Entra ID

Microsoft Entra November 2025 Identity Security Updates

3 min read

Summary

Microsoft’s November 2025 Entra updates focus on expanding identity security for AI agents and generative AI apps, including new preview features like Entra Agent ID, Prompt Shield for prompt injection protection, and improved passkey recovery. The release also matters for IT admins because it introduces important security hardening changes—such as stricter sign-in page content security policies and device integrity checks in Microsoft Authenticator—that may require action to avoid disruption.

Need help with Entra ID?Talk to an Expert

Introduction: why this matters

Microsoft Entra’s November 2025 updates reinforce a clear theme: identity security must extend to AI agents, modern authentication, and safer sign-in surfaces. For IT admins, the month brings new previews to govern agents and protect GenAI apps, while also introducing security hardening and lifecycle/API changes that may impact existing workflows.

What’s new (highlights)

AI-era identity & agent governance

  • Microsoft Entra Agent ID (Public Preview): New capabilities to manage, govern, and protect AI agents as part of the Agent 365 control plane.
  • Security Copilot included in Microsoft 365 E5: Expands access to Copilot experiences in Entra and the new Entra agents, making advanced security assistance available to more administrators.
  • Entra Suite Prompt Shield (Public Preview): Helps protect enterprise GenAI applications against prompt injection attacks.
  • Synced passkeys + self-service account recovery (Public Preview): Improves adoption of phishing-resistant auth with broader recovery options across authentication methods.

Microsoft Entra ID: security and admin experience changes

  • Block external script injection during Entra ID sign-in (Action may be required): Entra ID rolled out a stricter Content Security Policy (CSP) on login.microsoftonline.com to prevent unauthorized script execution and reduce XSS risk.
  • Jailbreak/Root detection in Microsoft Authenticator (Action may be required): Starting February 2026, Authenticator will disable and wipe Entra credentials on jailbroken/rooted devices (iOS and Android). No admin configuration is required.
  • Replace “Revoke MFA sessions” with “Revoke sessions” (Action may be required): Starting February 2026, the portal action will invalidate all user sessions (including MFA), aligning behavior across Conditional Access and per-user MFA.

Governance, External ID, and network access updates

Entra ID Governance

  • New capabilities including external user conversion to internal members, SCIM 2.0 SAP CIS connector (with group provisioning), eligible group memberships/ownerships in Entitlement Management, and improvements to Lifecycle Workflows (reprocessing failures, sensitivity label support, triggers for inactive employees/guests).
  • PIM API deprecation (Action may be required): The Iteration 2 (beta) PIM API will stop returning data on October 28, 2026. Migration to Iteration 3 (GA) APIs is recommended.

Entra External ID

  • Regional expansion to Australia and Japan, plus simplified Azure Monitor/Sentinel setup for external tenants and additional fraud/WAF integrations.

Global Secure Access

  • New integrations such as GSA + Netskope ATP/DLP and Internet Access TLS Inspection.

Impact for IT administrators

  • Expect sign-in flow compatibility testing needs due to CSP tightening (especially if extensions or tools inject scripts).
  • Plan for Authenticator behavior changes on compromised devices and potential support tickets when users are blocked.
  • Update operational runbooks for session revocation to avoid misunderstanding the new “Revoke sessions” behavior.
  • Start API modernization efforts if you rely on PIM iteration 2 endpoints.
  1. Test sign-in flows across browsers and managed endpoints; remove/replace any tools that inject scripts into Entra sign-in pages.
  2. Notify end users ahead of February 2026 about Authenticator jailbreak/root detection and required remediation.
  3. Update helpdesk/admin documentation to use Revoke sessions and document its broader impact.
  4. Begin PIM API migration planning now; stop new development on iteration 2 APIs and validate iteration 3 compatibility.
  5. Evaluate previews (Agent ID, Prompt Shield, passkeys recovery) in a controlled pilot to assess governance and security fit.

Need help with Entra ID?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by ShobhitSahay
Microsoft EntraEntra IDConditional AccessAuthenticationIdentity Governance

Related Posts

Entra ID

Microsoft Entra Backup and Recovery Enters Preview

Microsoft has launched Microsoft Entra Backup and Recovery in public preview, giving organizations a Microsoft-managed way to restore critical identity objects and configurations to a known-good state. The service helps IT teams recover faster from accidental admin changes, provisioning errors, and malicious modifications that could otherwise disrupt access and security.

Entra ID

Microsoft Entra External MFA Now Generally Available

Microsoft has announced general availability of external MFA in Microsoft Entra ID, allowing organizations to integrate trusted third-party MFA providers using OpenID Connect. The feature lets IT teams keep Microsoft Entra ID as the central identity control plane while maintaining Conditional Access, risk evaluation, and unified authentication method management.

Entra ID

Microsoft Entra RSAC 2026 Identity Security Updates

At RSAC 2026, Microsoft announced major Microsoft Entra updates aimed at securing not only users and devices but also AI agents, workloads, and modern multi-tenant environments. The new capabilities—such as expanded Entra Agent ID governance, shadow AI detection, prompt injection protection, passkey enhancements, and adaptive risk-based access—matter because they strengthen Zero Trust identity security as organizations adopt AI and face more dynamic access risks.

Entra ID

Microsoft Entra Secure Access Report 2026 on AI Risk

Microsoft’s Entra Secure Access Report 2026 says AI adoption is significantly increasing identity and network access risk, with 97% of organizations reporting an access-related incident in the past year and 70% tying incidents to AI activity. The report argues that fragmented identity and network tools are making the problem worse, which matters because more organizations are now moving toward consolidated access platforms to better secure AI tools, agents, and machine identities.

Entra ID

Microsoft Entra Conditional Access All Resources Update

Microsoft is updating Entra Conditional Access so policies targeting "All resources" will be enforced consistently even when resource exclusions exist, closing a gap where some sign-ins requesting only OIDC or limited directory scopes could bypass policy checks. Beginning March 27, 2026 and rolling out through June 2026, affected tenants may see more users prompted for MFA, device compliance, or other controls—making this important for organizations to review impacted Conditional Access policies and prepare for changes in sign-in behavior.

Entra ID

Microsoft Entra Access Priorities Webinar Series

Microsoft is launching the four-part Microsoft Entra Access Priorities webinar series to help IT teams turn its identity-first security strategy into practical deployment steps, with guidance on phishing-resistant authentication, adaptive access, least privilege, and securing AI-related access. The series matters because it gives organizations concrete tools, demos, and checklists to strengthen Zero Trust and prepare for an emerging Access Fabric model that spans users, apps, devices, and AI agents.