Microsoft Announces Updates to Entra IAM

A closer look at Microsoft Entra’s latest identity, access, and security updates rolled out from April to June 2025.

Key Takeaways:

  • Microsoft Entra introduces advanced controls for agent interactions, authentication, and access governance.
  • Key features include passkey profile support, improved app backup, and policy migration guidance.
  • Several legacy tools and APIs are being deprecated, urging organizations to update their configurations.

Microsoft has released a detailed roundup of all the new features and enhancements introduced in Microsoft Entra from April to June 2025. A key highlight is the new Entra Agent ID feature, which allows organizations to better control how agents interact with data, systems, and users.

Security improvements

In November, Microsoft will add support for passkey profiles to the passkey (FIDO2) authentication methods policy in Microsoft Entra ID. Passkey profiles let organizations define different authentication settings for different user groups, giving administrators granular, group-based control over passkey configurations. The release will also introduce new API schema changes.

Microsoft is reminding customers that the User Risk Policy and Sign-in Risk Policy pages in Entra ID Protection will become read-only on July 31. This change will prevent IT admins from creating/modifying these policies in Entra ID Protection. Microsoft recommends migrating them from Entra ID Protection to Conditional Access.

In September, Microsoft plans to improve the backup and restore experience for the Authenticator App on iOS devices. Users can enable backup via iCloud and iCloud Keychain to securely store account names and third-party TOTP (Time-based One-Time Password) credentials. This feature will begin rolling out in private preview to iOS devices in August, with Android support to follow later this year.

Identity modernization

Microsoft has completed the first phase of the deprecation of the Azure AD Graph API service. In September, applications that are configured for extended access won’t be able to use the Azure AD Graph APIs. Microsoft urges organizations to review the applications that depend on Azure AD Graph API access and migrate them to Microsoft Graph before September.

Additionally, Microsoft plans to retire the AzureAD and AzureAD-Preview PowerShell modules in mid-October. Administrators must migrate any scripts, tools, or automations that use AzureAD PowerShell to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell.  
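One way to inventory what the two retirements above affect, as an added example (not code from Microsoft or from this article): it flags references to the Azure AD Graph endpoint `graph.windows.net`, loads of the AzureAD/AzureADPreview modules, and `Verb-AzureAD*` cmdlets. The function names, the file-suffix list and the sample script are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

PATTERNS = {
    # Azure AD Graph REST endpoint (Microsoft Graph uses graph.microsoft.com).
    "azure-ad-graph-endpoint": re.compile(r"graph\.windows\.net", re.I),
    # Explicit load of the AzureAD or AzureADPreview module.
    "azuread-module-load": re.compile(
        r"(?:Import-Module|Install-Module|#Requires\s+-Modules?)\s+.*"
        r"\bAzureAD(?:-?Preview)?\b", re.I),
    # Cmdlets from those modules: Verb-AzureAD<Noun>, e.g. Get-AzureADUser.
    "azuread-cmdlet": re.compile(r"\b[A-Za-z]+-AzureAD\w*", re.I),
}

# Constructed sample script (assumption), not from any real environment.
SAMPLE = '''\
#Requires -Modules AzureAD
# old note: Get-AzureADUser was slow
Import-Module AzureADPreview
Connect-AzureAD -TenantId $tenant
$u = Get-AzureADUser -All $true
$uri = "https://graph.windows.net/$tenant/users?api-version=1.6"
Connect-MgGraph -Scopes "User.Read.All"
'''

def scan_text(name, text):
    """Return (file, line_no, indicator, match) for each legacy reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip().lower()
        # Skip '#' comment lines, but keep PowerShell '#Requires' directives.
        if s.startswith("#") and not s.startswith("#requires"):
            continue
        for label, rx in PATTERNS.items():
            findings += [(name, no, label, m.group(0)) for m in rx.finditer(line)]
    return findings

def scan_tree(root, suffixes=(".ps1", ".psm1", ".json", ".config", ".cs")):
    """Scan files under root; the suffix list is an assumption, adjust it."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            findings += scan_text(str(p), p.read_text(errors="replace"))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.ps1", SAMPLE)
    for name, no, label, match in hits:
        print(f"{name}:{no}: {label}: {match}")
```

Run it with a directory of automation scripts as the only argument; each hit is a line that needs a Microsoft Graph, Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell replacement.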

Later this month, Microsoft will update the guest user sign-in experience for Entra ID B2B collaboration. Guest users will now begin sign-in on their organization’s branded page, then be redirected to their home organization to enter credentials. This change should help to improve clarity and reduce confusion during cross-tenant authentication.

Starting this week, Microsoft will begin retiring the “Automatically capture sign-in fields” feature for Password-Based SSO setup in non-gallery apps. Going forward, admins must use the manual capture method with the MyApps Secure Sign-In Extension for new configurations. However, existing apps using the automatic method will continue to work. It’s recommended to use the “Manually capture sign-in fields for an app” option in the Admin Portal and install the MyApps Secure Sign-In Extension (Microsoft Edge or Chrome) to capture login fields.

Microsoft Teams Web will begin supporting sign-in with Apple and Google accounts for consumer users with Microsoft accounts in mid-August. This feature will appear for a limited group of users on the Teams web sign-in page.

Microsoft Entra ID Protection

Microsoft has announced plans to retire the Conditional Access Overview Monitoring Tab in the Entra Admin Center. This change will begin rolling out on July 18, and it’s expected to be complete by August 1. Microsoft advises customers to transition to Conditional Access Per-Policy Reporting and the Insights and Reporting Dashboard.

Other changes

Microsoft Entra ID Access Reviews will retain review history for only one year starting in September. Organizations that need longer retention should export and archive review data proactively.

Last but not least, Microsoft Entra will make access packages scoped to “Specific users and groups” visible to all members (excluding guests) in the My Access portal on September 30. Customers who don’t want these packages to be visible to everyone must manually hide them before that date. Moreover, a new tenant-wide setting will roll out by mid-October 2025 to let administrators control whether users can see the resource roles (like group and app names) within those packages.