Microsoft Entra November 2025 Identity Security Updates

Summary

Microsoft’s November 2025 Entra updates focus on expanding identity security for AI agents and generative AI apps, including new preview features like Entra Agent ID, Prompt Shield for prompt injection protection, and improved passkey recovery. The release also matters for IT admins because it introduces important security hardening changes—such as stricter sign-in page content security policies and device integrity checks in Microsoft Authenticator—that may require action to avoid disruption.

Introduction: why this matters

Microsoft Entra’s November 2025 updates reinforce a clear theme: identity security must extend to AI agents, modern authentication, and safer sign-in surfaces. For IT admins, the month brings new previews to govern agents and protect GenAI apps, while also introducing security hardening and lifecycle/API changes that may impact existing workflows.

What’s new (highlights)

AI-era identity & agent governance

  • Microsoft Entra Agent ID (Public Preview): New capabilities to manage, govern, and protect AI agents as part of the Agent 365 control plane.
  • Security Copilot included in Microsoft 365 E5: Expands access to Copilot experiences in Entra and the new Entra agents, making advanced security assistance available to more administrators.
  • Entra Suite Prompt Shield (Public Preview): Helps protect enterprise GenAI applications against prompt injection attacks.
  • Synced passkeys + self-service account recovery (Public Preview): Improves adoption of phishing-resistant auth with broader recovery options across authentication methods.

Microsoft Entra ID: security and admin experience changes

  • Block external script injection during Entra ID sign-in (Action may be required): Entra ID rolled out a stricter Content Security Policy (CSP) on login.microsoftonline.com to prevent unauthorized script execution and reduce XSS risk.
  • Jailbreak/Root detection in Microsoft Authenticator (Action may be required): Starting February 2026, Authenticator will disable and wipe Entra credentials on jailbroken/rooted devices (iOS and Android). No admin configuration is required.
  • Replace “Revoke MFA sessions” with “Revoke sessions” (Action may be required): Starting February 2026, the portal action will invalidate all user sessions (including MFA), aligning behavior across Conditional Access and per-user MFA.

Governance, External ID, and network access updates

Entra ID Governance

  • New capabilities include external user conversion to internal members, a SCIM 2.0 SAP CIS connector (with group provisioning), eligible group memberships/ownerships in Entitlement Management, and improvements to Lifecycle Workflows (reprocessing failures, sensitivity label support, triggers for inactive employees/guests).
  • PIM API deprecation (Action may be required): The Iteration 2 (beta) PIM API will stop returning data on October 28, 2026. Migration to Iteration 3 (GA) APIs is recommended.

Entra External ID

  • Regional expansion to Australia and Japan, plus simplified Azure Monitor/Sentinel setup for external tenants and additional fraud/WAF integrations.

Global Secure Access

  • New integrations such as GSA + Netskope ATP/DLP and Internet Access TLS Inspection.

Impact for IT administrators

  • Expect to test sign-in flows for compatibility with the tightened CSP (especially if extensions or tools inject scripts).
  • Plan for Authenticator behavior changes on compromised devices and potential support tickets when users are blocked.
  • Update operational runbooks for session revocation to avoid misunderstanding the new “Revoke sessions” behavior.
  • Start API modernization efforts if you rely on PIM iteration 2 endpoints.

Recommended next steps

  1. Test sign-in flows across browsers and managed endpoints; remove/replace any tools that inject scripts into Entra sign-in pages.
  2. Notify end users ahead of February 2026 about Authenticator jailbreak/root detection and required remediation.
  3. Update helpdesk/admin documentation to use Revoke sessions and document its broader impact.
  4. Begin PIM API migration planning now; stop new development on iteration 2 APIs and validate iteration 3 compatibility.
  5. Evaluate previews (Agent ID, Prompt Shield, passkey recovery) in a controlled pilot to assess governance and security fit.
