April 2026 was a significant month for Microsoft Entra ID, with eleven features reaching General Availability across three strategic pillars: Certificate-Based Authentication, Global Secure Access, and Identity Governance. This isn’t just a routine update — it’s a coordinated set of releases that signal where Microsoft is taking the identity and security platform over the next 12-18 months.

Here’s what changed, what it means, and what your organization should do about it.


Three Strategic Pillars

These eleven releases cluster around three clear areas of focus:

1. Certificate-Based Authentication — Passwordless Gets Real

Microsoft made three CBA moves in April that collectively transform it from a niche capability into a mainstream authentication strategy:

  • CBA as Third System-Preferred MFA Option on iOS — CBA now ranks third in the system-preferred MFA methods list on iOS, behind biometrics and hardware tokens but ahead of passwords. This means users with CBA certificates get a streamlined, password- and MFA-prompt-free experience.
  • Certificate Authority Scoping — Tenant admins can now restrict specific CAs to defined user groups. This enables fine-grained policy enforcement: for example, clinical staff get certificates from the internal CA while contractors use external issuers.
  • Issuer Hints — Users are prompted to select only certificates that are trusted and valid for their organization, reducing sign-in confusion and certificate selection errors.

Impact: CBA has crossed the maturity threshold for enterprise deployment at scale. If your organization has been piloting or considering CBA, April 2026 removes the last meaningful blockers — better mobile support, CA-level granularity, and improved UX.

2. Global Secure Access — SSE Platform Maturation

Three GSA features reached GA, confirming that Microsoft is serious about competing in the Security Service Edge (SSE) market:

  • GSA iOS Client — Now GA. It uses the existing Microsoft Defender for Endpoint (MDE) installation to route traffic through Microsoft's SSE for Microsoft 365, internet, and private access; no new agent is required.
  • Network Content Filtering by File Types — Monitor and control file transfers to GenAI and SaaS apps, preventing unauthorized data exfiltration at the network level.
  • GSA Cloud Firewall for Remote Networks — 5-tuple filtering (source IP, destination IP, protocol, source port, destination port) for all internet traffic from branch offices via GSA remote networks.
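To make the "5-tuple filtering" in the cloud firewall bullet concrete, here is a small rule evaluator that matches a flow on exactly those five fields, applies rules in order with first match winning, and denies anything unmatched. This is an added illustration, not GSA code or its rule syntax; the branch-office rules, addresses and flows are constructed for the example.

```python
"""Minimal 5-tuple firewall rule evaluator (added illustration, not GSA code).

A flow is matched on source IP, destination IP, protocol, source port and
destination port against an ordered rule list. First match wins; a flow that
matches nothing is denied by an implicit default-deny rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source prefix (CIDR)
    dst: str = "0.0.0.0/0"           # destination prefix (CIDR)
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    sport: PortRange = (0, 65535)    # inclusive source-port range
    dport: PortRange = (0, 65535)    # inclusive destination-port range
    name: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


def _in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every one of the five tuple fields matches the rule."""
    return (
        ip_address(flow.src_ip) in ip_network(rule.src, strict=False)
        and ip_address(flow.dst_ip) in ip_network(rule.dst, strict=False)
        and rule.proto in ("any", flow.proto)
        and _in_range(flow.sport, rule.sport)
        and _in_range(flow.dport, rule.dport)
    )


def evaluate(rules: Iterable[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


# Constructed policy for a branch office on 10.20.0.0/16: outbound HTTPS and
# DNS to the corporate resolver are allowed, outbound RDP is explicitly denied,
# and everything else falls through to the default deny.
BRANCH_RULES = [
    Rule("allow", src="10.20.0.0/16", proto="tcp", dport=(443, 443), name="branch-https-out"),
    Rule("allow", src="10.20.0.0/16", dst="10.0.0.53/32", proto="udp", dport=(53, 53), name="branch-dns"),
    Rule("deny", src="10.20.0.0/16", proto="tcp", dport=(3389, 3389), name="block-rdp-out"),
]

if __name__ == "__main__":
    # Constructed sample flows; addresses are documentation ranges.
    samples = [
        Flow("10.20.5.7", "93.184.216.34", "tcp", 51000, 443),
        Flow("10.20.5.7", "10.0.0.53", "udp", 40000, 53),
        Flow("10.20.5.7", "203.0.113.10", "tcp", 51001, 3389),
        Flow("10.20.5.7", "203.0.113.10", "tcp", 51001, 22),
    ]
    for f in samples:
        print(f, "->", evaluate(BRANCH_RULES, f))
```

The explicit RDP deny is redundant with the default deny; it is there so the flow is attributed to a named rule in logs, which is the usual reason to write such rules in a production firewall as well.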

Impact: GSA is becoming a genuine alternative to standalone SSE solutions like Zscaler and Netskope. The iOS client removes the last major endpoint gap, and the network-layer controls address the GenAI data leakage concern that keeps security teams up at night.

3. Identity Governance — Visibility, Enforcement, and Transparency

Four releases strengthen Microsoft’s identity governance story:

  • My Access Approver Visibility — Requestors can now see approver names and email addresses in the My Access portal, eliminating the “who approved this?” ambiguity in entitlement management workflows.
  • Conditional Access on Every PIM Activation — Enforcing CA policies (like MFA) on PIM role activations is now GA. This closes the gap where the most sensitive access grants could bypass routine authentication requirements.
  • License Usage Page — A new dashboard showing feature usage mapped to license types (P1, P2, Suite), helping organizations understand exactly which features they’re using and whether they’re over-licensed.
  • Configurable Token Lifetime Policies — Customize access token, ID token, and SAML token lifetimes at the application or service principal level.

Impact: These are operational efficiency wins with compliance implications. The PIM + CA enforcement is particularly important — in regulated industries, every privileged access grant should pass through the same authentication controls as any other login.

4. Bonus: Social Identity Providers + Entra External ID

The addition of Google, Facebook, and Apple as social identity providers via Native Authentication SDKs in Entra External ID rounds out the customer-facing identity story. For B2C and B2B customer portals, this eliminates the friction of account creation.


What Organizations Should Do

Immediate Actions (This Month)

  1. Enable My Access Approver Visibility — It’s on by default for members. No action needed for the rollout, but audit your access package configurations if you want to disable it for guest scenarios.
  2. Review CBA Readiness — If you have a PKI and devices that support certificates, start planning a CBA pilot. The CA scoping feature means you can deploy CBA to specific user groups without organization-wide commitment.
  3. Test GSA iOS Client — If you use MDE and have iOS users accessing corporate resources, validate the GSA iOS client in a test group.

Strategic (This Quarter)

  1. Enforce CA on PIM Activations — This is the highest-impact governance change. Configure Conditional Access policies for PIM activation roles — start with Tier 0 (Global Admin) roles and expand.
  2. Evaluate Token Lifetime Policies — Review your current token lifetime defaults against security requirements. Configurable policies let you tighten access tokens for sensitive apps while keeping user experience smooth for low-risk workloads.
  3. Audit License Usage — Use the new License Usage page to identify underutilized Entra ID P2 or Suite licenses and rightsize your tenant.
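The token lifetime bullet in the governance list and the "Evaluate Token Lifetime Policies" action above both come down to creating a tokenLifetimePolicy and attaching it to a specific application or service principal rather than to the whole tenant. The following is an added example, not code from the original post or from Microsoft: it builds the Microsoft Graph v1.0 request bodies for `POST /policies/tokenLifetimePolicies` and for the `$ref` assignment, and validates the lifetime against the 10-minute to 1-day bounds Microsoft documents for the `AccessTokenLifetime` property (which, per those docs, also governs ID and SAML token lifetimes). The display name, object IDs and the 30-minute value are constructed; check the current Graph reference before relying on the bounds.

```python
"""Build and validate Microsoft Graph bodies for a per-app token lifetime policy.

Added example, not Microsoft's code. Assumptions, as documented for Graph v1.0
at the time of writing: the policy "definition" is a one-element list holding
a JSON string; AccessTokenLifetime uses a .NET-style timespan ("hh:mm:ss" or
"d.hh:mm:ss") and must be between 10 minutes and 1 day; the policy is bound
to an app or service principal via POST .../tokenLifetimePolicies/$ref.
"""
import json
import re

MIN_LIFETIME_S = 10 * 60          # documented minimum: 10 minutes
MAX_LIFETIME_S = 24 * 60 * 60     # documented maximum: 1 day

_TIMESPAN = re.compile(r"^(?:(?P<d>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})$")


def timespan_to_seconds(value: str) -> int:
    """Parse 'd.hh:mm:ss' or 'hh:mm:ss'; reject anything a TimeSpan would not accept."""
    m = _TIMESPAN.match(value)
    if not m:
        raise ValueError(f"bad timespan {value!r}; expected d.hh:mm:ss or hh:mm:ss")
    d = int(m.group("d") or 0)
    h, mi, s = int(m.group("h")), int(m.group("m")), int(m.group("s"))
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"bad timespan {value!r}; use the day field for 24h or more")
    return ((d * 24 + h) * 60 + mi) * 60 + s


def check_lifetime(value: str) -> str:
    """Return the value unchanged if it lies within the documented bounds."""
    secs = timespan_to_seconds(value)
    if not MIN_LIFETIME_S <= secs <= MAX_LIFETIME_S:
        raise ValueError(f"AccessTokenLifetime={value} is outside 10 minutes .. 1 day")
    return value


def build_token_lifetime_policy(display_name: str, access_token_lifetime: str,
                                org_default: bool = False) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies."""
    definition = {"TokenLifetimePolicy": {"Version": 1,
                                          "AccessTokenLifetime": check_lifetime(access_token_lifetime)}}
    return {
        "definition": [json.dumps(definition)],   # Graph expects the JSON as a string
        "displayName": display_name,
        "isOrganizationDefault": org_default,     # False: apply only where assigned
    }


def build_policy_assignment(policy_id: str, target_kind: str, target_object_id: str) -> tuple:
    """Return (relative URL, body) that binds the policy to one app or service principal."""
    collection = {"application": "applications", "servicePrincipal": "servicePrincipals"}[target_kind]
    url = f"/{collection}/{target_object_id}/tokenLifetimePolicies/$ref"
    body = {"@odata.id": f"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/{policy_id}"}
    return url, body


if __name__ == "__main__":
    # Constructed values: a 30-minute access token for one sensitive app.
    policy = build_token_lifetime_policy("ShortLivedTokens-FinanceApp", "0:30:00")
    print(json.dumps(policy, indent=2))
    url, body = build_policy_assignment("<POLICY-ID-PLACEHOLDER>", "application", "<APP-OBJECT-ID-PLACEHOLDER>")
    print("POST", url, json.dumps(body))
```

Keeping `isOrganizationDefault` false is the point of the page's "at the application or service principal level" remark: tightening the tenant default would shorten tokens for every workload, whereas a policy assigned to one app object changes only that app's tokens.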

Long-Term (Next 6-12 Months)

  1. Develop Your CBA Rollout Strategy — With CA scoping, issuer hints, and iOS support all GA, CBA is production-ready. Plan a phased rollout aligned with your hardware certificate infrastructure.
  2. Assess GSA as SSE Replacement — If you’re evaluating SSE vendors at renewal, include GSA in your bake-off. The tight integration with MDE and native Entra ID Conditional Access is a meaningful architectural advantage.

What Has NOT Changed

  • Basic authentication retirement timelines remain unchanged (November 2026 for SAP SuccessFactors).
  • Entra Connect Sync end-of-life planning is still in early notification phase (July 2026+).
  • Existing CBA deployment patterns continue to work — no breaking changes.

The Bigger Picture

Looking across these eleven releases, a clear pattern emerges: Microsoft is building an integrated identity + network + governance platform, not separate products. CBA connects the authentication layer. GSA connects the network layer. PIM + CA enforcement connects the governance layer. The Token Lifetime and License Usage features connect the operational layer.

This is the architectural vision behind Entra ID as a platform, not just a directory service. For organizations already invested in the Microsoft ecosystem, the consolidation benefit is significant — fewer point products, tighter integration, and a single control plane for identity security.


Need Help Navigating Microsoft Entra ID Changes?

Big Hat Group helps organizations design, deploy, and manage Microsoft Entra ID environments. Whether you’re planning a CBA rollout, evaluating Global Secure Access, or optimizing your Entra ID licensing, we can help.


Big Hat Group is a Microsoft partner specializing in identity security, Microsoft Entra ID, and modern endpoint management.