Entra ID

Microsoft Entra March 2026: Key Identity Updates

3 min read

Summary

Microsoft Entra’s Q1 2026 roundup introduces passkey enhancements, new governance APIs, External MFA general availability, and broader Conditional Access enforcement. The updates matter for IT teams because several changes require policy reviews, sync planning, and helpdesk preparation before enforcement deadlines in May and June 2026.

Need help with Entra ID?Talk to an Expert

Introduction

Microsoft Entra’s March 2026 roundup brings a broad set of identity, governance, and access updates across Entra ID, ID Governance, External ID, Agent ID, and Global Secure Access. For IT administrators, the biggest takeaway is that several security-related changes have rollout dates in Q2 2026 and may require policy reviews before they affect users.

What’s new in Microsoft Entra

Microsoft Entra ID

Key new releases include:

  • Synced passkeys in Microsoft Entra ID
  • Passkey profiles for better passkey management
  • Microsoft Single Sign-On for Linux with phish-resistant MFA credential support
  • Improved readability for Authentication Methods Policy update audit logs
  • External MFA is now generally available
  • Service principal creation audit logs for alerting and monitoring
  • Better enforcement for All resources policies with resource exclusions

Conditional Access change for registration flows

Starting May 25, 2026, and completing by June 3, 2026, Conditional Access policies scoped to Register security information will also apply to:

  • Windows Hello for Business setup
  • macOS Platform SSO credential registration

This can introduce new prompts during device setup. Microsoft notes that Windows Hello for Business uses the Device Registration Client, which is classified as Other clients in Conditional Access. If your policy blocks Other clients, provisioning may fail.

Authenticator jailbreak detection

Microsoft Authenticator on Android now introduces jailbreak/root detection for Entra credentials, moving through warning, blocking, and wipe modes. Users on compromised devices will need to move to compliant devices.

Agent 365 consolidation

The Agent registry and Agent collections blades in Entra admin center will retire on May 1, 2026. Agent inventory remains available in the All agents view in the Microsoft 365 admin center. A new Agent 365-powered API will replace the current registry Graph API, and existing registered agents will eventually need re-registration.

ID Governance and sync updates

Notable additions include:

  • SCIM 2.0 APIs
  • Tenant configuration management APIs
  • Expanded Lifecycle Workflows capabilities
  • Windows Server 2025 support for Entra Connect Sync
  • Ability to convert synced on-premises AD users to cloud users

A major security change arrives June 1, 2026: Entra ID will block hard match attempts for new AD users targeting existing cloud-managed users with Entra roles. This helps prevent takeover of privileged accounts.

Impact on IT administrators

Admins should expect more scrutiny on Conditional Access design, identity sync processes, and mobile device trust. Helpdesk teams may also see increased calls when users encounter new prompts during device registration or Authenticator restrictions.

Next steps

  • Review Conditional Access policies targeting Register security information
  • Check for policies blocking Other clients and test in report-only mode
  • Update helpdesk guidance for Windows Hello for Business and macOS Platform SSO prompts
  • Prepare for Agent 365 management changes and API transition
  • Review Entra Connect and Cloud Sync processes before the June 1, 2026 hard match restriction

Need help with Entra ID?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Microsoft EntraConditional AccesspasskeysEntra ID GovernanceAgent 365

Related Posts

Entra ID

Microsoft Entra Agent ID Adds AI Agent Governance

Microsoft has announced general availability of agent identity governance capabilities in Microsoft Entra as part of Microsoft Agent 365. The update helps organizations govern AI agents with dedicated identities, named sponsors, access packages, and lifecycle workflows to reduce overprivileged access and improve accountability.

Entra ID

Microsoft Purview and Entra Add Real-Time AI DLP

Microsoft has announced a public preview that extends data protection to the network layer using Microsoft Purview and Microsoft Entra. The integration helps organizations detect and block sensitive data moving to unmanaged SaaS, personal cloud storage, and generative AI apps in real time, reducing data leakage risk before exposure occurs.

Entra ID

Entra PIM Custom Extensions Preview for Role Activation

Microsoft has introduced preview support for custom extensions in Microsoft Entra Privileged Identity Management, allowing organizations to call a REST API during role activation to enforce business-specific rules. This helps IT teams automate checks such as ticket validation, HR status, compliance gates, and on-call logic while improving auditability and reducing manual approval gaps.

Entra ID

Microsoft Entra Backup and Recovery GA Now Available

Microsoft Entra Backup and Recovery is now generally available for customers with Entra ID P1 or P2, bringing built-in recovery for critical identity objects across workforce tenants. The release extends retention from 5 to 7 days and adds more flexibility for snapshots, difference reports, and recovery jobs, helping IT teams respond faster to accidental or malicious changes.

Entra ID

Microsoft Entra AI Security Webinar Series Announced

Microsoft has launched a three-part Microsoft Entra and Purview webinar series focused on securing AI at scale. The sessions cover identity, access, data protection, browser and network controls, and governance for AI agents, giving IT teams practical guidance for safer AI adoption.

Entra ID

Azure AD B2C Migration Tools Now Available

Microsoft has released generally available migration tools and guidance to help Azure AD B2C customers move to Microsoft Entra External ID. With Azure AD B2C no longer receiving new features, these new options give IT teams a clearer path to modernize customer identity while reducing migration risk.