Update

Plan for Change - Update to Revoke Multifactor Authentication Sessions

October 2025

Plan for Change - Update to Revoke Multifactor Authentication Sessions
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

Starting February 2026, we are replacing the current “Revoke multifactor authentication sessions” button with the “Revoke sessions” button in the Microsoft Entra portal.

The legacy “Revoke MFA sessions” action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new “Revoke sessions” button will invalidate all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.

Action required

Admins should update workflows and guidance to use “Revoke sessions” instead of “Revoke MFA sessions”. The “Revoke MFA sessions” option will be removed from the portal after this change.

Public Preview - Delegated Workflow Management in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Customers are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope. For more information, see: Delegated workflow management (preview).

Public Preview - App-based branding via Branding themes in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

In Microsoft Entra External ID (EEID), customers can create a single, tenant-wide, customized branding experience that applies to all apps. We're introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications. For more information, see https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-customize-branding-themes-apps

Public preview - Expanded attribute support in Lifecycle Workflows attribute changes trigger
Type: Changed feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:

Custom security attributes
Directory extension attributes
EmployeeOrgData attributes
On-premises attributes 1–15

This enhancement gives administrators greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments. For more information, see: Use Custom attribute triggers in lifecycle workflows (Preview).

Public Preview - Sign-in with username/alias
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

In Microsoft Entra External ID (EEID), users with a local email+password credential can sign in with their email address as the identifier. We are adding the ability for these users to sign in with an alternative identifier, such as a customer or member ID (for example, an insurance number or frequent flier number) assigned via the Graph API or the Microsoft Entra admin center. For more information, see Sign in with an alias or username (preview).

Deprecation - Iteration 2 beta APIs for Microsoft Entra PIM will be retired. Migrate to Iteration 3 APIs.
Type: Deprecated
Service category: Privileged Identity Management
Product capability: Identity Governance

Introduction

Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) Iteration 2 (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail.

How this will affect your organization

After Oct 28, 2026, any applications or scripts calling Microsoft Entra PIM Iteration 2 (beta) API endpoints will fail. These calls will no longer return data, which might disrupt workflows or integrations relying on these endpoints. These APIs were released in beta and are being retired; the Iteration 3 APIs are generally available (GA) and offer improved reliability and broader scenario support.

What you need to do to prepare

We strongly recommend migrating to the Iteration 3 (GA) APIs, which are generally available.

Begin migration planning and testing as soon as possible.
Halt any new development using Iteration 2 APIs.
Review documentation for Iteration 3 APIs to ensure compatibility.

Learn more:

API concepts in Privileged Identity management - Microsoft Entra ID Governance | Microsoft Learn
Privileged Identity Management iteration 2 APIs
Migrate from PIM iteration 2 APIs to PIM iteration 3 APIs

Public Preview - Soft Delete & Restore for Conditional Access Policies and Named Locations
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We’re thrilled to announce the Public Preview of soft delete and restore for Conditional Access (CA) policies and Named Locations in Microsoft Entra. This new capability extends our proven soft delete model to critical security configurations across Microsoft Graph APIs (in beta) and the Microsoft Entra Admin Center, helping admins recover from accidental or malicious deletions quickly and strengthen overall security posture.

With this feature, admins can:

Restore deleted items to their exact prior state within 30 days
Review deleted items before restoring
Permanently delete when needed

Soft delete has already been proven at scale across Microsoft Entra (7M+ objects restored in the last 30 days). Bringing it to CA policies and Named Locations ensures quick disaster recovery, minimizes downtime, and maintains security integrity.

General Availability - Suggested Access Packages can be shown to users in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

In My Access, Microsoft Entra ID Governance users can see a curated list of suggested access packages. This capability allows users to quickly view the most relevant access packages for them, based on their peers' access packages and previous assignments, without scrolling through all their available access packages.

The suggested access packages list is created by finding people related to the user (manager, direct reports, organization, team members) and recommending access packages based on what the user’s peers have. The user is also suggested access packages that were previously assigned to them.

We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access

General Availability - Conversion of external users to internal members
Type: New feature
Service category: User Management
Product capability: User Management

External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account and access to resources aren’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.

