/external-id/customers/how-to-entra-id-federation-customers" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Federate external tenants with Microsoft Entra ID using OIDC&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;-&amp;nbsp;Microsoft Entra ID supports OIDC federation between Microsoft Entra ID&amp;nbsp;workforce and Microsoft Entra External ID tenants. Users sign in to customer-facing applications with their Microsoft Entra ID workforce identities.&amp;nbsp;Users authenticate with their home tenant and access Microsoft Entra External ID tenant applications. This action eliminates the need for duplicate accounts, simplifies sign-in, and enables consistent security controls across workforce and external scenarios.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/graph/query-parameters?tabs=http" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Optimize sign‑in insights with $count in Microsoft Graph&lt;/STRONG&gt;&lt;/A&gt; - Microsoft Graph supports $count in sign-in Application Programming Interface (API) requests. &amp;nbsp;Customers compute record counts in their queries. Combined with Microsoft Graph query parameters such as $filter, $select, $orderby, $top, and $expand, developers return the data they need, reduce response size, and improve application performance. These query options make it easier to build efficient, scalable solutions, especially for security and identity scenarios in Microsoft Entra, by optimizing how sign-in data is queried, processed, and presented.&lt;/P&gt;
&lt;H2&gt;Announcements&lt;/H2&gt;
&lt;P&gt;In April 2026, Microsoft transitions from Microsoft Entra Connect Sync to the cloud‑native Microsoft Entra Cloud Sync to simplify hybrid identity management and strengthen Zero Trust security. This move reduces on‑premises complexity while it improves reliability, security, and day‑to‑day operations. Starting July 2026, customers will be notified of their assigned transition window through the Microsoft 365 Message Center, Microsoft Entra Connect Health, and targeted emails. Phased transitions start with tenants supported by Microsoft Entra Cloud Sync, and expand as capabilities grow. During the transition window, tools and guidance help you assess readiness, migrate, and test. Microsoft Entra Cloud Sync becomes the primary identity synchronization solution, with unchanged hybrid authentication experiences.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Entra transitions SCIM apps from OAuth authorization code grant&lt;/STRONG&gt; – Microsoft Entra transitions System for Cross-domain Identity Management (SCIM) provisioning applications from the OAuth 2.0 Authorization Code grant to modern authentication methods: OAuth 2.0 client credentials or workload identity federation. As the service change rolls out, updated applications prompt customers to reconfigure provisioning jobs and use the more secure options. Some applications that can’t migrate will be retired from the Microsoft Entra app gallery.&lt;/P&gt;
&lt;P&gt;This change improves security, simplifies credential management and rotation, and prepares customers for a more resilient provisioning experience. Customers are advised to not create new provisioning jobs using the Authorization Code grant and instead to &lt;STRONG&gt;monitor upcoming What's New updates for timelines and guidance from the Microsoft Entra team.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;New guidance and information&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://youtu.be/7l5vDNXPY1E?si=13-PKUzi5ekfEplU" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;New video | Build secure verification with Microsoft Entra Verified ID&lt;/STRONG&gt;&lt;/A&gt; - Ever wonder what secure, seamless identity verification looks like? In this video, see the full journey with Microsoft Entra Verified ID. From an organization issuing digital credentials, to individuals presenting and verifying them. Whether you're looking for a quick deployment or a tailor-made solution, Microsoft Entra Verified ID flexes to fit your identity verification requirements.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/id-governance/microsoft-entra-id-governance-licensing-for-guest-users" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Entra ID Governance guest usage monitoring workbook&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;- Administrators can monitor and understand guest user governance activity under the new Monthly Active User (MAU) billing model for Microsoft Entra ID Governance. The workbook has billable governance actions, so admins can track guest usage, forecast costs, and optimize governance posture before billing enforcement. It's located under Identity Governance and Access in Microsoft Entra ID Workbooks.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/troubleshoot-prompt-injection-protection" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Troubleshoot prompt injection protection&amp;nbsp;article&lt;/STRONG&gt;&lt;/A&gt; - This article walks through prompt injection protection policies that help Global Secure Access administrators inspect, and control malicious prompts sent to AI services and reduce the risk of sensitive data exfiltration. It provides steps to validate that policies are applying as expected.&lt;/P&gt;
&lt;H2&gt;Tell us what you think!&lt;/H2&gt;
&lt;P&gt;If you have feedback on this newsletter, fill out the dedicated &lt;A href="https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR3tZ6taaY2dAnA0rWwJeTkRUM1BUWjM5TjI5Sk1HME45TVVYOEdBNkJRNy4u" target="_blank" rel="noopener"&gt;Microsoft Form&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Blogs&lt;/H2&gt;
&lt;P&gt;Check out the latest blog posts on our &lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;Microsoft Entra Blog&lt;/A&gt; and our &lt;A href="https://aka.ms/devblog/ms-entra" target="_blank" rel="noopener"&gt;Microsoft Entra Identity Developer Blog&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;What's new in Microsoft Entra?&lt;/H2&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/entra/fundamentals/whats-new" target="_blank" rel="noopener"&gt;Learn what is new with Microsoft Entra&lt;/A&gt;, such as the latest release notes, known issues, bug fixes, deprecation functionality, and upcoming changes. You can find &lt;A href="https://learn.microsoft.com/entra/fundamentals/whats-new-sovereign-clouds" target="_blank" rel="noopener"&gt;releases specific for Sovereign Clouds&lt;/A&gt; on a dedicated release notes page.&lt;/P&gt;
&lt;H2&gt;Become a certified Microsoft Identity and Access Administrator&lt;/H2&gt;
&lt;P&gt;Check out the &lt;A href="https://learn.microsoft.com/credentials/certifications/exams/sc-300/" target="_blank" rel="noopener"&gt;certification&lt;/A&gt; and related &lt;A href="https://learn.microsoft.com/credentials/certifications/identity-and-access-administrator/" target="_blank" rel="noopener"&gt;training&lt;/A&gt; for the Microsoft Identity and Access Administrator available for customers and partners.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Martin Coetzer&lt;/P&gt;
&lt;P&gt;Principal Product Manager, Identity and Network Access, Customer Experience Engineering (CXE)&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.linkedin.com/company/microsoft-entra" target="_blank"&gt;Microsoft Entra Community | LinkedIn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;⁠&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&amp;nbsp;&lt;/DIV&gt;</description>
      <pubDate>Fri, 08 May 2026 22:03:27 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/what-s-new-in-microsoft-entra-may-2026/ba-p/4517884</guid>
      <dc:creator>Martin_Coetzer</dc:creator>
      <dc:date>2026-05-08T22:03:27Z</dc:date>
    </item>
    <item>
      <title>Passkeys aren’t the finish line: Eliminating fallbacks and fixing recovery</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/passkeys-aren-t-the-finish-line-eliminating-fallbacks-and-fixing/ba-p/3627345</link>
      <description>&lt;P&gt;Every year, World Passkey Day gives us an opportunity to reflect on how far we’ve come in moving beyond passwords—and how much further we still need to go. Billions of accounts are protected by passkeys worldwide. At Microsoft, hundreds of millions of people use passkeys every day. The progress is real.&lt;/P&gt;
&lt;P&gt;But deploying a strong sign-in method isn’t enough if attackers can get around it. According to the Microsoft Digital Defense Report, AI-driven phishing campaigns are achieving click-through rates as high as 54%. Impersonation attacks—deepfakes, SIM swaps, and social engineering of help desks—target the moments when a user isn’t signing in: when they’re locked out, recovering access, or calling IT to prove who they are. In an enterprise where AI agents act autonomously on behalf of users, a compromised identity isn’t just a stolen mailbox—it’s an attacker operating agents and triggering actions at machine speed.&lt;/P&gt;
&lt;P&gt;These attack paths expose three critical gaps that organizations must close.&lt;/P&gt;
&lt;H2&gt;Three gaps attackers exploit&lt;/H2&gt;
&lt;P&gt;Even in an organization that has deployed passkeys, a sophisticated attacker still has options:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Gap 1 · Phishable sign-in methods. &lt;/STRONG&gt;Passwords, SMS codes, push notifications — as long as users sign in with these methods, the sign-in moment remains vulnerable.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Gap 2 · Dormant credentials. &lt;/STRONG&gt;Even after passkeys are deployed, most accounts still have a password or SMS method attached "just in case." The user doesn't use it. The attacker does.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Gap 3 · Weak recovery channels. &lt;/STRONG&gt;Recovery typically means calling a helpdesk and answering knowledge-based questions—information easily available from social media and data breaches. In an era of AI-generated deepfakes, that isn’t verification.&lt;/P&gt;
&lt;P&gt;Here's how we're closing each one.&lt;/P&gt;
&lt;H2&gt;Closing gap 1—passkeys on every platform, for every user&lt;/H2&gt;
&lt;P&gt;Over the past year, synced passkeys have become the default sign-in method for hundreds of millions of Microsoft account users — across every major operating system, device type, and browser. Our consumer users are 3× more successful signing in with passkeys than with legacy methods (95% vs. 30%), and sign-ins are 14× faster compared to password-plus-code MFA. These aren't lab results — that's what we've measured across one of the most diverse, heterogeneous user bases on the internet.&lt;/P&gt;
&lt;P&gt;Our consumer and enterprise identity platforms share a common foundation, so every usability improvement we make for Microsoft account users—registration flows, error handling, cross-device sync—reaches &lt;STRONG&gt;Microsoft Entra ID&lt;/STRONG&gt; and &lt;STRONG&gt;Microsoft Entra External ID&lt;/STRONG&gt; customers too. We’re thrilled to bring these advances to our enterprise customers—for workforce and external users alike.&lt;/P&gt;
&lt;P&gt;Think about what sign-in looks like for most enterprise users right now. Type a password. Switch to your phone. Approve a push notification — or copy an SMS code — then switch back to the browser. On mobile, it's even worse: juggling between an authenticator app and the app you're trying to reach, losing context along the way. Every one of those steps is friction for the user and a phishable surface for an attacker.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/synced-passkey-faq" target="_blank" rel="noopener"&gt;Synced passkeys&lt;/A&gt;—now generally available for external users and already available for workforce users—change that completely. The employee taps a fingerprint or glances at their camera, on any device, and they’re in. Phone, browser, laptop. No password, no code, no app switching. The passkey syncs across devices via iCloud Keychain, Google Password Manager, Microsoft Password Manager or other platform credential managers, so it works wherever they work. The same seamless experience extends to your customers through &lt;STRONG&gt;Microsoft Entra External ID&lt;/STRONG&gt;—passkey sign-in out of the box for customer-facing applications, with no custom integration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Sign in experience with synced passkeys.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;And now, Windows. Contractors, frontline workers, and bring-your-own-device (BYOD) users on unmanaged Windows devices have historically fallen back to passwords and SMS—because managed device enrollment wasn’t practical. With &lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-entra-passkeys-on-windows" target="_blank" rel="noopener"&gt;Microsoft Entra passkeys on Windows&lt;/A&gt;, they create a device-bound passkey using Windows Hello—face, fingerprint, or PIN—directly on their own device. No enrollment. No hardware token to ship.&lt;/P&gt;
&lt;P&gt;General availability is a milestone, not a finish line. We're continuing to invest in making passkeys the default experience — not just an option:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Passkey profiles&lt;/STRONG&gt;— Group-based passkey policies: attestation requirements, passkey type, specific provider selection — applied differently to different user groups.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Passkey-preferred authentication (preview)&lt;/STRONG&gt;— Detects registered methods and prompts the strongest one first. If a passkey is registered, that’s what the user sees immediately.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Passkey profiles for granular admin control.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Synced passkeys are the simplest path for most users — and for high-privilege roles or regulated industries, Microsoft Entra ID continues to support device-bound passkeys, Microsoft Authenticator passkeys, and FIDO2 security keys. With passkey profiles, admins deploy both side by side in the same tenant.&lt;/P&gt;
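&lt;P&gt;The script below is an added example and is not code from the post or from Microsoft. It applies attestation enforcement and an AAGUID allowlist through the tenant-wide FIDO2 authentication method configuration that Microsoft Graph PowerShell already exposes, which is the closest existing control to the passkey profiles described above; group-scoped passkey profiles are the new feature, and their API is not shown on this page, so the script does not use it. Cmdlet names come from the Microsoft.Graph.Identity.SignIns module, and the two AAGUID values are placeholders to replace with identifiers from your security key or passkey provider's published list.&lt;/P&gt;

```powershell
# Added example, not from the blog post: enforce attestation and an AAGUID allowlist via
# the tenant-wide FIDO2 authentication method configuration in Microsoft Graph.
# Assumes module Microsoft.Graph.Identity.SignIns. The AAGUIDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$allowedAaguids = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: replace with an approved key model's AAGUID
    '00000000-0000-0000-0000-000000000002'    # placeholder: second approved model
)

$fido2Policy = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true     # reject registrations whose attestation cannot be verified
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'                # allowlist: only the listed AAGUIDs may register
        aaGuids         = $allowedAaguids
    }
    includeTargets                   = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'fido2' -BodyParameter $fido2Policy

# Read the policy back; the fido2-specific properties arrive in AdditionalProperties.
$applied = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'fido2'
$p = $applied.AdditionalProperties
if (-not $p['isAttestationEnforced']) { throw 'Attestation enforcement did not apply' }
$p['keyRestrictions'] | ConvertTo-Json -Depth 3   # confirm the allowlist is what you intended
```

&lt;P&gt;Because this configuration is tenant-wide, an allowlist of security-key AAGUIDs also blocks registration of synced passkeys from platform credential managers for every user in the include target. That all-or-nothing behaviour is the gap passkey profiles close by letting the restriction apply only to the high-privilege group while everyone else keeps synced passkeys.&lt;/P&gt;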
&lt;H2&gt;Close the fallback gap—and the recovery gap it reveals&lt;/H2&gt;
&lt;P&gt;Deploying passkeys improves sign-in. But most accounts still have a password or SMS method attached “just in case”—and as long as those credentials exist, they’re an attack surface. Admins can now remove phishable credentials from user accounts entirely. At Microsoft, we’ve rolled out phishing-resistant authentication to 99.9% of our users and devices, eliminating weaker methods from our own accounts.&lt;/P&gt;
&lt;P&gt;⚠️ Deprecation notice: &lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-security-questions" target="_blank" rel="noopener"&gt;Security questions for password reset in Microsoft Entra ID will be deprecated starting March 2027&lt;/A&gt;. If your organization still uses knowledge-based recovery, now is the time to migrate to high-assurance account recovery.&lt;/P&gt;
&lt;P&gt;Removing phishable credentials is the right move—but it raises an important question. Synced passkeys handle the most common lockout scenario by design: lose one device, your passkey is still on your other devices. But device-bound passkey users—including those on FIDO2 security keys and Windows Hello—don’t get cross-device sync. And for any user who loses all their credentials, recovery today still means helpdesk calls, temporary passwords, and knowledge-based questions that are easily guessable. That’s the weakest link.&lt;/P&gt;
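&lt;P&gt;As an added example (not code from the post), the script below uses Microsoft Graph PowerShell to inventory every user's registered methods, classify them as phishing-resistant or phishable, and remove the phishable fallbacks only for users who already hold at least two phishing-resistant methods. That gate is what keeps a device-bound passkey user from becoming a helpdesk recovery case the moment one device is lost. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules and an account holding the UserAuthenticationMethod.ReadWrite.All permission. The password method is reported but not removed, since the page does not identify the API for that step.&lt;/P&gt;

```powershell
# Added example, not from the blog post: audit and (optionally) remove phishable
# fallback methods with Microsoft Graph PowerShell. Report-only unless -Remove is given.
# Assumes modules Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns.
param(
    [switch]$Remove
)

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# Method types as Graph reports them in the '@odata.type' property.
$PhishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',                    # passkeys and security keys
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.platformCredentialAuthenticationMethod'        # macOS Platform SSO credential
)
$Phishable = @(
    '#microsoft.graph.phoneAuthenticationMethod',                    # SMS and voice
    '#microsoft.graph.emailAuthenticationMethod',                    # SSPR e-mail
    '#microsoft.graph.softwareOathAuthenticationMethod',             # TOTP
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'    # push notification
)

function Remove-PhishableMethod {
    param($UserId, $Method)
    $id = $Method.Id
    switch ($Method.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $id }
    }
}

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    $strong = @($types   | Where-Object { $PhishingResistant -contains $_ })
    $weak   = @($methods | Where-Object { $Phishable -contains $_.AdditionalProperties['@odata.type'] })

    # Gate: a user needs two phishing-resistant methods before fallbacks go. With only one
    # device-bound passkey, losing that device would send them straight to account recovery.
    $safeToRemove = $strong.Count -ge 2

    if ($Remove -and $safeToRemove) {
        foreach ($m in $weak) { Remove-PhishableMethod -UserId $user.Id -Method $m }
    }

    [pscustomobject]@{
        User               = $user.UserPrincipalName
        PhishingResistant  = $strong.Count
        PhishableFallbacks = $weak.Count
        HasPassword        = ($types -contains '#microsoft.graph.passwordAuthenticationMethod')
        Action             = $(if ($strong.Count -eq 0) { 'register a passkey first' }
                               elseif (-not $safeToRemove) { 'add a second passkey, then remove fallbacks' }
                               elseif ($Remove) { 'fallbacks removed' }
                               else { 'safe to remove fallbacks' })
    }
}

$report | Sort-Object PhishingResistant, User | Format-Table -AutoSize
```

&lt;P&gt;Run it without -Remove first and review the Action column. Users with zero phishing-resistant methods need a passkey registered before any fallback is touched; removing their SMS method first would simply lock them out into the recovery path the post calls the weakest link.&lt;/P&gt;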
&lt;H2&gt;Reduce impersonation—verified account recovery&lt;/H2&gt;
&lt;P&gt;Picture what happens when an employee gets locked out. They call the helpdesk, wait on hold, answer questions an attacker could guess from a LinkedIn profile, and eventually receive a temporary password—which they then have to change immediately. Twenty to thirty minutes: frustrating for the user, expensive for the organization, and vulnerable to social engineering.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-account-recovery-overview" target="_blank" rel="noopener"&gt;Microsoft Entra ID account recovery&lt;/A&gt;—now generally available—replaces all of that. The employee opens any browser, selects “Recover my account,” scans their driver’s license, takes a quick selfie, and registers a new passkey—all in minutes, without a phone call, and with controls that are harder to spoof. Since preview, we’ve expanded identity verification (IDV) provider coverage, added recovery profiles for regional compliance, and refined the end-user flow based on customer feedback across 192+ countries.&lt;/P&gt;
&lt;P&gt;As NIST recommends, high-assurance recovery requires government-issued ID and biometric verification. We've made it simple — setup takes minutes, not months:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Verify identity with a government-issued ID — driver's license, passport, or other supported document&lt;/LI&gt;
&lt;LI&gt;Complete a live face check—&lt;STRONG&gt;Face Check&lt;/STRONG&gt; in &lt;STRONG&gt;Microsoft Entra Verified ID&lt;/STRONG&gt;, powered by Azure AI, matches a real-time selfie with the photo on the identity document&lt;/LI&gt;
&lt;LI&gt;Match verified attributes against the organization's directory and HR system via custom authentication extensions&lt;/LI&gt;
&lt;LI&gt;Register a synced passkey immediately — so the user is protected going forward&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Only the match result is shared — never the sensitive identity data itself. Privacy is preserved. And this is what makes removing phishable fallbacks safe: the recovery channel is now harder to compromise than the primary authentication.&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Account recovery user flow.&lt;/EM&gt;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;Ericsson&lt;/U&gt;&lt;/STRONG&gt;: &lt;EM&gt;Phishing-resistant MFA is one of those rare opportunities that strengthens security while simultaneously improving the employee experience. Ericsson has been at the forefront of this journey since 2020, early adopting Microsoft’s passwordless technologies—what we today refer to as passkeys or phishing-resistant MFA. Our approach has been to seamlessly integrate passkeys into managed user devices, such as Windows Hello for Business and passkeys in Microsoft Authenticator, complemented by FIDO2 security keys (YubiKey 5-series) for high-risk and privileged use cases—delivering strong protection with simplicity and peace of mind for users.&lt;/EM&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H3&gt;Easy to set up, flexible by design&lt;/H3&gt;
&lt;P&gt;Admins configure recovery in a few steps: choose an IDV provider from the &lt;STRONG&gt;Microsoft Security Store&lt;/STRONG&gt;, assign user groups, and optionally match verified attributes against HR data via custom authentication extensions. You can simulate the entire flow before activating it for production. Just like passkey profiles, account recovery profiles let admins assign different IDV providers by region or country to meet local regulatory requirements.&lt;/P&gt;
&lt;P&gt;Through the &lt;STRONG&gt;Microsoft Security Store&lt;/STRONG&gt;, customers can choose from leading IDV providers—Au10tix, IDEMIA, TrueCredential (LexisNexis), 1Kosmos, and CLEAR1—without custom business contracts or bespoke integrations. These providers cover most government-issued ID documents across 192+ countries.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Bringing it all together&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;The gap&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Before&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What's better now&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Phishable sign-in&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Passwords, SMS codes, app-switching, push fatigue&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Synced passkeys — one biometric tap, on any device&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Dormant credentials&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Passwords and SMS sit on accounts "just in case"&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Phishable credential removal — admins eliminate every weak method&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Weak recovery&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Helpdesk calls, security questions, temporary passwords&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Verified account recovery — government ID + live face check, self-service in minutes&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Each capability is valuable on its own. Together, they close the entire credential lifecycle — not just the sign-in moment, but everything before and after.&lt;/P&gt;
&lt;H2&gt;Licensing and availability&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Capability&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Availability&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Synced passkeys in Microsoft Entra ID&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Included for all Microsoft Entra ID customers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Passkeys in Microsoft Entra External ID&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Included with Entra External ID&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Microsoft Entra passkeys on Windows&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Included for all Microsoft Entra ID customers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Passkey profiles&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Included for all Microsoft Entra ID customers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Passkey-preferred authentication&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Preview — included for all Microsoft Entra ID customers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Microsoft Entra ID account recovery&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Included with Microsoft Entra ID P1 license&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Microsoft Entra Verified ID (Face Check)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Available as an add-on per verification, or as part of Microsoft Entra Suite&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Government ID verification&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Pay-per-verification via Microsoft Security Store&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2&gt;Get started&lt;/H2&gt;
&lt;P&gt;We've been on this journey together — from introducing these capabilities at Ignite 2025, to the general availability we're announcing today. Tens of thousands of organizations helped shape these experiences during preview.&lt;/P&gt;
&lt;P&gt;Passkeys make sign-in faster and phishing-resistant. Verified identity makes recovery self-service and far harder to impersonate than a helpdesk call. Credential removal closes the fallback gap. Together, they take the phishable fallbacks and guessable recovery questions that attackers target out of the credential lifecycle.&lt;/P&gt;
&lt;P&gt;This matters even more as AI reshapes how work gets done. Every agent that acts on behalf of a user, every automated workflow that touches sensitive data, every copilot that executes a decision — all of it traces back to an identity. The person using, developing, and managing these agents must be securely verified. Passkeys and verified recovery ensure that identity is genuine, from sign-in to recovery. That's the foundation safe AI is built on.&lt;/P&gt;
&lt;P&gt;And we're just getting started.&lt;/P&gt;
&lt;P&gt;We love hearing from you — share your feedback and let us know how it's going.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Ankur&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.linkedin.com/in/4ankurpatel/" target="_blank" rel="noopener"&gt;Ankur Patel | LinkedIn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passkeys-fido2" target="_blank" rel="noopener"&gt;Enable passkeys for your organization&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-account-recovery-overview" target="_blank" rel="noopener"&gt;Enable high-assurance account recovery&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-deploy-phishing-resistant-passwordless-authentication" target="_blank" rel="noopener"&gt;Passwordless deployment guide&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra/bd-p/Azure-Active-Directory" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 May 2026 16:28:47 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/passkeys-aren-t-the-finish-line-eliminating-fallbacks-and-fixing/ba-p/3627345</guid>
      <dc:creator>AnkurPatel</dc:creator>
      <dc:date>2026-05-07T16:28:47Z</dc:date>
    </item>
    <item>
      <title>Build a secure identity foundation: 5 webinars to strengthen access management with Microsoft Entra</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/build-a-secure-identity-foundation-5-webinars-to-strengthen/ba-p/4515965</link>
      <description>&lt;P&gt;To avoid gaps in protection, organizations need to fully deploy and scale core identity protections–from phishing-resistant authentication to Conditional Access policies to risk remediation and resiliency–across cloud and hybrid deployments.&lt;/P&gt;
&lt;P&gt;That’s why we’re launching the &lt;STRONG&gt;Secure identity foundation with Microsoft Entra&lt;/STRONG&gt; series: a five-part webinar lineup focused on implementing these core identity capabilities across Microsoft Entra.&lt;/P&gt;
&lt;P&gt;Think of this series as a guided path to building secure foundations, identifying quick wins, and applying repeatable patterns across your identity environment. Across five sessions, Microsoft experts share practical implementation guidance to help teams strengthen access strategies, improve visibility across tenant environments, and apply identity security controls across users, applications, and workloads.&lt;/P&gt;
&lt;H2&gt;Moving off passwords in Microsoft Entra ID: Deployment guidance&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;May 7, 2026&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Malak Moussa, Senior Customer Experience Tech SME&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This session delivers a hands-on walkthrough of deploying phishing-resistant, passwordless authentication in Microsoft Entra ID. Led by a Customer Experience Engineering subject matter expert, we’ll demonstrate real-world implementation in a live tenant—covering passkey rollout, policy configuration, and securing both sign-in and recovery flows. Attendees will leave with clear deployment steps and the opportunity to engage directly with an expert during live Q&amp;amp;A chat.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learning.eventbuilder.com/events/11f131f7d57c43d0b9b3d13eec082789" target="_blank" rel="noopener"&gt;Register now&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Strengthen your security posture with Microsoft Entra Conditional Access&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;June 8, 2026&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Swaroop Krishnamurthy, Principal Product Manager; Danielle Augustin, Product Marketing Manager&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;In this session, learn how Microsoft Entra Conditional Access—our Microsoft Zero Trust policy engine—protects access for workforce users and agents by enforcing real-time, adaptive access policies that continuously assess risk signals and use AI-driven automation to dynamically allow, challenge, or block access for every identity. Join Microsoft experts as they walk through real-world scenarios and share practical guidance to help your identity team address policy sprawl, enforce consistent Conditional Access policies, and strengthen security posture across your environment.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/strengthen-your-security-posture-with-microsoft-entra-conditional-access/4514237" target="_blank" rel="noopener"&gt;Register now&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Stop identity attacks in real-time with Microsoft Entra ID Protection&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;June 17, 2026&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Anna Qi, Senior Product Marketing Manager; Jared Ross, Principal Product Architect&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;In this session, learn how &lt;STRONG&gt;Microsoft Entra ID Protection&lt;/STRONG&gt; delivers &lt;A href="https://aka.ms/IDProtectionReport" target="_blank" rel="noopener"&gt;premium, real-time protection&lt;/A&gt; with adaptive risk remediation, comprehensive detections, and expanded coverage for human and non-human identities. Join us to learn how identity and security operations teams scale risk remediation with Entra ID, and how these capabilities extend across your broader identity security portfolio—natively integrated with Microsoft Defender and Security Copilot—to strengthen protection in both cloud and hybrid environments.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/stop-identity-attacks-in-real-time-with-microsoft-entra-id-protection/4514242" target="_blank" rel="noopener"&gt;Register now&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Protect and govern every tenant with Microsoft Entra Tenant Governance&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;July 1, 2026&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Cindy Crane, Principal Product Manager&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;As organizations scale, tenant sprawl becomes inevitable. This session introduces &lt;STRONG&gt;Microsoft Entra Tenant Governance&lt;/STRONG&gt;, a new Entra capability that provides centralized visibility and control across multi-tenant environments. We’ll cover how Tenant Governance enables tenant discovery, secure governance relationships, configuration monitoring, and governed tenant creation from day one. Walk away with a clear framework for bringing order, visibility, and governance to your multi-tenant identity landscape.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/protect-and-govern-every-tenant-with-microsoft-entra-tenant-governance/4514244" target="_blank" rel="noopener"&gt;Register now&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Recover with confidence using Microsoft Entra Backup and Recovery&lt;/H2&gt;
&lt;P&gt;&lt;EM&gt;Danielle Augustin, Product Marketing Manager; Yuan Karppanen, Principal Product Manager&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Accidental changes and security compromises can quickly cascade across your tenant. Learn how to recover with confidence using Microsoft Entra Backup and Recovery.&lt;/P&gt;
&lt;P&gt;Tune in to see how this Microsoft-managed, always-on solution helps minimize downtime and protects your tenant by enabling rapid recovery of critical identity data. We will walk through how automated backups, Difference Reports, and recovery workflows help you return to a known good state. Whether you work in identity, security, or IT operations, you will leave with practical guidance and a clear checklist to strengthen identity resilience in your organization.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/recover-with-confidence-using-microsoft-entra-backup-and-recovery/4504269" target="_blank" rel="noopener"&gt;Watch on demand&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Whether you’re modernizing access, reducing identity risk, or operationalizing Zero Trust, this series gives you a clear path to stronger protection.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Melanie Maynes&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication" target="_blank" rel="noopener"&gt;Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID …&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/evolving-identity-security-how-the-conditional-access-optimization-agent-helps-y/4488927" target="_blank" rel="noopener"&gt;Evolving identity security: How the Conditional Access Optimization Agent helps you adapt | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/?msockid=07579b4cf13d6f2502f68809f53d6132" target="_blank" rel="noopener"&gt;Identity security is the new pressure point for modern cyberattacks | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-tenant-governance-secure-and-manage-multi-tenant-environments-at/4462427" target="_blank" rel="noopener"&gt;Microsoft Entra Tenant Governance: Secure and Manage Multi-Tenant Environments at Scale&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/strengthen-identity-resilience-recover-with-confidence-using-microsoft-entra-bac/4462426" target="_blank" rel="noopener"&gt;Strengthen Identity Resilience: Recover with Confidence using Microsoft Entra Backup and Recovery&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community&amp;nbsp;" data-lia-auto-title-active="0"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 11 May 2026 16:59:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/build-a-secure-identity-foundation-5-webinars-to-strengthen/ba-p/4515965</guid>
      <dc:creator>Melanie_Maynes</dc:creator>
      <dc:date>2026-05-11T16:59:28Z</dc:date>
    </item>
    <item>
      <title>Lock down AI, web, and private apps: what’s new in Internet Access and Private Access</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/lock-down-ai-web-and-private-apps-what-s-new-in-internet-access/ba-p/3847825</link>
      <description>&lt;P&gt;&lt;SPAN data-teams="true"&gt;One theme is crystal clear across the security industry&lt;/SPAN&gt;: AI is transforming security, and security must transform with it. Organizations everywhere are embracing generative AI to boost productivity and accelerate innovation. But with this rapid adoption comes new challenges that security teams can’t ignore:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Which AI tools are your employees using?&lt;/LI&gt;
&lt;LI&gt;Is sensitive data being uploaded to unsanctioned services?&lt;/LI&gt;
&lt;LI&gt;How do you prevent AI-specific attacks like prompt injection?&lt;/LI&gt;
&lt;LI&gt;How do you secure private apps without slowing down users?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These aren’t hypothetical questions. They’re the reality for every organization today. And the answer starts with &lt;STRONG&gt;identity&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H2&gt;Identity: The foundation for AI and app security&lt;/H2&gt;
&lt;P&gt;Traditional network security was built for a time when users, devices, and applications were mostly on-premises and predictable. Today, employees work from anywhere on any device, and generative AI and SaaS apps often sit outside the corporate perimeter. Static controls struggle to keep pace, creating gaps that increase risk.&lt;/P&gt;
&lt;P&gt;That’s why we built &lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-internet-access" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Entra Internet Access&lt;/STRONG&gt;&lt;/A&gt; and &lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-private-access" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Entra Private Access&lt;/STRONG&gt;&lt;/A&gt; within the Global Secure Access platform. These solutions extend &lt;STRONG&gt;Zero Trust protections&lt;/STRONG&gt; to web, SaaS, AI, and private-app traffic. They provide the visibility and control organizations need to embrace AI and hybrid work with confidence—without slowing innovation.&lt;/P&gt;
&lt;P&gt;A key capability of Microsoft Entra Internet Access is the &lt;STRONG&gt;Secure Web and AI Gateway&lt;/STRONG&gt;, which applies identity-centric network controls to web and AI traffic. Identity-based network security ties access decisions to the user’s sign-in risk, device posture, and data sensitivity—not just an IP address or network location. This approach delivers consistent protection everywhere users work, reduces risk, and helps organizations scale AI adoption securely across the enterprise.&lt;/P&gt;
&lt;P&gt;Late last year, we introduced most of the capabilities in &lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/securing-the-ai-era-starts-with-identity/4478952" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;public preview&lt;/STRONG&gt;&lt;/A&gt; at Microsoft Ignite. Today, we’re excited to share the latest features now generally available in Microsoft Entra Internet Access and Private Access and to announce brand-new capabilities in public preview.&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 1: Microsoft’s identity-centric Secure Access Service Edge (SASE) solution.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;Public preview: More flexibility for diverse environments&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;Microsoft Entra Internet Access &amp;amp; Microsoft Entra Private Access&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;We’re introducing new capabilities in public preview, giving you more options to secure every scenario:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/concept-bring-your-own-device" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;BYOD with client&lt;/STRONG&gt;&lt;/A&gt; in Microsoft Entra Private Access lets you enforce Zero Trust for unmanaged devices, so employees and contractors can securely access private apps without compromising security or user experience.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/concept-explicit-forward-proxy" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Explicit Forward Proxy for Microsoft Entra Internet Access&lt;/STRONG&gt;&lt;/A&gt;&amp;nbsp;&amp;nbsp; extends secure web access to agentless and legacy devices using PAC file-based proxy configuration.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-configure-explicit-forward-proxy-intune-policy" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Secure Browser Integra&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;tion&lt;/STRONG&gt;&lt;STRONG&gt; &lt;/STRONG&gt;enables Intune-managed Microsoft Edge to route internet traffic through Microsoft Entra Internet Access using Explicit Forward Proxy with TLS termination and inspection, delivering deep visibility and policy enforcement for secure browsing.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-view-model-context-protocol-logging" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Shadow MCP visibility&lt;/STRONG&gt;&lt;/A&gt; identifies unauthorized or high‑risk MCP servers on the network traffic and surfaces MCP data paths, logs, and observability to help monitor and manage AI‑related risk.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These new features help you reduce risk across every device type, simplify deployment, and deliver consistent protection everywhere.&lt;/P&gt;
&lt;H3&gt;Now generally available: New AI security capabilities&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;Microsoft Entra Internet Access&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;AI adoption is accelerating, but so are the risks. Employees often experiment with AI tools without IT approval, creating compliance and data security gaps. With Microsoft Entra Internet Access, you can see what is happening, protect what matters, and simplify how you manage it all.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/overview-application-usage-analytics" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Shadow AI discovery&lt;/STRONG&gt;&lt;/A&gt; gives you visibility into unsanctioned AI tools and SaaS apps so you can uncover unknown risks and make informed decisions before enforcing policy.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-ai-prompt-injection-protection" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Prompt Injection Protection&lt;/STRONG&gt;&lt;/A&gt; helps block malicious prompts that could trick AI models into exposing sensitive data, reducing AI-specific attack risk without slowing innovation.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-network-content-filtering" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Network content filtering&lt;/STRONG&gt;&lt;/A&gt; prevents sensitive files from being uploaded to unsanctioned AI services, reducing compliance risk and data loss.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-web-content-filtering" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;URL filtering&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;and &lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-threat-intelligence" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;threat intelligence&lt;/STRONG&gt;&lt;/A&gt; block access to risky or malicious sites, enforce acceptable use policies, and reduce data leakage.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-cloud-firewall" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Cloud firewall&lt;/STRONG&gt; &lt;STRONG&gt;for remote networks&lt;/STRONG&gt;&lt;/A&gt; provides advanced network-layer protection for traffic from remote sites, enabling granular policy enforcement and reducing exposure to threats.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-ios-client" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;iOS support&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;and&lt;STRONG&gt; &lt;/STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-create-remote-networks?tabs=microsoft-entra-admin-center" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;remote network connectivity&lt;/STRONG&gt;&lt;/A&gt; extend protection everywhere your users work.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The result is simple. Your teams can use AI tools to work smarter while you maintain control and reduce risk without introducing friction.&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure2: Demo of prompt injection protection.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;Now generally available: New capabilities for modernizing app connectivity&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;Microsoft Entra Private Access&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;While Internet Access secures your web and AI traffic, &lt;STRONG&gt;Microsoft Entra Private Access&lt;/STRONG&gt; helps you replace legacy VPNs with Zero Trust Network Access for private apps:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/concept-external-user-access" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;External User Access &lt;/STRONG&gt;&lt;/A&gt;enforces Zero Trust for partners and contractors, simplifying onboarding while maintaining strong security.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/global-secure-access/enable-intelligent-local-access" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Intelligent Local Access&lt;/STRONG&gt;&lt;/A&gt; improves user experience by routing traffic efficiently, reducing latency, and delivering consistent security without unnecessary backhauling.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The result is a better experience for users and simpler operations for your IT teams.&lt;/P&gt;
&lt;H2&gt;Ready to secure AI and modernize identity?&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="http://aka.ms/EntraWebinarSeries" target="_blank" rel="noopener"&gt;Watch the Microsoft Entra Showcase webinar&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Watch the &lt;A href="https://www.youtube.com/watch?v=LaDSrwAOszQ" target="_blank" rel="noopener"&gt;Microsoft Entra Mechanics video&lt;/A&gt; for a deep dive into AI-aware protections&lt;/LI&gt;
&lt;LI&gt;Start your journey today: &lt;A href="https://techcommunity.microsoft.com/t5/aka.ms/EntraSuiteTrial" target="_blank" rel="noopener"&gt;Entra Suite Trial&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;-Sinead O’Donovan | VP of Product Management, Identity and Network Access&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.linkedin.com/in/sineadco/" target="_blank" rel="noopener"&gt;Sinead O'Donovan | LinkedIn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/securing-the-ai-era-starts-with-identity/4478952" target="_blank" rel="noopener"&gt;Securing the AI era starts with identity&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-internet-access" target="_blank" rel="noopener"&gt;Microsoft Entra Internet Access | Microsoft Security&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-private-access" target="_blank" rel="noopener"&gt;https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-private-access&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-forum" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community&amp;nbsp;" data-lia-auto-title-active="0"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 05 May 2026 02:15:47 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/lock-down-ai-web-and-private-apps-what-s-new-in-internet-access/ba-p/3847825</guid>
      <dc:creator>Sinead_ODonovan</dc:creator>
      <dc:date>2026-05-05T02:15:47Z</dc:date>
    </item>
    <item>
      <title>SASE 101: How to get started with secure access in a cloud-first world</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/sase-101-how-to-get-started-with-secure-access-in-a-cloud-first/ba-p/4516005</link>
      <description>&lt;P&gt;As organizations adopt cloud applications, hybrid work, and distributed teams, many are re-evaluating how users securely access applications and data. &lt;STRONG&gt;Secure Access Service Edge (SASE)&lt;/STRONG&gt; has become a common starting point for these conversations, but for many teams, understanding where to begin can feel unclear.&lt;/P&gt;
&lt;P&gt;This article provides a practical foundation for teams learning about SASE for the first time. It explains what SASE is, why it emerged, how it differs from Security Service Edge (SSE), and how organizations can use SASE as a modern framework for secure access. The goal is to build shared understanding before diving into tools or technical decisions.&lt;/P&gt;
&lt;H2&gt;What is SASE?&lt;/H2&gt;
&lt;P&gt;Secure Access Service Edge (SASE) is a &lt;STRONG&gt;cloud-delivered approach&lt;/STRONG&gt; that combines networking and security capabilities into a unified access model.&lt;/P&gt;
&lt;P&gt;Instead of relying on centralized data centers and fixed network perimeters, SASE delivers secure access closer to users and applications, using cloud services to apply policy close to where most users are located.&lt;/P&gt;
&lt;P&gt;At a foundational level, SASE shifts access and security from being &lt;STRONG&gt;network-centric&lt;/STRONG&gt; to &lt;STRONG&gt;identity-centric&lt;/STRONG&gt;. This is why SASE is often discussed early in security modernization efforts that also include Zero Trust.&lt;/P&gt;
&lt;H2&gt;Why SASE is often a starting point&lt;/H2&gt;
&lt;P&gt;Many organizations begin exploring SASE because existing models no longer match how work happens today.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Traditional assumptions:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Users worked primarily from corporate offices&lt;/LI&gt;
&lt;LI&gt;Applications lived inside data centers&lt;/LI&gt;
&lt;LI&gt;Network location determined trust&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Today’s reality:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Employees work remotely or in hybrid models&lt;/LI&gt;
&lt;LI&gt;Applications live across multiple clouds and SaaS platforms&lt;/LI&gt;
&lt;LI&gt;Contractors and partners require controlled access&lt;/LI&gt;
&lt;LI&gt;Devices connect from many different networks&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;SASE provides a way to align secure access with these realities, making it a natural entry point for organizations looking to modernize without immediately restructuring their entire environment.&lt;/P&gt;
&lt;H2&gt;Core concepts to understand when getting started with SASE&lt;/H2&gt;
&lt;P&gt;SASE is not a single technology or deployment. It is a &lt;STRONG&gt;framework&lt;/STRONG&gt; made up of several core ideas:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Cloud-Delivered Networking&lt;/STRONG&gt;&lt;BR /&gt;Connectivity adapts to where users and applications are located rather than forcing traffic through fixed sites.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Integrated Security Controls&lt;/STRONG&gt;&lt;BR /&gt;Security inspection and enforcement are applied consistently across users, devices, and destinations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Identity-Aware Access&lt;/STRONG&gt;&lt;BR /&gt;Access decisions are based on who the user is and the context of the request, not the network they are coming from.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Globally Distributed Delivery&lt;/STRONG&gt;&lt;BR /&gt;Services are delivered through cloud infrastructure that operates close to users around the world.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Understanding these concepts early helps teams define what SASE means for their environment before evaluating vendors or technologies.&lt;/P&gt;
&lt;H2&gt;How SASE fits with Zero Trust&lt;/H2&gt;
&lt;P&gt;SASE is closely aligned with &lt;STRONG&gt;Zero Trust principles&lt;/STRONG&gt;, which require continuous verification of access requests and avoid relying on implicit trust.&lt;/P&gt;
&lt;P&gt;Rather than replacing Zero Trust, SASE provides a scalable architecture for supporting it in distributed, &lt;STRONG&gt;cloud-first&lt;/STRONG&gt; environments. It helps enforce &lt;STRONG&gt;identity-based&lt;/STRONG&gt; access and apply consistent security policies regardless of user or application location.&lt;/P&gt;
&lt;P&gt;For many organizations, SASE is a practical way to begin operationalizing Zero Trust for real-world access scenarios.&lt;/P&gt;
&lt;H2&gt;SASE vs. SSE: An important early distinction&lt;/H2&gt;
&lt;P&gt;When getting started with SASE, teams often encounter the related term &lt;STRONG&gt;Security Service Edge (SSE)&lt;/STRONG&gt;. Understanding the distinction helps clarify scope and expectations.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What Is SSE (Security Service Edge)?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;SSE is a&amp;nbsp;&lt;STRONG&gt;cloud-delivered&lt;/STRONG&gt; security model focused specifically on protecting user access to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The web&lt;/LI&gt;
&lt;LI&gt;Cloud and SaaS applications&lt;/LI&gt;
&lt;LI&gt;Private applications&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;SSE concentrates on security controls and policy enforcement. It does not address network optimization or routing.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;How SASE and SSE Are Related:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;SASE&lt;/STRONG&gt; is the broader architecture that combines networking and security.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SSE&lt;/STRONG&gt; represents the security portion of SASE.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In other words, SSE is a subset of SASE. Many organizations begin their modernization journey with SSE because it allows them to improve user access security before making broader networking changes.&lt;/P&gt;
&lt;H2&gt;Using scenarios to build early understanding&lt;/H2&gt;
&lt;P&gt;When first learning about SASE, scenarios often help bring the concepts to life. For example:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A remote employee securely accesses applications without routing traffic through a corporate office.&lt;/LI&gt;
&lt;LI&gt;A contractor receives limited, identity-based access without joining the internal network.&lt;/LI&gt;
&lt;LI&gt;A branch office connects directly to cloud services without relying on complex on-premises infrastructure.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These examples illustrate the outcomes that SASE helps enable, which helps teams evaluate alignment with their needs.&lt;/P&gt;
&lt;H2&gt;Who should be involved when getting started with SASE?&lt;/H2&gt;
&lt;P&gt;SASE discussions often involve multiple roles, even in early conversations:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;IT leaders&lt;/STRONG&gt; evaluating future access models&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Security teams&lt;/STRONG&gt; supporting Zero Trust initiatives&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Network professionals&lt;/STRONG&gt; adapting connectivity to cloud delivery&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Business leaders&lt;/STRONG&gt; focused on reducing complexity and risk&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Because SASE spans both networking and security, early alignment across these teams often determines long-term success.&lt;/P&gt;
&lt;H2&gt;How to get started with Microsoft Global Secure Access&lt;/H2&gt;
&lt;P&gt;Microsoft Global Secure Access helps organizations begin their SASE journey by delivering &lt;STRONG&gt;identity-aware&lt;/STRONG&gt;, &lt;STRONG&gt;cloud-delivered&lt;/STRONG&gt; access controls. Here’s how to start:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Deploy the traffic forwarding client&lt;/STRONG&gt; to route user traffic through Microsoft’s global network for policy enforcement.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Apply Conditional Access policies&lt;/STRONG&gt; to enforce identity-based access decisions.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Enable shadow AI visibility&lt;/STRONG&gt; to monitor and control unsanctioned app usage.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These steps help organizations operationalize Zero Trust principles while building toward a full SASE architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://demos.microsoft.com/app/present/3070#/0/0" target="_blank" rel="noopener"&gt;See Microsoft Global Secure Access in action&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Getting started means building the right foundation&lt;/H2&gt;
&lt;P&gt;Getting started with SASE does not begin with tools or deployments. It begins with a shared understanding. SASE provides a way to think about secure access that is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Cloud-based&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Identity-driven&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Consistent across users and locations&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For organizations navigating hybrid work and cloud adoption, understanding SASE concepts early helps create a foundation for designing secure access strategies that scale with the business.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Next Steps&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Explore &lt;A href="https://learn.microsoft.com/entra/global-secure-access" target="_blank" rel="noopener"&gt;Microsoft Global Secure Access documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Take the &lt;A href="https://learn.microsoft.com/training/paths/zero-trust/" target="_blank" rel="noopener"&gt;Microsoft Learn Zero Trust modules&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Read related blogs on &lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/bg-p/MicrosoftEntraBlog" target="_blank" rel="noopener"&gt;modern identity security strategies&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;-Sule Tatar, Senior Product Marketing Manager&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/security-101/what-is-sase" target="_blank" rel="noopener"&gt;What Is Secure Access Service Edge (SASE)? | Microsoft Security&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/identity-and-network-security-practitioner-webinar-series/4448759" target="_blank" rel="noopener"&gt;Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/replace-your-vpn-%E2%80%94-global-secure-access-in-microsoft-entra/4473004" target="_blank" rel="noopener"&gt;Replace your VPN — Global Secure Access in Microsoft Entra | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community&amp;nbsp;" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 06 May 2026 16:51:38 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/sase-101-how-to-get-started-with-secure-access-in-a-cloud-first/ba-p/4516005</guid>
      <dc:creator>SuleTatar</dc:creator>
      <dc:date>2026-05-06T16:51:38Z</dc:date>
    </item>
    <item>
      <title>You can’t govern what you can’t see: Closing the identity visibility gap for apps</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/you-can-t-govern-what-you-can-t-see-closing-the-identity/ba-p/4507464</link>
      <description>&lt;P&gt;Effective identity governance often starts with a simple question:&amp;nbsp;&lt;STRONG&gt;who has access?&lt;/STRONG&gt; Today, I am happy to introduce &lt;A href="https://aka.ms/accountDiscoveryDocumentation" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;account discovery&lt;/STRONG&gt;&lt;/A&gt; &lt;STRONG&gt;with&lt;/STRONG&gt; &lt;A href="https://learn.microsoft.com/entra/id-governance/identity-governance-overview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Entra ID Governance&lt;/STRONG&gt;&lt;/A&gt;, a new capability designed to close this visibility gap from day one.&lt;/P&gt;
&lt;P&gt;As organizations connect SaaS and on-premises applications to Microsoft Entra, they unlock critical identity governance capabilities. But applications are rarely greenfield. By the time an app is connected, it already contains users and permissions that were created outside modern governance workflows.&lt;/P&gt;
&lt;P&gt;Account Discovery brings those existing accounts into view so teams can act on them with confidence. When you run a discovery, Microsoft Entra connects directly to the target application and retrieves the full list of user accounts and their properties. Each account is then evaluated against your Microsoft Entra directory using configurable matching attributes such as user principal name or email address. The service also checks whether matched users are already assigned to the enterprise application in Entra.&lt;/P&gt;
&lt;P&gt;The result is a clear, actionable discovery report that shows exactly where governance is strong and where gaps still exist.&lt;/P&gt;
&lt;P&gt;Why does this matter? Applications often contain access that was created manually, migrated from legacy systems, or provisioned directly—without consistent ownership or policy. Former employees can retain access. Service accounts can accumulate without owners. Local accounts can bypass MFA and Conditional Access entirely. These are not edge cases. Our latest &lt;A class="lia-external-url" href="http://aka.ms/SecureAccessReport" target="_blank" rel="noopener"&gt;Secure Access&lt;/A&gt; research found that 97% of organizations experienced an identity or access-related incident in the past year, and 22% of those had direct business impact. One of the most persistent contributors is fragmented access environments that limit visibility and slow response when risk emerges.&lt;/P&gt;
&lt;H3&gt;How account discovery classifies application accounts&lt;/H3&gt;
&lt;P&gt;Every account returned from a discovery run is placed into one of three categories:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Matched and assigned&lt;/STRONG&gt;: The user exists in Microsoft Entra and is assigned to the application. These accounts are already governed and subject to your existing access controls.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Matched but unassigned&lt;/STRONG&gt;: The user exists in Microsoft Entra but is not assigned to the application. Access exists directly in the application, outside of Entra governance controls such as Conditional Access, access reviews, and lifecycle policies.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Orphaned or local accounts&lt;/STRONG&gt;: No matching identity is found in Microsoft Entra. These accounts exist only in the application and have no corporate identity association.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This classification gives identity teams immediate visibility into the true access state of an application. More importantly, it provides a clear path forward. Govern what is already aligned. Bring unassigned users under policy. Investigate or remove orphaned accounts that introduce unnecessary risk.&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Discover identities (Preview).&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;A real‑world example: Gaining visibility into Salesforce with account discovery&lt;/H2&gt;
&lt;P&gt;To see how account discovery works in practice, consider an organization onboarding Salesforce into Microsoft Entra ID Governance.&lt;/P&gt;
&lt;P&gt;For Zava, Salesforce has been in use for several years. During that time, accounts were created through a mix of manual provisioning, direct sign‑ups, contractors, and a legacy identity system. While the organization is ready to standardize access using Microsoft Entra, the identity team does not yet have a clear picture of who already has access or how that access was granted.&lt;/P&gt;
&lt;P&gt;Account discovery provides that visibility before any governance changes are made.&lt;/P&gt;
&lt;H3&gt;Phase 1: Establishing a baseline during application onboarding&lt;/H3&gt;
&lt;P&gt;As part of the onboarding process, the identity team runs an account discovery report directly from the Salesforce enterprise application in the Microsoft Entra admin center.&lt;/P&gt;
&lt;P&gt;Within minutes, the report returns a complete view of Salesforce users:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Hundreds of users match identities in Microsoft Entra but are not assigned to the application.&lt;/LI&gt;
&lt;LI&gt;A small number of accounts have no matching Entra identity and appear to be local or orphaned.&lt;/LI&gt;
&lt;LI&gt;Several service and test accounts are clearly visible for separate review.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This baseline matters. Before provisioning, access packages, or Conditional Access policies are applied, the team now understands the true access state of the application. There are no assumptions and no spreadsheets. Every existing account is accounted for.&lt;/P&gt;
&lt;P&gt;This visibility allows the identity team to plan governance intentionally instead of reacting to surprises after rollout.&lt;/P&gt;
&lt;H3&gt;Phase 2: Bringing existing users under policy‑driven access&lt;/H3&gt;
&lt;P&gt;With the discovery report in hand, the next priority is addressing the matched but unassigned users. These users are legitimate employees who already rely on Salesforce, but their access assignments exist entirely outside Entra governance.&lt;/P&gt;
&lt;P&gt;The organization has already defined access packages in Entitlement Management aligned to job functions, such as sales and customer support. Each package includes approval workflows, expiration policies, and recurring access reviews.&lt;/P&gt;
&lt;P&gt;With the discovery results, the identity team can then bring these users under governance by mapping them to the right Entitlement Management access packages—for example, assigning sales users to the sales package and support users to the support package. This turns “existing but unmanaged” access into access that’s explicitly owned and governed in Entra, with guardrails like approvals, time-bound access, and regular access reviews.&lt;/P&gt;
&lt;P&gt;Orphaned accounts are handled separately. The identity team partners with application owners to determine whether these accounts should be removed, disabled, or linked to a valid corporate identity. Importantly, these decisions are now informed by data rather than guesswork.&lt;/P&gt;
&lt;H3&gt;Phase 3: Maintaining visibility with ongoing discovery&lt;/H3&gt;
&lt;P&gt;Once Salesforce is governed and provisioning is enabled, account discovery continues to play a role in detecting and reconciling any future drift.&lt;/P&gt;
&lt;P&gt;Each month, the app owners run another discovery. This time, the report highlights a small number of new local accounts that were created directly in Salesforce outside the approved provisioning workflow. A closer look reveals a mix of expired contractor accounts, a temporary test user, and one former employee whose account was missed during offboarding.&lt;/P&gt;
&lt;P&gt;None of these accounts are subject to Conditional Access or MFA policies. Without periodic discovery, they would likely remain unnoticed.&lt;/P&gt;
&lt;P&gt;The team disables the accounts and updates internal processes so that future exceptions trigger investigation. Account Discovery becomes a recurring governance checkpoint that helps ensure access remains aligned with policy over time.&lt;/P&gt;
&lt;H2&gt;Closing the visibility gap&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Effective identity governance includes having visibility into ungoverned access.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Most organizations inherit access across their applications. Without a clear view of who already has access, governance efforts begin with blind spots that introduce unnecessary risk. Account discovery helps close that gap by giving identity teams a practical, repeatable way to see existing application accounts and bring them under policy.&lt;/P&gt;
&lt;P&gt;Whether you are onboarding an application for the first time or validating access in a long‑running environment, visibility provides the foundation for confident governance.&lt;/P&gt;
&lt;P&gt;This is the first step in a broader journey to make identity governance more proactive, expanding visibility into access across groups and memberships, and adding enforcement controls to help prevent changes to access unless those changes come through a governed process.&lt;/P&gt;
&lt;H3&gt;Licensing and availability&lt;/H3&gt;
&lt;P&gt;Account discovery is available in public preview for organizations with &lt;STRONG&gt;Microsoft Entra ID Governance, Microsoft Entra Suite and Microsoft E7 licenses&lt;/STRONG&gt;. The capability is accessible through the Microsoft Entra admin center and through Microsoft Graph APIs.&lt;/P&gt;
&lt;H3&gt;Get started&lt;/H3&gt;
&lt;P&gt;To get started, navigate to an enterprise application in the Microsoft Entra admin center and select &lt;A class="lia-external-url" href="https://aka.ms/accountDiscoveryDocumentation" target="_blank" rel="noopener"&gt;account discovery&lt;/A&gt;. Run your first discovery in minutes and begin building a complete picture of application access across your environment.&lt;/P&gt;
&lt;P&gt;We welcome your feedback as we continue to evolve this capability.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Joseph Dadzie&lt;/STRONG&gt;&lt;BR /&gt;Vice President, Product Management&lt;BR /&gt;Microsoft Entra&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://aka.ms/accountDiscoveryDocumentation" target="_blank" rel="noopener"&gt;Account Discovery documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/entra/id-governance/identity-governance-overview" target="_blank" rel="noopener"&gt;Microsoft Entra ID Governance overview&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank" rel="noopener"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/bg-p/Identity" target="_blank" rel="noopener"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank" rel="noopener"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/microsoft-entra/bd-p/Azure-Active-Directory" target="_blank" rel="noopener"&gt;Microsoft Entra discussions | Microsoft Community&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 30 Apr 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/you-can-t-govern-what-you-can-t-see-closing-the-identity/ba-p/4507464</guid>
      <dc:creator>Joseph Dadzie</dc:creator>
      <dc:date>2026-04-30T15:00:00Z</dc:date>
    </item>
    <item>
      <title>Microsoft’s perspective on agentic identity standards</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-s-perspective-on-agentic-identity-standards/ba-p/2111910</link>
      <description>&lt;H2&gt;A new identity inflection point&lt;/H2&gt;
&lt;P&gt;If you’ve gotten past the headline to this first sentence, you’re probably my kind of people. You’re probably a professional in the world of IAM (Identity and Access Management) who’s looking after their own enterprise; and you may even have opinions about what the future holds that range from salty to optimistic. In the world of granting access to enable productivity while preventing fraud, we’ve been supporting impulsive humans and predictable non-human identities… and now we are in the wild and wooly world where the software could be way more YOLO than the employees.&lt;/P&gt;
&lt;P&gt;In the last year, AI agents have moved quickly from experimentation into real business roles, and identity infrastructure is necessarily along for the ride, absorbing new constructs and adapting old ones.&amp;nbsp; The landscape of standards has been evolving rapidly as well, and I believe it's important to share updates with those who may not be immersed in these discussions day-to-day. In this fast-changing environment, staying informed about developments is crucial. My goal here is to talk about what is changing in the industry at large, why it is changing, and how we at Microsoft view this critical architectural identity layer.&lt;/P&gt;
&lt;P&gt;From a standards perspective, I think the biggest industry change has been mental.&amp;nbsp; There were always entities in the standards world that were non-human and needed resource access, but a clear line in the sand existed as to what those non-human entities would be allowed to accomplish. Different kinds of non-human entities were described by their task orientation and given different names that seemed separate – OAuth Clients, SPIFFE workloads, Token Exchange Actors. These standards had different taxonomies partly so that the security promise of non-human and human interactions could be kept straight.&amp;nbsp; If software needed an access token to act on behalf of “something”, the aligned delegation request flows presumed that the “something” in that sentence was a real person; the idea of “user present” transactions became a critical part of our access management threat model and vocabulary.&amp;nbsp; In the absence of a user, different flows and standards apply. Because consent is a human concept, software cannot grant access on behalf of other software, and a separate decision-making mechanism is required. Yet here we are in a world where agents &lt;U&gt;are&lt;/U&gt; delegating, because they have enough reasoning capability to make choices.&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You may come to the logical conclusion that the agentic revolution therefore must have caused a standards revolution to match – but no.&amp;nbsp; The mindset change was pretty quick. In my opinion it has been aided in great part by the community developing the Model Context Protocol (MCP). MCP developed an incredible amount of momentum, and their choice to adopt OAuth for MCP authorization created a forcing function that all of us in the Enterprise world will be benefitting from for a long time to come.&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Identity standards innovation&lt;/H2&gt;
&lt;P&gt;There’s a growing set of identity standards we’re paying close attention to, and each merits deeper discussion. For now, I’ll anchor on three broad areas of interest that are shaping how identity standards are evolving for agentic systems: bootstrapping of trust, delegation, and shared secrets. As a broad statement, a lot of work is going on to connect the agentic dots between families of standards, especially in areas for which manual processes could previously bridge automation gaps.&lt;/P&gt;
&lt;P&gt;The first area of work is the bootstrapping of trust between non-human entities. If you are wondering what a non-human entity is, it could be anything from an infrastructure endpoint like an OAuth authorization server, to a directory-based service principal representing an application, to a workload identity working within a hypervisor context, or now an agentic identity such as an LLM harness or an autonomous business agent. In the federation world, SAML standardized an &lt;A href="https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf" target="_blank" rel="noopener"&gt;IDP discovery protocol&lt;/A&gt; in 2008, OpenID Connect v1 &lt;A href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener"&gt;included a discovery spec&lt;/A&gt; in 2014, and OAuth 2.0 Protected Resource Metadata became &lt;A href="https://datatracker.ietf.org/doc/rfc9728/" target="_blank" rel="noopener"&gt;RFC 9728&lt;/A&gt; in 2025. Despite widespread ratification, IAM admins typically uploaded metadata manually from installation guides or app galleries. The data was static, and admins themselves served as the explicit trigger that established a clear starting point of authority for each federation contract.
Agents, however, operate at a different scale, and the incentive is finally in place to consistently automate a non-human entity announcing itself and requesting access, not just in one identity silo but across the entire technical landscape. The result will be a much more connected and consolidated embrace of all sorts of secure non-human onboarding options, including OAuth CIMD (&lt;A href="https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/" target="_blank" rel="noopener"&gt;ClientID Metadata Document&lt;/A&gt;) and a lot of work in the WIMSE working group at IETF that helps &lt;A href="https://datatracker.ietf.org/doc/html/draft-ietf-wimse-workload-identity-practices-03" target="_blank" rel="noopener"&gt;SPIFFE and OAuth work better&lt;/A&gt; together (SPIFFE is an open standard that operates similarly to &lt;A href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview" target="_blank" rel="noopener"&gt;Managed Identities for Azure&lt;/A&gt;). It’s also worth calling out IoT and identity wallet standards, but those deserve a deeper dive, which we’ll save for later.&lt;/P&gt;
&lt;P&gt;In addition to bootstrapping, the standards world is debating the question of delegation. This is another place where bifurcation between human and non-human identity is breaking down.&amp;nbsp; We have multiple existing concepts in identity standards like token exchange, identity chaining, transaction tokens, OBO (on behalf of), token upscoping/downscoping, and a slew of new IETF proposals all occupying everyone’s minds.&amp;nbsp; Take a look through &lt;A href="https://khaledzaky.com/blog/delegation-is-the-real-identity-problem-in-agentic-ai" target="_blank" rel="noopener"&gt;Khaled Zaky’s blog&lt;/A&gt; on this topic, and stay tuned – this debate has not yet concluded in any way.&lt;/P&gt;
&lt;P&gt;One quieter thread of work is worth calling out here. The standards world is filling those connective tissue gaps around eliminating shared secrets from agentic use.&amp;nbsp; We are already seeing abuse (and perhaps a blurring of the line between what is use and what is abuse) of shared secrets such as API keys in agent contexts – for anyone taking the time to look, bearer token abuse will be next. &amp;nbsp;Looking ahead, there will be a follow-up blog where my colleagues will explore how we’re building critical standards in this area and what that enables next.&lt;/P&gt;
&lt;H2&gt;Perspective on agentic identity standards&lt;/H2&gt;
&lt;P&gt;The deep nature of our Microsoft agentic investment is clear for all to see, but it isn’t always obvious just how much of that investment lies in collaborative spaces such as the standards community. &lt;A href="https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-oauth-protocols" target="_blank" rel="noopener"&gt;We have already created a foundational identity layer&lt;/A&gt; built on open standards, with a continued commitment to a standards‑based approach to trust for AI authentication, authorization, and management - one that can scale across the many industries we work with every day. Participation in communities of interest for agentic identity such as AAIF, MCP, IETF, FIDO Alliance and OpenID Foundation is one of the ways we stay relevant, and they are communities I’d encourage you to follow as well. We have a lot of learnings about what works and does not work in our very large environment, and I look forward to the writing of my brilliant colleagues as they share that hard-won wisdom. In addition, for anyone who &lt;EM&gt;does&lt;/EM&gt; enjoy the technical complexity of agentic standards, &lt;A href="https://www.linkedin.com/in/pameladingle/" target="_blank" rel="noopener"&gt;follow me on LinkedIn&lt;/A&gt; for much deeper content. One last important perspective – while I have a job title that sounds lofty in this area, the truth is that many people are working on this goal all over the company. It is those contributions, those daily decisions to care about whether any given identity standard serves its purpose, that mean lasting success. Cheers to them.&lt;/P&gt;
&lt;P&gt;-P. Dingle, Director of Identity Standards&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/security-101/what-is-oauth" target="_blank" rel="noopener"&gt;What is OAuth? – Microsoft Security 101&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/surfing-the-ai-wave-manage-govern-and-protect-ai-agents-with-microsoft-entra-age/2464407" target="_blank" rel="noopener"&gt;Surfing the AI Wave: Manage, Govern, and Protect AI Agents with Microsoft Entra Agent ID | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/the-future-of-ai-agents%E2%80%94and-why-oauth-must-evolve/3827391" target="_blank" rel="noopener"&gt;The future of AI agents—and why OAuth must evolve | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra Agent ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra discussions | Microsoft Community&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
</description>
      <pubDate>Wed, 06 May 2026 16:57:22 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-s-perspective-on-agentic-identity-standards/ba-p/2111910</guid>
      <dc:creator>Pamela Dingle</dc:creator>
      <dc:date>2026-05-06T16:57:22Z</dc:date>
    </item>
    <item>
      <title>Get ahead of agent sprawl: manage and govern AI agents at scale</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/get-ahead-of-agent-sprawl-manage-and-govern-ai-agents-at-scale/ba-p/4513160</link>
      <description>&lt;P&gt;Recently, my team and I met with customers across several industries including finance, retail, telecommunications, and the public sector regarding the topic of agent adoption. During our time with them, several key themes bubbled to the surface. While AI agent adoption is growing rapidly, we need to ensure governance is built-in right from the start and that it is designed for the rapid proliferation of agents. Our customers see agents appearing within their admin portal, but accountability, lifecycle management and access guardrails are lacking, creating situations that could lead to significant security concerns.&lt;/P&gt;
&lt;P&gt;Without clear ownership and access boundaries, risk can build quickly without clear insight about what those agents can access or do.&lt;/P&gt;
&lt;H2&gt;Agents are a new type of identity&lt;/H2&gt;
&lt;P&gt;From an identity perspective, agents can authenticate, access resources, and take action. As outlined in the &lt;A href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/security/secure-access-in-the-age-of-ai-final-2026.pdf" target="_blank" rel="noopener"&gt;Secure Access in the Age of AI&lt;/A&gt; report, security leaders need to find ways to manage, govern, and protect agent identities with the same rigor as human identities, especially as they scale agents across the enterprise. What makes agents different is that they do not fit neatly into existing categories. Sometimes an agent acts as an assistive agent and at other times it behaves more autonomously. Unlike traditional apps, agents are not static. As models and workflows evolve, agents can acquire new capabilities, which in turn can change what they are able to accomplish over time.&lt;/P&gt;
&lt;P&gt;Without a unique agent identity, customers struggle to address key questions such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Which agent identity is acting?&lt;/LI&gt;
&lt;LI&gt;What can it access?&lt;/LI&gt;
&lt;LI&gt;What actions did it take?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These questions point to a fundamental gap in how identity has traditionally been applied. As agents take on more responsibilities across multiple workflows, treating them simply as applications or as extensions of a user's identity is no longer sufficient. Agents need to be recognized and managed as first-class identities. &lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID&lt;/A&gt; provides an identity foundation that applications and platforms can integrate with, enabling agents to authenticate, access resources, and be governed using familiar identity controls.&lt;/P&gt;
&lt;P&gt;When platforms integrate with Entra as their identity provider, organizations gain clearer visibility into which agent is acting, what it can access, and how its permissions evolve as models and workflows change. Built on this foundation, Microsoft Entra Agent ID organizes agent identity around three pillars, helping organizations manage AI agents at scale, govern agent identities and lifecycle, and protect agent access to resources.&lt;/P&gt;
&lt;H2&gt;Manage AI agents at scale&lt;/H2&gt;
&lt;P&gt;Organizations consistently face the same initial challenge: gaining visibility into the AI agents operating across their environment. According to our study, 80% of leaders report that AI agent usage has increased over the past year. This underscores the need for a clear view of which agents exist throughout the organization. &lt;A href="https://www.microsoft.com/en-us/microsoft-agent-365" target="_blank" rel="noopener"&gt;Microsoft Agent 365&lt;/A&gt; was purpose-built to serve as the control plane for AI agents, tackling the challenges of agent management head-on. With Microsoft Agent 365, organizations can streamline management for AI agents in their environment. Its agent registry provides a unified inventory of all agents operating across the organization, including both Microsoft and non‑Microsoft agents.&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Get a complete view of all agents in your organization, including agents built with Microsoft AI platforms, agents from our ecosystem partners, and any agents you register yourself.&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-align-left"&gt;A key building block in Microsoft Entra Agent ID is the agent blueprint. An agent identity blueprint serves as a reusable template for creating agents. It defines how agents are created, authenticated, and governed, while still allowing individual agents to be provisioned or deprovisioned independently, as needed. With the agent blueprint, security teams can apply consistent access controls to every agent created from that template.&lt;/P&gt;
&lt;H2&gt;Govern agent identities and lifecycle&lt;/H2&gt;
&lt;P&gt;Once your agents are up and running, one of the biggest challenges organizations face is governing agent identities at scale. As teams experiment and deploy agents across environments, agent proliferation can happen quickly, often without consistent sponsorship, review, or retirement processes.&lt;/P&gt;
&lt;P&gt;Effective identity governance must therefore include automated lifecycle management to address agent sprawl. This means ensuring every agent has a designated sponsor, enforcing policies for how agents are created and reviewed, and automatically removing access when agents are no longer needed. Without automated lifecycle controls, dormant or inactive agents can persist and retain access long after their purpose has ended, increasing security risk and administrative burden.&lt;/P&gt;
&lt;P&gt;Microsoft Entra Agent ID helps organizations apply identity governance practices across the full agent lifecycle, from creation through decommissioning, so agent growth remains intentional, auditable, and manageable as environments become larger and more complex.&lt;/P&gt;
&lt;P&gt;Entra Agent ID supports structured governance by allowing organizations to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Identify orphaned agents and ensure every agent always has an accountable human sponsor, so that accountability is maintained as users move or leave the organization&lt;/LI&gt;
&lt;LI&gt;Automate agent lifecycle management from creation through deactivation to help prevent agent sprawl&lt;/LI&gt;
&lt;LI&gt;Ensure agents' access is intentional, auditable and time-bound with access packages&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Identify orphaned agents and automate sponsor assignments.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;Protect agent access to resources&lt;/H2&gt;
&lt;P&gt;One final, and key, pain point customers anticipate is maintaining operational control as agents evolve. Our recent whitepaper, &lt;A href="https://aka.ms/IDProtectionReport" target="_blank" rel="noopener"&gt;Protect Identities in the Era of AI&lt;/A&gt;, reveals how identity attacks are rapidly increasing as organizations embrace cloud and AI technologies. As agents gain new capabilities and interact with more resources, organizations need confidence that access is adaptive and secure.&lt;/P&gt;
&lt;P&gt;Entra Agent ID extends familiar identity controls to agents, thereby providing organizations with the ability to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Apply Conditional Access policies tailored to agents, enforcing requirements based on the agent identity and access.&lt;/LI&gt;
&lt;LI&gt;Block agent access automatically when risk signals increase and detect anomalous behavior such as unusual sign-in spikes or unfamiliar resource access.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Apply Conditional Access for agents: Enforce Conditional Access policies with custom security attributes, and agent compromise risk assessments.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;Built for an expanding agent ecosystem&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Enterprise environments are incredibly diverse, with organizations building agents across Microsoft platforms as well as a broad ecosystem of non‑Microsoft frameworks and tools. To support this reality, the &lt;A href="https://learn.microsoft.com/en-us/microsoft-agent-365/developer/agent-365-sdk?tabs=python" target="_blank" rel="noopener" aria-label="Link Microsoft Agent 365 SDK"&gt;Microsoft Agent 365 SDK&lt;/A&gt; enables developers to extend agents built using any agent SDK or platform with enterprise‑ready identity, observability, security, and governed access to Microsoft 365. By integrating with Microsoft Agent 365, the SDK helps organizations onboard and operate agents from any source using consistent management and identity controls.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;Get started&lt;/H2&gt;
&lt;P&gt;To learn more about Microsoft Entra Agent ID and how it empowers organizations to secure access for AI agents:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Learn: &lt;A href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Explore: &lt;A href="https://www.microsoft.com/en-us/microsoft-agent-365" target="_blank" rel="noopener"&gt;Microsoft Agent 365&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Watch: &lt;A href="https://www.youtube.com/watch?v=N-B-kD28P2I&amp;amp;t=1s" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID Explained&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;View a demo: &lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/secure-access-for-ai-agents-the-new-frontier-of-identity/4486498" target="_blank" rel="noopener"&gt;Secure access for AI agents, the new frontier of identity&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;- Ngozi Nwoko, Director of Product Marketing, IDNA&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Related resources:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Webinar series: &lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-your-identity-landscape-reduce-risk-and-modernize-access-for-any-identi/4486059" target="_blank" rel="noopener"&gt;Microsoft Entra on-demand&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/surfing-the-ai-wave-manage-govern-and-protect-ai-agents-with-microsoft-entra-age/2464407" target="_blank" rel="noopener"&gt;Surfing the AI Wave: Manage, Govern, and Protect AI Agents with Microsoft Entra Agent ID | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;Microsoft Entra Agent ID documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra discussions | Microsoft Community&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 06 May 2026 16:55:35 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/get-ahead-of-agent-sprawl-manage-and-govern-ai-agents-at-scale/ba-p/4513160</guid>
      <dc:creator>NgoziNwoko</dc:creator>
      <dc:date>2026-05-06T16:55:35Z</dc:date>
    </item>
    <item>
      <title>Tenant Configuration Management APIs are now generally available</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/tenant-configuration-management-apis-are-now-generally-available/ba-p/4513157</link>
      <description>&lt;P&gt;In our &lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-tenant-governance-secure-and-manage-multi-tenant-environments-at/4462427" target="_blank" rel="noopener"&gt;previous post&lt;/A&gt;, we introduced &lt;A href="https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview" target="_blank" rel="noopener"&gt;Microsoft Entra Tenant Governance&lt;/A&gt; and how it helps organizations secure and manage multi-tenant environments at scale. Today, we’re excited to announce that the &lt;STRONG&gt;Tenant Configuration Management (TCM) APIs are now generally available&lt;/STRONG&gt;, providing the foundation for managing configuration at scale with greater consistency and control.&lt;/P&gt;
&lt;P&gt;Before we dive deeper, let’s clarify the distinction:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Entra Tenant Governance&lt;/STRONG&gt;&lt;/A&gt; is the product experience. It delivers a centralized control plane for visibility, policy enforcement, and governance across tenant configurations.&lt;/LI&gt;
&lt;LI&gt;The &lt;A href="https://learn.microsoft.com/en-us/graph/unified-tenant-configuration-management-concept-overview" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;TCM APIs&lt;/STRONG&gt;&lt;/A&gt; are the underlying Microsoft Graph API that powers Tenant Governance’s configuration management capabilities. It enables organizations to &lt;STRONG&gt;programmatically define, export, monitor, and manage configurations across services&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;&lt;STRONG&gt;Why this matters&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;As organizations grow, configuration complexity increases across identity, security, and productivity workloads. Over time, even well-configured environments can drift due to incremental changes, operational overhead, and lack of centralized control.&lt;/P&gt;
&lt;P&gt;The challenge isn’t just setting configurations correctly. &lt;STRONG&gt;It’s maintaining that state continuously&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;The TCM API addresses this by enabling a shift from &lt;STRONG&gt;reactive configuration management&lt;/STRONG&gt; to a &lt;STRONG&gt;declarative and continuous model&lt;/STRONG&gt;, where desired state is defined and automatically validated over time. This helps organizations reduce risk, improve compliance, and simplify operations.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Core concepts of the TCM API&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;At its core, the TCM API brings configuration-as-code to Microsoft Entra. It introduces a model built around four connected concepts: &lt;STRONG&gt;snapshots, baselines, monitors, and configuration drifts&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Snapshot:&lt;/STRONG&gt; Captures the current state of tenant configurations at a point in time. This is often the starting point, helping organizations understand what’s deployed today or establish a “known good” reference.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Baseline:&lt;/STRONG&gt; Represents the desired configuration state. Instead of manually checking settings across portals, organizations can define what compliant configuration looks like in a structured, repeatable way.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Monitor:&lt;/STRONG&gt; Continuously compares the live environment against that baseline. Any deviation is surfaced as configuration drift, giving teams clear insight into where their environment no longer aligns with expectations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Configuration drifts:&lt;/STRONG&gt; Represents the delta between the desired configuration state and the current configuration state.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these concepts create a closed loop: capture current state, define desired state, and continuously monitor alignment between the two.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;A scalable model for configuration management&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;What makes the TCM API powerful is not just visibility, but &lt;STRONG&gt;repeatability and scale&lt;/STRONG&gt;. Because everything is exposed through Microsoft Graph, configuration management can now be:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Integrated into automation workflows&lt;/LI&gt;
&lt;LI&gt;Connected to existing security and compliance systems&lt;/LI&gt;
&lt;LI&gt;Applied consistently across multiple tenants and services&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This introduces a true configuration-as-code approach, where tenant settings are no longer static or manually enforced, but programmatically defined and continuously evaluated.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;How this fits into Tenant Governance&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;The TCM API is the foundation that enables many of the capabilities within Microsoft Entra Tenant Governance.&lt;/P&gt;
&lt;P&gt;While the API provides raw access to configuration data and state comparison, Tenant Governance builds on top of it to deliver a &lt;STRONG&gt;unified experience for administrators&lt;/STRONG&gt;. This includes surfacing insights, highlighting drift, and enabling governance actions without requiring customers to build their own tooling.&lt;/P&gt;
&lt;P&gt;In the near future, Tenant Governance will provide a single pane of glass for managing multiple tenants centrally, powered by the TCM API. This relationship is key:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Customers&lt;/STRONG&gt; can rely on Tenant Governance for an out-of-the-box solution.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Partners and advanced organizations&lt;/STRONG&gt; can use the TCM API directly to build custom workflows, integrations, or managed services.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;&lt;STRONG&gt;Final thoughts&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Tenant configuration is no longer a one-time activity. It is an ongoing process that directly impacts security, compliance, and operational consistency.&lt;/P&gt;
&lt;P&gt;With the &lt;STRONG&gt;general availability of the TCM API&lt;/STRONG&gt;, organizations now have a scalable way to define, monitor, and enforce configuration across their environments. Whether used directly or through Microsoft Entra Tenant Governance, it enables a more proactive and automated approach to managing tenant configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;-Aditya Mukund&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/graph/unified-tenant-configuration-management-concept-overview" target="_blank" rel="noopener" aria-label="Link Overview of the Tenant Configuration Management APIs in Microsoft Graph - Microsoft Graph | Microso…"&gt;Overview of the Tenant Configuration Management APIs in Microsoft Graph - Microsoft Graph | Microso…&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/graph/utcm-authentication-setup" target="_blank" rel="noopener" aria-label="Link Set up authentication for Tenant Configuration Management APIs - Microsoft Graph | Microsoft Learn"&gt;Set up authentication for Tenant Configuration Management APIs - Microsoft Graph | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more about Microsoft Entra &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/products/microsoft-entra/" target="_blank"&gt;Microsoft Entra News and Insights | Microsoft Security Blog&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/blog/microsoft-entra-blog" data-lia-auto-title="Microsoft Entra blog | Tech Community" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra blog | Tech Community&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/" target="_blank"&gt;Microsoft Entra documentation | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-entra/discussions/microsoft-entra" data-lia-auto-title="Microsoft Entra discussions | Microsoft Community&amp;nbsp;" data-lia-auto-title-active="0" target="_blank"&gt;Microsoft Entra discussions | Microsoft Community&amp;nbsp;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 06 May 2026 16:58:33 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-entra-blog/tenant-configuration-management-apis-are-now-generally-available/ba-p/4513157</guid>
      <dc:creator>AdityaMukund</dc:creator>
      <dc:date>2026-05-06T16:58:33Z</dc:date>
    </item>
  </channel>
</rss>

