April 2026 delivered one of the largest single-month General Availability releases in Microsoft Entra ID history. Eleven new features reached GA, spanning passwordless authentication, network security, identity governance, and platform infrastructure. For enterprise IT teams managing Microsoft Entra environments, this release wave contains several changes that demand attention — and action.

Here is what changed, what it means, and what your organization should do.


The Big Picture: Three Themes Driving This Release

Before diving into individual announcements, it is worth stepping back to see the narrative. These 11 GA releases cluster around three strategic themes:

  1. Phishing-resistant authentication is no longer optional. Microsoft is investing heavily in Certificate-Based Authentication (CBA) — three of the eleven announcements directly expand CBA capabilities. This aligns with the broad industry push toward FIDO2, passkeys, and certificate-based MFA as organizations move away from SMS and TOTP.

  2. Security Service Edge (SSE) is becoming real. Global Secure Access (GSA) reached new maturity with cloud firewall, iOS client, and network content filtering reaching GA. Microsoft is positioning Entra Internet Access and Private Access as core SSE pillars alongside Defender for Cloud Apps.

  3. Governance controls are tightening. PIM activation can now require Conditional Access re-authentication. License usage visibility means better cost management. Approver transparency in My Access improves the audit trail. These are small changes with big implications for compliance and operational security.


Authentication: Three CBA Announcements Double Down on Passwordless

Entra CBA as Third Option in System-Preferred MFA Methods

The most operationally significant authentication change is CBA moving to the third position in the system-preferred MFA method order on iOS. Microsoft resolved the iOS platform issues that previously relegated CBA to the lowest priority. Native iOS sign-ins with certificates now avoid unnecessary password and MFA prompts.

Why this matters: Organizations that deployed CBA certificates but found users still being pushed toward app-based MFA or SMS will see a material improvement in the sign-in experience. Users with valid certificates will be prompted to use them first, reducing friction and improving adoption rates for phishing-resistant methods.

Entra CBA Certificate Authority (CA) Scoping

Admins can now restrict specific certificate authorities to defined user groups. This means an organization can issue CBA certificates from different CAs for executives, contractors, and standard users — and enforce which certificates can authenticate whom.

Security impact: CA scoping limits blast radius. If a CA is compromised, only the user group assigned to that CA is affected. This is a defense-in-depth improvement that enterprises with multiple PKI hierarchies should prioritize.

Issuer Hints for Microsoft Entra CBA

When users have multiple certificates on their device, issuer hints ensure they are prompted to select only certificates trusted by their organization. This reduces sign-in errors and confusion, especially on devices with personal and corporate certificates.

Practical take: This is a quality-of-life improvement, but quality-of-life matters for security adoption. The fewer roadblocks users face when authenticating with certificates, the fewer helpdesk calls and workarounds your team will handle.


Network Security: Global Secure Access Hits GA Milestones

GSA iOS Client (GA)

The Global Secure Access client for iOS and iPadOS is now generally available. Critically, it requires no new agent installation — it leverages the existing Microsoft Defender for Endpoint (MDE) agent to route traffic through Microsoft SSE.

Why this is a big deal: If your organization already deploys MDE on iOS devices — and most security-conscious organizations do — enabling GSA is a configuration change, not a deployment project. This dramatically lowers the barrier to SSE adoption for mobile workforces.

GSA Cloud Firewall for Remote Networks (GA)

Remote networks (branch offices connected via GSA) can now use a cloud-based firewall with 5-tuple filtering (source IP, destination IP, protocol, source port, destination port). This is applied to all internet traffic acquired from branch offices.

Architecture note: This allows organizations to replace or augment on-premises firewall appliances for branch offices with cloud-native filtering through Microsoft’s SSE. For organizations with dozens or hundreds of small branch locations, this is a meaningful cost and complexity reduction opportunity.

Network Content Filtering Based on File Types (GA)

Admins can now monitor and control file transfers across the network to GenAI and SaaS applications based on file type. This targets the emerging risk of data exfiltration through AI tools — employees uploading sensitive documents to ChatGPT, Gemini, or other LLM platforms.

Urgency level: High. Shadow AI usage is one of the fastest-growing data loss vectors in enterprise environments. This capability gives network-layer control where endpoint controls may be insufficient.


Governance: Enforcement and Transparency Improvements

Enforce Conditional Access Policies on Every PIM Activation (GA)

PIM can now require Conditional Access re-authentication (including MFA) on every role activation. This closes a longstanding gap where PIM activations could bypass CA policies if the user’s session was still valid.

Compliance impact: For organizations subject to SOX, PCI-DSS, or FedRAMP, this is a significant control improvement. Every privileged elevation now goes through full authentication assurance, not just the initial session.

My Access Approver Visibility (GA)

Requestors can see who their approvers are for pending access package requests in the My Access portal. This is enabled by default for members.

Governance benefit: Reduces the “who needs to approve this?” confusion that creates bottlenecks in entitlement management. Improves the audit trail by making approval chains transparent.

License Usage Page (GA)

The new License Usage page in the Entra admin center provides visibility into how many P1, P2, and Entra Suite licenses are owned versus used, mapped to feature adoption (Conditional Access, risk-based policies, etc.) with six-month trends.

Cost optimization: Many organizations over-license Entra ID. This page gives procurement teams the data needed to right-size. It also surfaces under-utilization — expensive P2 features that nobody is actually using.


Platform: Configurable Token Lifetime Policies (GA)

Token lifetime policies for access tokens, ID tokens, and SAML tokens are now generally available. Admins can create policies and assign them to applications and service principals.

Security trade-off: Shorter token lifetimes improve security posture but may break applications with long-running operations. Longer lifetimes reduce re-authentication frequency but increase token theft risk. The GA release of this feature means Microsoft considers it production-ready, and organizations should develop their token lifetime strategy accordingly.

Recommended approach: Start with shorter lifetimes for high-risk applications and longer lifetimes for trusted first-party apps. Monitor sign-in logs for token-related failures during rollout.
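To make the tiered approach above concrete, here is an added example (not Microsoft's code or the page's own) that builds the Microsoft Graph request bodies for a token lifetime policy and for linking it to an application. The `TokenLifetimePolicy` definition shape, the `d.hh:mm:ss` duration format, and the 10-minute-to-1-day bound on access token lifetime are the documented Graph conventions; the three risk tiers and their lifetimes are this example's own assumption, not an Entra feature.

```python
"""Build Entra token lifetime policy bodies (added example; risk tiers are assumptions)."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Bounds Entra enforces for AccessTokenLifetime (the same range applies to ID tokens).
MIN_LIFETIME_MINUTES = 10
MAX_LIFETIME_MINUTES = 24 * 60

# Assumed tiering: short tokens for high-risk apps, longer ones for trusted first-party apps.
TIER_LIFETIME_MINUTES = {
    "high-risk": 15,
    "standard": 60,
    "trusted-first-party": 8 * 60,
}


def to_policy_duration(minutes: int) -> str:
    """Format a lifetime as 'hh:mm:ss' or 'd.hh:mm:ss', the form the policy definition expects."""
    if not MIN_LIFETIME_MINUTES <= minutes <= MAX_LIFETIME_MINUTES:
        raise ValueError(f"access token lifetime must be 10 minutes to 1 day, got {minutes} min")
    days, rem = divmod(minutes * 60, 86400)
    hours, rem = divmod(rem, 3600)
    mins, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{mins:02d}:{secs:02d}"
    return f"{days}.{hms}" if days else hms


def build_policy(tier: str) -> dict:
    """Body for POST /policies/tokenLifetimePolicies; 'definition' is a JSON string inside a list."""
    definition = {"TokenLifetimePolicy": {
        "Version": 1,
        "AccessTokenLifetime": to_policy_duration(TIER_LIFETIME_MINUTES[tier]),
    }}
    return {
        "displayName": f"token-lifetime-{tier}",
        "definition": [json.dumps(definition)],
        "isOrganizationDefault": False,  # assign per app rather than tenant-wide
    }


def build_assignment(policy_id: str) -> dict:
    """Body for POST /applications/{app-id}/tokenLifetimePolicies/$ref linking the policy."""
    return {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}


if __name__ == "__main__":
    for tier in TIER_LIFETIME_MINUTES:
        print(json.dumps(build_policy(tier), indent=2))
    # Placeholder policy id; a real one is returned by the create call above.
    print(build_assignment("00000000-0000-0000-0000-000000000000"))
```

Submit the bodies with an account holding the Policy.ReadWrite.ApplicationConfiguration permission, and roll out to a non-production application first.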


What Organizations Should Do

  1. Enable CBA CA scoping if you maintain multiple PKI hierarchies. This is a quick configuration improvement with meaningful security ROI.

  2. Review system-preferred MFA method order. With CBA now at position 3 on iOS, verify your authentication methods policy reflects your desired prioritization.

  3. Evaluate GSA cloud firewall for branch offices. If you have small to mid-sized remote sites, this could reduce hardware costs and operational complexity.

  4. Enable network content filtering for GenAI file uploads. This is the easiest quick win in this release — configure it before the next security audit.

  5. Review PIM activation settings. Enabling Conditional Access re-authentication on PIM activation should be a high priority for privileged role management.

  6. Audit your Entra ID licensing. Use the new License Usage page to identify over-licensed or under-utilized subscriptions before renewal.

  7. Develop a token lifetime policy strategy. Document which applications need custom token lifetimes and test the new policies in a non-production environment first.


What Has NOT Changed

Several important things remain the same:

  • Entra Connect Sync → Cloud Sync migration timelines remain as announced: notifications begin July 2026, phased rollout.
  • SCIM modern authentication is still a plan-for-change, not enforcement. Deadlines will be communicated through M365 Message Center.
  • SAP SuccessFactors workload identity migration is available starting May 2026, not yet required. SAP’s basic auth deprecation deadline is November 2026.
  • MIM 2016 SP3 remains supported but is not a path forward — Microsoft’s long-term direction remains cloud-native identity management.

The Bigger Picture

This April GA wave tells us something important about Microsoft’s Entra ID strategy: Microsoft is converging its identity and network access stacks into a unified security platform.

The CBA announcements ensure that authentication — the foundation layer — is as phishing-resistant as possible. The GSA announcements build the network layer on top of that identity foundation. The governance announcements ensure that both layers are auditable and enforceable.

This is the logical conclusion of the Zero Trust model: verify every authentication, enforce every access decision, and audit every change. Microsoft is delivering the infrastructure to make that vision operational.

For organizations that have been “going passwordless” in theory but not in practice, this wave provides the tools to move forward. For organizations investing in SSE/SASE architecture, Entra’s GA milestones make Microsoft a more credible provider in that space.


Need Help Navigating Microsoft Entra ID Changes?

Big Hat Group helps organizations design, deploy, and manage Microsoft Entra ID environments — from authentication strategy to governance automation to SSE architecture. If your team needs guidance on any of these April announcements, we can help.

Contact Big Hat Group for a consultation on your Entra ID roadmap.

Big Hat Group is a Microsoft partner specializing in identity security, Microsoft Entra ID, and modern endpoint management.