Public Preview - Convert Source of Authority of synced Active Directory users
September 2025
Public Preview - Convert Source of Authority of synced Active Directory users to the cloud
Type: New feature
Service category: User Management
Product capability: Microsoft Entra Connect and Microsoft Entra Cloud Sync
The Source of Authority (SOA) at the object level allows administrators to convert specific users synced from Active Directory (AD) to Microsoft Entra ID into cloud-editable objects, which are no longer synced from AD and act as if originally created in the cloud. This feature supports a gradual migration process, decreasing dependencies on AD while aiming to minimize user and operational impact. Both Microsoft Entra Connect Sync and Cloud Sync recognize the SOA switch for these objects. The option to switch the SOA of synced users from AD to Microsoft Entra ID is currently available in Public Preview. For more information, see: Embrace cloud-first posture: Transfer user Source of Authority (SOA) to the cloud (Preview).
Public Preview - Use SMS as a verification method in password reset flows in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
We’re excited to announce the public preview of SMS for self-service password reset (SSPR) in Microsoft Entra External ID. This change is actively rolling out to all tenants in production by the end of October.
What’s New
- SMS Authentication for Password Reset: End users can now verify their identity via SMS when using the “forgot password” or self-service password reset flow. Previously, only email one-time passcodes were supported.
- Enhanced Security: If users have two or more registered methods for password reset, they'll now be required to verify their identity with at least two methods, adding an extra layer of protection.
- Fraud Protection: With built-in integration to the Phone Reputation platform, telephony activity is processed in real time to identify risks. Each request is returned with an Allow, Block, or Challenge decision to help protect against telephony fraud.
- Billing: SMS for password reset is part of an add-on feature with tiered pricing based on location/region. Charges per SMS include the fraud protection services. For more information, see: SMS pricing tiers by country/region.
Public Preview - Microsoft Security Copilot Access Review Agent in Microsoft Entra
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance
Say goodbye to time-consuming research and the uncertainty of rushed decisions. With the public preview of the Microsoft Security Copilot Access Review Agent in Microsoft Entra, we’re bringing the power of AI directly into the heart of access governance.
The agent works for your reviewers by automatically gathering insights and generating recommendations to help them make fast, accurate access decisions. Reviewers are guided through a natural, conversational flow right inside Microsoft Teams, so they can make the final call with confidence and clarity.
General Availability - Cross-tenant synchronization (cross-cloud)
Type: New feature
Service category: Provisioning
Product capability: Collaboration
Automate creating, updating, and deleting users across tenants across Microsoft clouds. The following combinations are supported:
- Commercial > US Gov
- US Gov > Commercial
- Commercial > China
For more information, see: Configure cross-tenant synchronization
General Availability - Dedicated new 1st party resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync
Type: Plan for change
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect
As part of ongoing security hardening, Microsoft has deployed a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application will manifest as a first party service principal called the "Microsoft Entra AD Synchronization Service" (Application ID: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) and will be visible in the Enterprise Applications experience within the Microsoft Entra admin center. This application is critical for the continued operation of on-premises to Microsoft Entra ID synchronization functionality through Microsoft Entra Connect.
Microsoft Entra Connect now uses this first party application to synchronize between Active Directory and Microsoft Entra ID. Customers are required to upgrade to version 2.5.79.0 or later by September 2026.
We'll auto-upgrade customers where supported. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.
The Microsoft Entra Connect Sync .msi installation file for this change is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect.
Check our version history page for more details on available versions.
Public Preview - App management policies portal experience
Type: New feature
Service category: Enterprise Apps
Product capability: Directory
App management policies allow administrators to improve the security of their organization by setting rules on how applications in their organization can be configured. They can use them to block insecure configurations like password credentials. These policies have been available through the Microsoft Graph API, but can now also be configured using the Microsoft Entra admin center, under the Enterprise applications experience.
Learn more about how to configure app management policies.
Public Preview - Delegate approvals in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
Users can now delegate their access package approvals in My Access. Approvers can assign another individual to respond to access package approval requests on their behalf. The original approvers can still respond to their approvals during the delegation period.
Note
This feature currently applies only to access package approvals and will be expanded to support access reviews in November 2025.
For more information, see: Delegate approvals in My Access.
Public Preview - Reprocess failed users and workflows in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now supports reprocessing workflows, so organizations can rerun them when errors or failures are discovered. You can reprocess previous workflow runs, including failed runs or runs that you simply want to process again. Customers can choose from the following options to fit their needs:
- Select a specific workflow run to be reprocessed.
- Select which users from the workflow run to reprocess: for example, either the failed users or all users from the run.
For more information, see: Reprocess workflows
Public Preview - Trigger workflows for inactive employees and guests in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows now enables customers to configure custom workflows to proactively manage dormant user accounts by automating identity lifecycle actions based on sign-in inactivity. After detecting inactivity, the workflow automatically executes predefined tasks—such as sending inactivity notifications, disabling accounts, or initiating offboarding—for users that exceed the inactivity threshold. Admins can configure the inactivity threshold and scope, ensuring dormant accounts are handled efficiently and consistently - reducing security exposure, reducing license waste, and enforcing governance policies at scale.
For more information, see: Manage inactive users using Lifecycle Workflows (Preview).
Retirement - Microsoft Authentication Library to MSAL Recommendations API
Type: Deprecated
Service category: Other
Product capability: Developer Experience
We’re retiring the ADAL to MSAL Recommendations API on December 15, 2025.
To continue monitoring authentication library usage, customers can query sign-in logs manually via Microsoft Graph API. The relevant data is available in the authenticationProcessingDetails field under the key "Azure AD App Authentication Library".
For guidance, see:
- Recommendation: Migrate from Microsoft Authentication Library to MSAL
- Analyze a sign-in with Microsoft Graph API
No action is required to disable the API.
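The manual check described above can be scripted once sign-in records have been exported from Microsoft Graph. The following Python sketch is an added example, not Microsoft's code: it tallies the library family per application and lists the apps that still produce ADAL sign-ins. The sample records are constructed, and the "Family: … Library: … Platform: …" layout of the value is an assumption about the field's format.

```python
import json
import re
from collections import Counter

LIB_KEY = "Azure AD App Authentication Library"  # key named in the notice above
# Assumed value layout: "Family: <f> Library: <name version> Platform: <p>"
LIB_RE = re.compile(r"Family:\s*(?P<family>.*?)\s+Library:\s*(?P<library>.*?)\s+Platform:\s*(?P<platform>.*)$")

# Constructed sample shaped like a Graph sign-in list response; not real tenant data.
SAMPLE = json.loads("""{"value": [
 {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Legacy HR Portal",
  "authenticationProcessingDetails": [
   {"key": "Login Hint Present", "value": "True"},
   {"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.JS 1.0.0 Platform: JS"}]},
 {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Legacy HR Portal",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library", "value": "Family: MSAL Library: MSAL.JS 2.0.0 Platform: JS"}]},
 {"appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Expense App",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library", "value": "Family: MSAL Library: MSAL.NET 4.0.0 Platform: .NET"}]},
 {"appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Browser SSO",
  "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}]},
 {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Legacy HR Portal",
  "authenticationProcessingDetails": [
   {"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.JS 1.0.0 Platform: JS"}]}
]}""")

def parse_library(value):
    """Return {'family','library','platform'} or {} when the value is absent or malformed."""
    m = LIB_RE.match(value or "")
    return m.groupdict() if m else {}

def library_usage(signins):
    """Map appId -> {'name': display name, 'families': Counter of library families}."""
    usage = {}
    for s in signins:
        details = {d.get("key"): d.get("value") for d in s.get("authenticationProcessingDetails") or []}
        family = parse_library(details.get(LIB_KEY)).get("family") or "unknown"
        entry = usage.setdefault(s.get("appId"), {"name": s.get("appDisplayName"), "families": Counter()})
        entry["families"][family.upper()] += 1
    return usage

def adal_apps(usage):
    """appIds that still produced at least one ADAL sign-in, sorted for stable output."""
    return sorted(app for app, u in usage.items() if u["families"].get("ADAL"))

if __name__ == "__main__":
    for app_id in adal_apps(library_usage(SAMPLE["value"])):
        print(app_id)
```

Sign-ins that carry no library entry are counted as UNKNOWN rather than dropped, so an app that is only partly migrated, or that reports nothing, stays visible in the tally.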
Deprecation - Automatically capture sign-in fields for an app in Microsoft Entra admin center.
Type: Deprecated
Service category: My Apps
Product capability: Platform
The “Automatically capture sign-in fields for an app” option in the Microsoft Entra admin center is retired. Existing apps already configured with this feature continue to work, but the option is no longer available for new configurations. Going forward, admins should use the “Capture sign-in fields for an app” option. This requires the MyApps Secure Sign-In Extension, available for Microsoft Edge and Chrome.
For more information, see: Capture sign-in fields for an app
To learn about our passwordless strategy, see: Passwordless is here and at scale.
Public Preview - Global Secure Access Internet profile support for iOS client
Type: New feature
Service category: Internet Access
Product capability: Network Access
We're excited to announce Internet Access support in the iOS app. This feature protects access to internet and SaaS apps with an identity-based Secure Web Gateway (SWG), blocking threats, unsafe content, and malicious traffic from iPhones and iPads.
The Global Secure Access client on mobile platforms requires no new agent installation or deployment for secure access to resources. It uses the existing MDE (Microsoft Defender for Endpoint) to route traffic through Microsoft SSE for Microsoft 365, internet access, and private access.
For more information, see: Global Secure Access client for iOS (Preview).
Public Preview - Basic HTML support in Lifecycle Workflow custom email notifications
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Now customers can further customize their Lifecycle workflows email notifications to personalize, or emphasize, specific information using basic HTML elements. Email notifications can now be customized to include sending links using HTML hyperlinks and basic text formatting like bold, italics, and underline. For more information, see: Customize emails sent from workflow tasks.