July 2, 2025
Microsoft has introduced Microsoft Entra Agent ID, a new capability that brings identity and access management to AI agents, enabling organizations to govern how these agents interact with data, systems, and users. Agent ID provides each AI agent with a unique identifier and a consistent identity that can be used across tools and environments, supporting core identity functions such as authentication, authorization, and lifecycle management. By extending Entra’s identity protections to AI agents, organizations can apply Conditional Access policies, enforce least privilege access, and monitor agent activity—just as they would with human users. This ensures safer deployment of AI while maintaining visibility and control. Click here to learn more.
And, today, we’re sharing security improvements and innovations across Microsoft Entra from April 2025 to June 2025, organized by product for easier navigation.
Microsoft Entra ID
New releases
Change announcements
Security improvements
Upcoming changes to support passkey profiles in the authentication methods policy (preview)
[Action may be required]
What is changing?
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes. After this rollout, you’ll be able to apply different passkey configurations per user group. For example, you will be able to:
- Allow the use of specific FIDO2 security key models for user group A
- Allow the use of passkeys in Microsoft Authenticator for user group B
If your organization modifies the passkey policy via the Microsoft Azure portal or Microsoft Entra admin center during preview, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability.
As part of this update in November 2025, we will start accepting any WebAuthn-compliant security key or passkey provider when “Enforce attestation” is disabled. This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, see Microsoft Entra ID attestation for FIDO2 security key vendors.
Migrate Sign-in risk policy and User risk policy from Entra ID Protection to Conditional Access
[Action may be required]
What is changing?
As announced in October 2023, if you currently have User Risk Policy or Sign-in Risk Policy enabled in Entra ID Protection (formerly Identity Protection), please migrate them to Conditional Access to take advantage of enhanced capabilities. You can follow these steps to complete the migration and explore the benefits.
Please note the following key dates:
- Starting July 31, 2025: The User Risk Policy and Sign-in Risk Policy pages in Entra ID Protection will become read-only. You will no longer be able to create or modify these policies in Entra ID Protection. Migrate them to Conditional Access and manage them there.
- By October 1, 2026: The user interface for these two risk policies in Entra ID Protection will be retired.
Start migrating today and learn more about risk-based policies at Azure AD Identity Protection risk-based access policies – Microsoft Entra | Microsoft Learn.
Improved Backup and Restore Experience for the Authenticator App on iOS
[No action is required]
What is changing?
Starting September 2025, users will be able to securely back up account names for all accounts in the Authenticator app—including work or school accounts, Microsoft personal accounts, and non-Microsoft accounts such as Amazon or Google—using iCloud and iCloud Keychain.
With this update:
- The existing in-app backup feature that requires a Microsoft personal account will be removed.
- Users can enable backup through iCloud and iCloud Keychain to securely store account names and third-party TOTP (Time-based One-Time Password) credentials with end-to-end encryption. No other credentials will be included in the backup. If preferred, users can disable backup for the Authenticator app through their iCloud device settings at any time.
- Users who already have iCloud and iCloud Keychain backup enabled for the Authenticator app will automatically benefit from this improved experience.
When users set up a new iOS device, their account names will automatically appear in the Authenticator app, and they can sign in to each account to complete setup—without needing a Microsoft account. This change simplifies the backup and restore process, eliminates the dependency on Microsoft personal accounts, and offers a more seamless experience when switching devices.
Note: This update applies to iOS devices only. Android support will follow. We will start private preview for this iOS feature in August 2025, followed by GA in Sep 2025.
Learn more about the changes to backup and restore in Authenticator app.
Identity modernization
Azure AD Graph retirement
[Action may be required]
What is changing?
Retirement of the Azure AD Graph API service began in September 2024, and the first phase of this retirement is now complete. Any applications still using Azure AD Graph APIs have now been configured for an extension. Over the coming months, additional activity is planned as we incrementally retire this service. Some key dates to note are:
- Applications that were configured for extended access that still depend on Azure AD Graph APIs will not be able to continue using these APIs starting in early September 2025.
- You should expect one to two temporary outage tests of 8-24hrs in duration between late July and early September 2025.
- If you have not already, it is now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access and migrate these to Microsoft Graph before September 2025. Over the coming months, we will provide additional and more specific timelines for your tenant through additional notices. Please be sure to check M365 Message Center periodically as we will provide regular updates and more specific timelines. You can also learn more at https://aka.ms/AzureADGraphRetirement.
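One way to carry out the review described above, as an added example that is not Microsoft's tooling: it scans an export of app registrations for permissions declared against the Azure AD Graph resource (`00000002-0000-0000-c000-000000000000`). The sample data, app names and permission GUIDs are constructed; the field names follow the Microsoft Graph `application` resource.

```python
import json

AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (retiring)
MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Constructed sample, shaped like the "value" array returned by
# GET /applications?$select=displayName,appId,requiredResourceAccess
SAMPLE_APPS = json.loads("""
[
 {"displayName": "hr-sync (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
  "requiredResourceAccess": [
   {"resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
                       {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}]},
 {"displayName": "portal (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
  "requiredResourceAccess": [
   {"resourceAppId": "00000002-0000-0000-C000-000000000000",
    "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]},
   {"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"}]}]},
 {"displayName": "reports (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
  "requiredResourceAccess": [
   {"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "33333333-3333-3333-3333-333333333333", "type": "Role"}]}]},
 {"displayName": "empty (constructed)", "appId": "aaaaaaaa-0000-0000-0000-000000000004",
  "requiredResourceAccess": null}
]
""")


def find_aad_graph_dependencies(apps):
    """Return one finding per app registration that still declares Azure AD Graph permissions."""
    findings = []
    for app in apps:
        delegated, app_only, uses_ms_graph = [], [], False
        for resource in app.get("requiredResourceAccess") or []:
            resource_id = (resource.get("resourceAppId") or "").lower()
            uses_ms_graph |= resource_id == MS_GRAPH
            if resource_id != AAD_GRAPH:
                continue
            for perm in resource.get("resourceAccess") or []:
                # "Role" = application permission, "Scope" = delegated permission
                (app_only if perm.get("type") == "Role" else delegated).append(perm.get("id"))
        if delegated or app_only:
            findings.append({"app": app["displayName"], "appId": app["appId"],
                             "application_perms": app_only, "delegated_perms": delegated,
                             "already_requests_ms_graph": uses_ms_graph})
    # Application permissions run without a user, so list those apps first.
    return sorted(findings, key=lambda f: -len(f["application_perms"]))
```

Declared permissions only cover app registrations owned by your tenant; apps registered elsewhere that are consented in your tenant need a separate look at their service principals and grants.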
AzureAD PowerShell retirement
[Action may be required]
What is changing?
The AzureAD and AzureAD-Preview PowerShell modules were deprecated in March 2024 and will start retirement in October 2025. You must take action to avoid impact from this retirement by migrating any use of AzureAD PowerShell to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell.
- The AzureAD and AzureAD-Preview PowerShell modules will be retired (and stop working) starting in mid-October 2025.
- You can expect one or more temporary outage tests of 8-24hrs in duration in the month of September 2025.
Please be sure to check M365 Message Center periodically as we will provide regular updates and more specific timelines. You can also learn more at https://aka.ms/AzureADPowerShellRetirement.
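To find where the retiring modules are still used, the following added example (not part of the original post) scans PowerShell script text for AzureAD module imports and cmdlets carrying the `AzureAD` noun prefix. The sample script is constructed, and the comment handling is deliberately simple: it does not parse `#` inside string literals.

```python
import re

# Cmdlets from the AzureAD / AzureAD-Preview modules carry the "AzureAD" noun
# prefix (Connect-AzureAD, Get-AzureADUser). Az module cmdlets such as
# Get-AzADUser do not match and are not part of this retirement.
CMDLET_RE = re.compile(r"(?<![\w-])[A-Za-z]+-AzureAD\w*", re.I)
MODULE_RE = re.compile(
    r"^\s*(?:Import-Module|#Requires\s+-Modules?)\s.*?\bAzureAD(?:-?Preview)?\b", re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)

# Constructed sample script.
SAMPLE_SCRIPT = """#Requires -Modules AzureADPreview
<#
  Legacy note: Get-AzureADUser was used here in 2019
#>
Import-Module Az.Accounts
Connect-AzureAD -TenantId $tenant
$users = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled }
Get-AzADUser -First 5          # Az module, unaffected
# Remove-AzureADUser is commented out
Get-MgUser -All
"""


def scan_script(text):
    """Return (line_number, kind, match) for each AzureAD module reference in a script."""
    # Blank out block comments but keep their newlines so line numbers stay correct.
    text = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if MODULE_RE.search(line):
            hits.append((number, "module", line.strip()))
            continue
        code = line.split("#", 1)[0]  # drop a trailing line comment (naive)
        for cmdlet in CMDLET_RE.findall(code):
            hits.append((number, "cmdlet", cmdlet))
    return hits


def affected_cmdlets(hits):
    """Unique cmdlet names to map to Microsoft Graph PowerShell or Entra PowerShell."""
    return sorted({match for _, kind, match in hits if kind == "cmdlet"})


if __name__ == "__main__":
    for hit in scan_script(SAMPLE_SCRIPT):
        print(hit)
```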
Change in guest authentication experience for B2B Collaboration in Microsoft Entra ID
[Action may be required]
What is changing?
Starting in July 2025, we will begin rolling out an update to the authentication experience for guest users signing in to your tenant through Microsoft Entra ID B2B collaboration. The rollout will continue across tenants through the end of 2025. With the updated experience, guest users will begin signing in on your branded sign-in screen. After entering their email and clicking “Next,” they will be redirected to their home organization’s sign-in page to enter their credentials. This ensures they see the branding and URL endpoint of their home tenant, making it clearer whose credentials to use. After successful authentication, they will be redirected back to your organization to complete the sign-in process. This change enhances usability and reduces user confusion during cross-tenant sign-in.
What you need to do to prepare:
No administrative action is required prior to this rollout. We recommend you review your current B2B collaboration configuration to understand the potential impact and update any relevant documentation to guide users.
Deprecation of Automatically capture sign-in fields for an app for Password-Based SSO in Microsoft Entra ID
[Action may be required]
What is changing?
As part of our ongoing commitment to modern, secure authentication experiences, we’re retiring the “Automatically capture sign-in fields for an app” feature used in Password-Based SSO setup for non-gallery apps in Microsoft Entra ID. Starting July 1, 2025, and completing by August 30, 2025, “Automatically capture sign-in fields for an app” will be removed from the Admin Portal experience. Moving forward, customers should use the “Manually capture sign-in fields for an app” method with the MyApps Secure Sign-In Extension for configuring new Password SSO applications.
What stays the same?
Existing apps configured using Automatically capture sign-in fields for an app will continue to function. This change only affects new Password SSO app configurations.
What you need to do:
- Use the “Manually capture sign-in fields for an app” option in the Admin Portal
- Install the MyApps Secure Sign-In Extension (Edge/Chrome) to capture login fields
- Update any admin guidance and notify your teams
- Consider transitioning to passwordless or federated authentication methods for long-term scalability and security
Learn More
- Manual Capture Guide: Manually Capture sign-in fields for an app Guide
- Passwordless Authentication Overview: Microsoft Entra passwordless sign-in
If you have questions or need help transitioning, contact your Microsoft account team or submit a support request.
Sign in with Apple and Google Support for Consumers in Teams Web
[No action is required]
What is changing?
A new sign-in experience will be introduced to Teams Web, providing consumers with the ability to sign in using Apple and Google credentials. This feature targets consumer users who utilize Microsoft accounts. The rollout of the private preview experience will commence with a limited number of Teams Web users in mid-August 2025, with plans to extend this capability to other Microsoft applications later in 2025 and beyond.
Who will this affect?
This new sign-in option will be accessible to a limited group of users who sign in through Teams on the web (at teams.microsoft.com or teams.com) and are redirected to https://login.microsoftonline.com/common. Users accessing login.microsoftonline.com via a custom URL will not see this feature. Additionally, these options will not appear for tenants employing a tenant hint.
User Interface Change to Sign-in Experience
Upon signing into Teams Web, certain users will observe two new options at the bottom of the sign-in screen: “Continue with Apple” and “Continue with Google.” Selecting either option will permit users to sign in or register for a personal Microsoft account using their Apple or Google credentials. Some users opting for these choices will encounter a screen prompting them to confirm whether they are utilizing a personal or work/school account.
No action is required from you. You may continue to sign in as usual by entering your email or username at the top of the sign-in screen, or by selecting “Sign-in options” to log into a specific organization.
Microsoft Entra ID Protection
New releases
Change announcements
Upcoming Retirement of Conditional Access Overview Monitoring Tab
[Action may be required]
What is changing?
The Conditional Access Overview Monitoring Tab in the Entra Admin Center will be retired between July 18th and August 1st. After this period, admins will no longer have access to it. This decision reflects our commitment to improving reporting capabilities. We encourage customers to transition to Conditional Access Per-Policy Reporting and the Insights and Reporting Dashboard—both of which are more reliable, offer greater accuracy, and have received significantly better feedback from customers.
What you need to do to prepare:
Please notify your users, update any internal documentation, and begin using the recommended reporting tools.
Learn more:
- https://learn.microsoft.com/en-us/entra/id/conditional-access/howto-conditional-access-policy-report
- https://learn.microsoft.com/en-us/entra/id/conditional-access/reports-insights
Microsoft Entra ID Governance
New releases
- Application Based Authentication on Microsoft Entra Connect Sync
- Manage Lifecycle Workflows with Microsoft Security CoPilot in Entra
Change announcements
Access Reviews – Data Retention Policy Update
[Action may be required]
What is changing?
Starting September 2025, Microsoft Entra ID Access Reviews will retain review history for only the past year. Data older than one year will not be stored or retrievable via Microsoft Graph APIs or any other method.
What you need to do to prepare:
Organizations needing longer retention should export and archive review data proactively. You can use solutions like Azure Data Explorer (ADX), with sample scripts and queries provided by Microsoft: Custom entitlement report with ADX and Entra ID.
Upcoming change in Microsoft Entra Entitlement
[Action may be required]
What is changing?
Starting September 30, 2025, access packages configured for “Specific users and groups” will be visible to all members (excluding guests) in the My Access portal. If you do not want these access packages visible to all members, you must hide the access package by this date.
Coinciding with this change, we are also introducing a new tenant-wide setting that allows you to control the end-user visibility of the resource roles (e.g., group and app names) contained within access packages. We will begin rolling out late September 2025 and expect to complete by mid October 2025.
Access packages that are scoped to “Specific users and groups” will be visible to all members (excluding guests) in the My Access portal. This means that some members may be able to see access packages that they cannot request.
What you need to do to prepare:
If you do not want these access packages visible to all members, you must hide them by September 30, 2025. For detailed instructions on how to review your access packages and update these settings, please see the Learn article.
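A sketch of that review, added here and not taken from the Learn article: it lists access packages that are not hidden and have a policy scoped to specific users, then builds the update requests that would hide them without sending anything. The sample data is constructed, and treating the portal option “Specific users and groups” as `allowedTargetScope` = `specificDirectoryUsers` is an assumption to confirm in your tenant.

```python
import json

# Assumed mapping for the portal option "Specific users and groups".
SPECIFIC_USERS = "specificDirectoryUsers"

# Constructed sample: access packages joined with their assignment policies,
# using the Microsoft Graph property names isHidden and allowedTargetScope.
SAMPLE_PACKAGES = json.loads("""
[
 {"id": "pkg-0001", "displayName": "Finance readers (constructed)", "isHidden": false,
  "assignmentPolicies": [{"displayName": "Named approvers",
                          "allowedTargetScope": "specificDirectoryUsers"}]},
 {"id": "pkg-0002", "displayName": "Break-glass tooling (constructed)", "isHidden": true,
  "assignmentPolicies": [{"displayName": "SecOps only",
                          "allowedTargetScope": "specificDirectoryUsers"}]},
 {"id": "pkg-0003", "displayName": "Intranet (constructed)", "isHidden": false,
  "assignmentPolicies": [{"displayName": "Everyone",
                          "allowedTargetScope": "allMemberUsers"}]},
 {"id": "pkg-0004", "displayName": "Admin assigned (constructed)", "isHidden": false,
  "assignmentPolicies": [{"displayName": "Direct", "allowedTargetScope": "notSpecified"}]}
]
""")


def packages_becoming_visible(packages):
    """Packages that are not hidden and have a policy scoped to specific users."""
    review = []
    for pkg in packages:
        if pkg.get("isHidden"):
            continue  # already hidden, unaffected by the change
        scoped = [p["displayName"] for p in pkg.get("assignmentPolicies") or []
                  if p.get("allowedTargetScope") == SPECIFIC_USERS]
        if scoped:
            review.append({"id": pkg["id"], "name": pkg["displayName"], "policies": scoped})
    return review


def hide_requests(review):
    """Build (method, path, body) tuples that would hide each package; nothing is sent."""
    base = "/identityGovernance/entitlementManagement/accessPackages/"
    return [("PATCH", base + item["id"], {"isHidden": True}) for item in review]


if __name__ == "__main__":
    pending = packages_becoming_visible(SAMPLE_PACKAGES)
    for request in hide_requests(pending):
        print(request)
```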
Microsoft Entra External ID
New releases
- User authentication with SAML/WS-Fed Identity Providers
- Pre/Post Attribute Collection Custom Extensions support
Microsoft Entra Domain Services
New releases
Best Regards,
Shobhit Sahay