Microsoft Entra March 2026: Key Identity Updates
Summary
Microsoft Entra’s Q1 2026 roundup introduces passkey enhancements, new governance APIs, External MFA general availability, and broader Conditional Access enforcement. The updates matter for IT teams because several changes require policy reviews, sync planning, and helpdesk preparation before enforcement deadlines in May and June 2026.
Introduction
Microsoft Entra’s March 2026 roundup brings a broad set of identity, governance, and access updates across Entra ID, ID Governance, External ID, Agent ID, and Global Secure Access. For IT administrators, the biggest takeaway is that several security-related changes have rollout dates in Q2 2026 and may require policy reviews before they affect users.
What’s new in Microsoft Entra
Microsoft Entra ID
Key new releases include:
- Synced passkeys in Microsoft Entra ID
- Passkey profiles for better passkey management
- Microsoft Single Sign-On for Linux with phish-resistant MFA credential support
- Improved readability for Authentication Methods Policy update audit logs
- External MFA is now generally available
- Service principal creation audit logs for alerting and monitoring
- Better enforcement for All resources policies with resource exclusions
Conditional Access change for registration flows
Starting May 25, 2026, and completing by June 3, 2026, Conditional Access policies scoped to Register security information will also apply to:
- Windows Hello for Business setup
- macOS Platform SSO credential registration
This can introduce new prompts during device setup. Microsoft notes that Windows Hello for Business uses the Device Registration Client, which is classified as Other clients in Conditional Access. If your policy blocks Other clients, provisioning may fail.
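An added example (not from Microsoft or the original article): a Python check over an exported list of Conditional Access policies that flags policies scoped to Register security information and policies that block Other clients, and marks those still in report-only mode. The sample policies are constructed; field names follow the Microsoft Graph conditionalAccessPolicy resource, and treating an unset or `all` client-app condition as covering Other clients is an assumption of this example.

```python
import json

REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph ID for "Register security information"

# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Require MFA to register security info", "state": "enabled",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "clientAppTypes": ["all"]}, "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Block legacy clients", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]},
                  "clientAppTypes": ["exchangeActiveSync", "other"]}, "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Block registration (pilot)", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                  "clientAppTypes": ["all"]}, "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Old block rule", "state": "disabled",
   "conditions": {"applications": {"includeApplications": ["All"]},
                  "clientAppTypes": ["other"]}, "grantControls": {"builtInControls": ["block"]}}
]
""")

def review_policy(policy):
    """Return the findings that apply to one policy (empty list if none)."""
    if policy.get("state") == "disabled":
        return []  # disabled policies are never evaluated
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    client_types = cond.get("clientAppTypes") or ["all"]  # assumption: unset means all client types
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    findings = []
    if REGISTER_ACTION in (apps.get("includeUserActions") or []):
        findings.append("scoped-to-registration")  # will also cover WHfB / Platform SSO setup
    if "block" in controls and {"other", "all"} & set(client_types):
        findings.append("blocks-other-clients")  # assumption: "all" includes Other clients
    if findings and policy.get("state") == "enabledForReportingButNotEnforced":
        findings.append("report-only")  # logged but not enforced yet
    return findings

def review_export(policies):
    """Map displayName -> findings for every policy that needs attention."""
    return {p["displayName"]: f for p in policies if (f := review_policy(p))}

if __name__ == "__main__":
    for name, findings in review_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(findings)}")
```

The check ignores user, location, and exclusion conditions, so a flagged policy is a candidate for review rather than a confirmed conflict.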
Authenticator jailbreak detection
Microsoft Authenticator on Android now introduces jailbreak/root detection for Entra credentials, moving through warning, blocking, and wipe modes. Users on compromised devices will need to move to compliant devices.
Agent 365 consolidation
The Agent registry and Agent collections blades in Entra admin center will retire on May 1, 2026. Agent inventory remains available in the All agents view in the Microsoft 365 admin center. A new Agent 365-powered API will replace the current registry Graph API, and existing registered agents will eventually need re-registration.
ID Governance and sync updates
Notable additions include:
- SCIM 2.0 APIs
- Tenant configuration management APIs
- Expanded Lifecycle Workflows capabilities
- Windows Server 2025 support for Entra Connect Sync
- Ability to convert synced on-premises AD users to cloud users
A major security change arrives June 1, 2026: Entra ID will block hard match attempts for new AD users targeting existing cloud-managed users with Entra roles. This helps prevent takeover of privileged accounts.
Impact on IT administrators
Admins should expect more scrutiny on Conditional Access design, identity sync processes, and mobile device trust. Helpdesk teams may also see increased calls when users encounter new prompts during device registration or Authenticator restrictions.
Next steps
- Review Conditional Access policies targeting Register security information
- Check for policies blocking Other clients and test in report-only mode
- Update helpdesk guidance for Windows Hello for Business and macOS Platform SSO prompts
- Prepare for Agent 365 management changes and API transition
- Review Entra Connect and Cloud Sync processes before the June 1, 2026 hard match restriction