Microsoft Entra boosts passkeys and identity security

Summary
– Phishing-resistant MFA via Microsoft identity broker is now generally available on Linux desktops, supporting Ubuntu 24.04, 26.04, and RHEL 8–10.
– High Scale Compatibility mode lets large Azure AD B2C customers migrate to Microsoft Entra External ID without requiring users to re-register or reset passwords.
– New governance features include synchronizing security groups between tenants, viewing orphaned accounts in connected apps, and automatically transferring agent sponsor assignments.
– Public previews include domain-less SAML federation, sensitivity labels for Entra security groups, device soft delete, and SAP SuccessFactors provisioning with workload identity authentication.
– Policy changes: Conditional Access will apply to Windows Hello and macOS SSO registration starting July 6, 2026, and SSPR will only accept registered authentication methods starting September 7, 2026.
Microsoft has rolled out a significant wave of updates across its Microsoft Entra product family over the past month, strengthening identity security and network access for organizations pursuing a zero trust strategy. These enhancements span general availability, public previews, and upcoming policy changes.
General availability updates focus heavily on authentication and identity management. Phishing-resistant MFA is now supported on Linux desktops via the Microsoft identity broker, covering Ubuntu 24.04 and 26.04, along with RHEL 8, 9, and 10. This brings Linux to parity with Windows and macOS. For large-scale customers, High Scale Compatibility (HSC) mode helps Azure AD B2C tenants with roughly 5 million or more objects migrate to Microsoft Entra External ID without forcing password resets or re-registration. Martin Coetzer, Principal Product Manager at Microsoft, noted that the B2C Policy Analyzer can assess migration readiness, and eligible customers should engage the EEID migration team for guidance.
System-preferred authentication now covers both first- and second-factor methods in the Microsoft Managed state, automatically selecting the highest-ranked option for each user. The My Account portal has also been redesigned with updated Devices, Security Info, and Organizations pages, simplifying device management and security settings. Rollout for this redesign is expected to finish by the end of June 2026.
Registration Campaigns now support passkeys, including FIDO2 credentials, allowing administrators to prompt users to register during sign-in. Users can also register device-bound passkeys through Windows Hello for phishing-resistant sign-in using biometrics or a PIN, without requiring devices to be Microsoft Entra joined or registered. However, interactive Windows console sign-in is not supported.
On the governance side, organizations can now synchronize security groups and memberships between Microsoft Entra tenants, enabling centrally managed groups for access control across multiple tenants. Administrators can view all accounts within connected applications, including orphaned ones, using discovery reports to identify access gaps. This requires Microsoft Entra ID Governance or Microsoft Entra Suite. Agent identity human sponsorship can transfer automatically when a sponsor leaves, with Lifecycle Workflows notifying managers and co-sponsors about upcoming changes. App Deactivation lets admins disable applications without deleting them, blocking new access tokens and sign-ins while preserving configuration and metadata for later reactivation. Coetzer explained that this approach is useful for security investigations, temporary suspension of suspicious apps, or preserving configuration data.
Public preview features include Domain-less SAML federation on workforce tenants, allowing external users to sign in using their identity provider’s credentials without requiring email domain matching. Sensitivity labels for Entra security groups bring Microsoft Purview labels to cloud security groups, enabling consistent governance of group settings like guest access controls. Device Soft Delete adds a recoverable state for deleted devices, reducing accidental removal risk for Entra joined, registered, and hybrid joined devices.
SAP SuccessFactors provisioning now supports workload identity-based authentication, replacing long-lived usernames and passwords with Entra-managed credentials and short-lived tokens. This update applies to inbound provisioning for Active Directory and Entra ID, as well as writeback scenarios, and aligns with SAP’s plan to retire basic authentication for APIs by November 2026. Access packages can now govern Azure role assignments at management group, subscription, and resource group levels, using request, approval, and lifecycle controls for least-privilege, time-bound access. Lifecycle Workflows adds a User Attribute Updates task, automating updates to user attributes through a controlled, auditable process. The Entra Security Operator role expands SOC response actions in Microsoft Defender RBAC, allowing analysts to disable users, revoke sessions, mark accounts compromised, force password resets, and remove authentication methods for non-admin users during incident response.
Policy updates and enforcement changes are on the horizon. Starting July 6, 2026, Conditional Access policies assigned to the “Register security information” action will apply during registration for Windows Hello for Business and macOS Platform SSO, requiring MFA, network restrictions, or device compliance. Full enforcement begins July 13, 2026. Self-Service Password Reset will accept only registered authentication methods starting September 7, 2026, excluding contact details stored on the user object unless registered. This applies to all users, including administrators, in Public cloud, GCC, GCC High, and DoD environments. A registration campaign will prompt users without registered methods to enroll after sign-in starting July 6, 2026, so administrators should ensure users have at least one registered method before enforcement.
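The September 2026 SSPR change turns "does every in-scope user have a registered method?" into a concrete readiness check. The script below is an added example written for this summary, not code from Help Net Security or Microsoft. It assumes the input has the shape of the Microsoft Graph authentication methods registration report (the userRegistrationDetails resource, with fields such as userPrincipalName, isSsprEnabled, isAdmin, and methodsRegistered); the records themselves are constructed sample data, and the methods_required parameter stands in for the number of methods the tenant's SSPR policy demands, which is not stated in the article.

```python
"""Readiness check for the SSPR registered-methods change.

Added example (not from the article). Input mirrors the Graph report
reports/authenticationMethods/userRegistrationDetails; the field names used
below are assumed to match that resource. Sample records are constructed.
"""
import json
from typing import Any

# Constructed sample report: four users, none real. Method names are
# illustrative values of the kind the report returns.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "passKeyDeviceBound"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": False, "isMfaRegistered": False,
     "methodsRegistered": []},          # in scope, nothing registered
    {"userPrincipalName": "carol-admin@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": False, "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},  # one method; short if policy wants two
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False, "isMfaRegistered": False,
     "methodsRegistered": []},          # not covered by SSPR, so not a gap
]})


def load_registration_details(report_json: str) -> list[dict[str, Any]]:
    """Return the records from a Graph-style {"value": [...]} report body."""
    return json.loads(report_json).get("value", [])


def sspr_readiness(report_json: str, methods_required: int = 1) -> dict[str, Any]:
    """List SSPR-enabled users whose registered-method count is below the
    tenant's requirement. Contact details merely stored on the user object
    do not appear in methodsRegistered, so they are correctly not counted.
    Admin gaps are broken out because the change applies to admins too."""
    in_scope = [r for r in load_registration_details(report_json)
                if r.get("isSsprEnabled")]
    gaps = []
    for rec in in_scope:
        registered = rec.get("methodsRegistered") or []
        if len(registered) < methods_required:
            gaps.append({
                "userPrincipalName": rec["userPrincipalName"],
                "isAdmin": bool(rec.get("isAdmin")),
                "registeredCount": len(registered),
            })
    return {
        "inScope": len(in_scope),
        "gaps": gaps,
        "adminGaps": [g["userPrincipalName"] for g in gaps if g["isAdmin"]],
    }


if __name__ == "__main__":
    for required in (1, 2):
        result = sspr_readiness(SAMPLE_REPORT, methods_required=required)
        print(f"policy requires {required} method(s): "
              f"{len(result['gaps'])} of {result['inScope']} in-scope users short")
        for gap in result["gaps"]:
            flag = " [ADMIN]" if gap["isAdmin"] else ""
            print(f"  {gap['userPrincipalName']}: "
                  f"{gap['registeredCount']} registered{flag}")
```

In a real tenant the JSON would come from a GET on https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails with reporting permissions; the resulting gap list is exactly the population the registration campaign described above will start prompting on July 6, 2026, so working it down to zero before then avoids surprise lockouts.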
The passkey (FIDO2) authentication policy now has a dedicated 20 KB allocation within the authentication methods policy, separate from the shared limit. The number of passkey profiles per tenant increases from three to ten. Finally, a new operations guide for Global Secure Access covers post-deployment operations, including alerting, health checks, change management, metrics, and recovery procedures, with separate guidance for Private Access, Internet Access, Remote Networks, and Microsoft Traffic.
(Source: Help Net Security)

