Public Preview - Conditional Access Optimization Agent in Microsoft Entra

April 2025
**Public Preview - Conditional Access Optimization Agent in Microsoft Entra
Type: New feature**
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single selection. For more information, see: Microsoft Entra Conditional Access optimization agent.

Public Preview - Microsoft Entra ID Governance: Suggested access packages in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

In December 2024, we introduced a new feature in My Access: a curated list of suggested access packages. Users view the most relevant access packages, based on their peers' access packages and previous assignments, without scrolling through a long list. By May 2025, suggestions will be enabled by default and we'll introduce a new card in the Microsoft Entra Admin Center Entitlement Management control configurations for admins to see My Access settings. We recommend admins turn on the peer-based insights for suggested access packages via this setting. For more information, see: Suggested access packages in My Access (Preview).

**Public Preview - Conditional Access What If evaluation API
Type: New feature**
Service category: Conditional Access
Product capability: Access Control

Conditional Access What If evaluation API – Leverage the What If tool using the Microsoft Graph API to programmatically evaluate the applicability of conditional access policies in your tenant on user and service principal sign-ins. For more information, see: conditionalAccessRoot: evaluate.

Public Preview - Manage refresh tokens for mover and leaver scenarios with Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Now customers can configure a Lifecycle workflows task to automatically revoke access tokens when employees move within, or leave, the organization. For more information, see: Revoke all refresh tokens for user (Preview).

General Availability - Use managed identities as credentials in Microsoft Entra apps
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Identity Security & Protection

You can now use managed identities as federated credentials for Microsoft Entra apps, enabling secure, secret-less authentication in both single- and multi-tenant scenarios. This eliminates the need to store and manage client secrets or certificates when using Microsoft Entra app to access Azure resources across tenants. This capability aligns with Microsoft’s Secure Future Initiative pillar of protecting identities and secrets across systems. Learn how to configure this capability in the official documentation.

Plan for change - Roll out of Application Based Authentication on Microsoft Entra Connect Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

What is changing

Microsoft Entra Connect creates and uses a Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. The account uses a locally stored password to authenticate with Microsoft Entra ID. To enhance the security of the Microsoft Entra Connect application sync process, we will, in the coming week roll out support for "Application based Authentication" (ABA), which uses a Microsoft Entra ID application based identity and Oauth 2.0 client credential flow to authenticate with Microsoft Entra ID. To enable this, Microsoft Entra Connect will create a single tenant 3rd party application in customer's Microsoft Entra ID tenant, register a certificate as the credential for the application, and authorize the application to perform on-premises directory synchronization

The Microsoft Entra Connect Sync .msi installation file for this change will be exclusively available in the Microsoft Entra admin center within the Microsoft Entra Connect pane.

Check our version history page in the next week for more details of the change.