General Availability - Granular, Least-Privileged Permissions for UserAuthenticationMethod APIs
Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Summary

We're introducing new, granular permissions for the UserAuthenticationMethod APIs in Microsoft Entra ID. This update enables organizations to apply the principle of least privilege when managing authentication methods, supporting both security and operational efficiency.

What’s New?

New per-method permissions: Fine-grained permissions for each authentication method (for example, Password, Microsoft Authenticator, Phone, Email, Temporary Access Pass, Passkey, Windows Hello for Business, QR+PIN, and others).
Read-only policy permission: A new permission allows read-only access to authentication method policies, improving role separation and auditability.

For more information, see Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

Public Preview - Cloud Managed Remote Mailboxes
Type: New feature
Service category: User Management
Product capability: Microsoft Entra Cloud Sync

The Source of Authority (SOA) at the object level allows administrators to convert specific users synced from Active Directory (AD) to Microsoft Entra ID into cloud-editable objects, which are no longer synced from AD and act as if originally created in the cloud. This feature supports a gradual migration process, decreasing dependencies on AD while aiming to minimize user and operational impact. Both Microsoft Entra Connect Sync and Cloud Sync recognize the SOA switch for these objects. The option to switch the SOA of synced users from AD to Microsoft Entra ID is currently available in Public Preview. For more information, see: Embrace cloud-first posture: Transfer user Source of Authority (SOA) to the cloud (Preview).

Public Preview - Prefetch Workday termination data to customize account disable logic
Type: Fixed
Service category: Provisioning
Product capability: Inbound to Microsoft Entra ID

This Workday connector update resolves termination processing delays observed for workers in APAC and ANZ regions. Admins can now enable the termination lookahead setting to prefetch data and tailor deprovisioning logic for accounts in Microsoft Entra ID and on-premises Active Directory. For more information, see: Configure Workday termination lookahead (Preview).

General Availability - Ability to convert Source of Authority of synced on-premises AD groups to cloud groups is now available
Type: New feature
Service category: Group Management
Product capability: Microsoft Entra Cloud Sync

The Group SOA feature lets organizations move application access governance from on-premises to the cloud by transferring Active Directory group authority to Microsoft Entra ID using Connect Sync or Cloud Sync. With phased migration, admins can reduce AD dependencies gradually and minimize disruption. Microsoft Entra ID Governance manages access for both cloud and on-premises apps linked to security groups, and customers of either sync client can now use this feature. For more information, see: Group source of authority.

Plan for Change - Jailbreak Detection in Authenticator App
Type: Plan for change
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Starting February 2026, we'll introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app. This update strengthens security by preventing Microsoft Entra credentials from functioning on jail-broken or rooted devices. All existing credentials on such devices will be wiped to protect your organization.

This capability is secure by default and requires no admin configuration or control. The change applies to both iOS and Android. This change won't apply to personal or third-party accounts.

Action required: Notify end users about this upcoming change. Authenticator will become unusable for Microsoft Entra accounts on jail-broken or rooted devices.

For more information, see: About Microsoft Authenticator.

Public Preview - Global Secure Access B2B support with AVD and W365
Type: New feature
Service category: B2B
Product capability: Network Access

Guest access support for Global Secure Access (GSA) using W365 and AVD is now in public preview. This B2B support addresses secure access using GSA for external identities such as Guests, Partners, and Contractors using Windows Cloud - Azure Virtual Desktop (AVD) and Windows 365 (W365). This feature empowers 3rd party users from a foreign tenant to securely access resources within a company’s tenant, also known as the resource tenant. As a resource tenant administrator, you can enable Private Access, Internet Access, and Microsoft 365 traffic for these 3rd party users.

For more information, see: Learn about Global Secure Access B2B Guest Access (Preview) - Global Secure Access | Microsoft Learn.

Public Preview - Global Secure Access Internet profile support for iOS client
Type: New feature
Service category: Internet Access
Product capability: Network Access

Kerberos SSO experience for users on mobile devices with Global Secure Access is now supported. On iOS, create and deploy a profile for the Single sign-on app extension; see: Single sign-on app extension. On Android, you need to install and configure a 3rd party SSO client.
