February 2026
General Availability - Expanded attribute support in Lifecycle Workflows attribute changes trigger
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:
- Custom security attributes
- Directory extension attributes
- EmployeeOrgData attributes
- On-premises attributes 1–15
This enhancement gives administrators greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments.
General Availability - Delegated Workflow Management in Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle workflows can now be managed with Administrative Units (AUs), enabling organizations to segment workflows and delegate administration to specific admins. This enhancement ensures that only authorized admins can view, configure, and execute workflows relevant to their scope. Customers are able to associate workflows with AUs, assign scoped permissions to delegated admins, and ensure that workflows only impact users within their defined scope.
General Availability - Device authorization grant flow in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Similar to Microsoft Entra ID (workforce tenants), Microsoft Entra External ID (external tenants) now supports the device authorization grant flow, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer.
General Availability - Sign-in with username/alias
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
In Microsoft Entra External ID (EEID), users who authenticate with a local email and password can now also sign in using a username (alias) as an alternate sign-in identifier. This alias can represent a customer or member ID, insurance number, frequent flyer number, or a self-chosen username. The alias can be collected from the user or assigned during self-service sign-up, or assigned during user creation or user update via the Microsoft Graph API or Microsoft Entra admin center.
Upcoming change – Microsoft Entra Connect security update to block hard match for privileged roles
Type: Plan for change
Service category: Entra Connect
Product capability: Entra Connect
What is Hard-matching in Microsoft Entra Connect Sync and Cloud Sync?
When Microsoft Entra Connect or Cloud Sync adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with a Microsoft Entra object by looking up the incoming object’s sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect or Cloud Sync takes over the source of authority (SoA) of that object and updates it with the properties of the incoming Active Directory object in what is known as a "hard-match."
To strengthen the security posture of your Microsoft Entra ID environment, we're introducing a change that restricts certain types of hard-match operations by default.
What’s changing
Beginning June 1, 2026, Microsoft Entra ID will block any attempt by Microsoft Entra Connect Sync or Cloud Sync to hard-match a new user object from Active Directory to an existing cloud-managed Microsoft Entra ID user object that holds privileged roles.
This means:
- If a cloud managed user already has onPremisesImmutableId (sourceAnchor) set and is assigned a privileged role, Microsoft Entra Connect Sync or Cloud Sync will no longer be able to take over the Source of Authority of that user by hard-matching with an incoming user object from Active Directory.
- This safeguard prevents attackers from taking over privileged cloud managed users in Microsoft Entra by manipulating attributes of user objects in Active Directory.
What’s not changing
- Hard match operations for non-privileged accounts aren't affected.
- Soft match behavior isn't affected.
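The hard-match decision described above, modeled as an added Python example (not Microsoft's code and not part of the original release notes). The user records, the `block_privileged` switch, and the contents of `PRIVILEGED_ROLES` are assumptions; the page does not list which roles count as privileged.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: illustrative only; the page does not enumerate privileged roles.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

@dataclass
class CloudUser:
    upn: str
    immutable_id: Optional[str]   # onPremisesImmutableId (None if never set)
    synced: bool                  # True = already sourced from AD, False = cloud managed
    roles: set = field(default_factory=set)

def hard_match(source_anchor, users, block_privileged=True):
    """Decide what happens to an incoming AD object with this sourceAnchor.

    block_privileged=True models the default from June 1, 2026;
    False models the earlier behaviour (hypothetical switch for comparison).
    """
    for u in users:
        # Hard match: sourceAnchor equals onPremisesImmutableId of a cloud-managed object.
        if not u.synced and u.immutable_id == source_anchor:
            if block_privileged and u.roles & PRIVILEGED_ROLES:
                return "blocked", u.upn       # SoA stays in the cloud
            return "takeover", u.upn          # AD becomes source of authority
    return "no-hard-match", None              # soft match / create is out of scope here

def protected_accounts(users):
    """Cloud-managed privileged users with an immutable ID set: what the block protects."""
    return [u.upn for u in users
            if not u.synced and u.immutable_id and u.roles & PRIVILEGED_ROLES]

# Constructed sample tenant (all values invented for the example).
USERS = [
    CloudUser("admin@contoso.example", "anchor-A", False, {"Global Administrator"}),
    CloudUser("alice@contoso.example", "anchor-B", False, {"Reports Reader"}),
    CloudUser("breakglass@contoso.example", None, False, {"Global Administrator"}),
    CloudUser("bob@contoso.example", "anchor-C", True, set()),
]

if __name__ == "__main__":
    for anchor in ("anchor-A", "anchor-B", "anchor-X"):
        print(anchor, hard_match(anchor, USERS), hard_match(anchor, USERS, False))
    print("protected:", protected_accounts(USERS))
```

An account with no onPremisesImmutableId (the `breakglass` record) cannot be hard-matched at all, which is why it does not appear in `protected_accounts`.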
General Availability - External Auth Methods is Generally Available
Type: New feature
Service category: MFA
Product capability: User Authentication
We’re excited to announce that External Authentication Methods (EAM) in Microsoft Entra ID has reached General Availability. EAM enables organizations to integrate their preferred third-party MFA solutions seamlessly with Microsoft Entra ID for enhanced security and flexibility. This release includes full registration support and updated documentation to help you get started.
General Availability - Custom banned password lists supported in Microsoft Entra External ID
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
In addition to the global banned password lists already supported, EEID admins can now add specific strings to block during password creation and reset.
Upcoming Changes - Jailbreak Detection in Authenticator App
Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection
Starting February 2026, Microsoft Authenticator will introduce jailbreak/root detection for Microsoft Entra credentials in the Android app. The rollout progresses from warning mode → blocking mode → wipe mode. Users must move to compliant devices to continue using Microsoft Entra accounts in Authenticator.
Public Preview - BYOD support for Windows client using Microsoft Entra registration
Type: New feature
Service category: BYOD support
Product capability: Network Access
Bring Your Own Device (BYOD) support for Windows using Microsoft Entra‑registered devices is now available in public preview. Users and partners can access corporate resources from their own devices. Admins can assign the Private Application traffic profile to internal accounts, including internal guest users.
General Availability - Custom Block pages
Type: New feature
Service category: Internet Access
Product capability: Network Access
When you configure policies blocking your users from accessing risky, NSFW, or unsanctioned sites or apps in GSA, they receive a clear HTML error message with Microsoft Entra Internet Access branding. We’ve heard from many admins that they’d like to start customizing that experience with text aligned to a company style guide, callouts to company Terms of Use documentation, hyperlinks to IT workflows, and more.
Global Secure Access now offers customized block pages for Internet Access. In the Microsoft Graph API, Admins can now:
- Configure the tenant-wide body text of the GSA block page.
- Add hyperlinks via limited markdown to reference Terms of Use, ServiceNow/IT ticketing services, or even MyAccess for ID Governance workflow integration.
General Availability - Microsoft Entra Connect Sync now supports Windows Server 2025
Type: New feature
Service category: Entra Connect
Product capability: Entra Connect
Microsoft Entra Connect Sync now officially supports Windows Server 2025. This means you can confidently install and run Microsoft Entra Connect Sync on servers running Windows Server 2025, enabling your hybrid identity environment to take full advantage of the latest Windows Server enhancements.
What this means for you: With this update, organizations can upgrade their identity synchronization servers to Windows Server 2025 without hesitation. Windows Server 2025 brings advanced features that improve security, performance, and flexibility, and our engineering team has thoroughly validated Microsoft Entra Connect Sync on this platform. Many customers have been eager to adopt Windows Server 2025 to leverage its enhanced security, better performance, and improved management capabilities. Now, with official support in place, you can benefit from these improvements while maintaining a reliable, fully supported hybrid identity solution.
The Microsoft Entra Connect Sync .msi installation file is exclusively available on Microsoft Entra admin center under Microsoft Entra Connect. Check our version history page for more details on available versions.
Consider moving to Cloud Sync: Microsoft Entra Cloud Sync is a sync client that works from the cloud and allows customers to set up and manage their sync preferences online. We recommend that you use Cloud Sync because we're introducing new features that improve the sync experiences through Cloud Sync. You can avoid future migrations by choosing Cloud Sync if that's the right option for you.
Public Preview - New end user homepage in My Account
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
The homepage at https://myaccount.microsoft.com has been updated to provide a more task-focused experience. Users will see pending actions like renewing expiring groups, approving access package requests, and setting up MFA directly on the homepage. Quick links to apps, groups, access packages, and sign-in details will be easier to find and use. This change is designed to streamline account management and help users stay on top of access and security tasks.
General Availability - Microsoft Entra Provisioning Service available in Microsoft Azure operated by 21Vianet
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications
The Microsoft Entra provisioning service can be used in the 21Vianet / China cloud for the following scenarios: API-driven provisioning, Cloud Sync, Cross-tenant sync between China tenants, SCIM provisioning for the non-gallery / custom application, and on-premises app provisioning (ECMA). Specific gallery connectors such as Workday, SuccessFactors, and AWS aren't onboarded to the environment.
General Availability - Revoke previously approved access package assignments in My Access
Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance
By the end of March, Microsoft Entra ID Governance approvers can revoke access to an access package after an approval has already been granted. This gives approvers greater control to respond to changes, mistakes, or updated business needs. With this update, an approver can undo a prior approval decision, immediately removing the requestor’s access to the access package. Only the approver who originally approved the request can revoke it, even if multiple approvers belong to the same approver group.

