Microsoft shipped eleven Entra ID updates in June 2026, and the pattern is clear: Microsoft is building resilience into the identity platform itself, extending Zero Trust to AI agents, and closing security gaps that have existed for years.
Here’s what landed, why it matters, and what your organization should do about it.
1. Entra Backup and Recovery Is Now Available (GA)
This is the headline. Microsoft Entra Backup and Recovery is a built-in solution that automatically backs up critical directory objects and lets admins restore them to a previously known good state. It is always on by default.
What gets backed up: Users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, agent IDs, and authentication and authorization policies.
How it works: The system takes one daily backup and retains it for 7 days (requires Entra ID P1 or P2). Admins can view available snapshots, generate difference reports to understand what changed, and run recovery jobs to restore individual objects or sets of objects.
Why it matters: Entra ID has had recycle-bin-style recovery for individual users and groups for years, but there was no native way to snapshot and restore Conditional Access policies, authentication method configurations, or application registrations. If an admin accidentally (or maliciously) modified a CA policy that broke sign-in for the entire org, recovery meant manual reconstruction from audit logs. This closes that gap.
What to do: Verify your P1/P2 licensing covers the retention you need. Review the backup and recovery blade in the Entra admin center. Build restore procedures into your incident response runbooks.
2. Conditional Access Protections for AI Agent User Accounts (Public Preview)
Conditional Access now provides broader controls to secure AI agents that have a user account. Administrators can target agent user accounts with greater precision using Custom Security Attributes, apply policies based on Agent Risk, require compliant devices (including Windows 365 for Agents), and enforce device platform and network conditions.
Why it matters: AI agents are proliferating in enterprise environments, and most IAM platforms treat them as generic service principals. Microsoft is making agents first-class identities in Entra ID with purpose-built controls: attribute-based targeting, risk-based policy enforcement, and device compliance requirements designed for cloud-hosted agent workloads.
What to do: Inventory the AI agents running in your tenant. Tag them with Custom Security Attributes (agent type, environment, sponsoring team). Build a pilot CA policy scoped to a test group of agents to evaluate the controls before broad rollout.
3. BYOD Support for Windows Client Using Entra Registration (GA)
Bring Your Own Device support for Windows clients using Entra-registered devices is now generally available. Users and partners can access corporate resources from their own devices. Administrators can assign the Private Application traffic profile to users with internal accounts, including internal guest users.
Why it matters: This removes the previous requirement for Windows devices to be domain-joined to access corporate resources through Global Secure Access. Personal Windows devices can now register with Entra ID and get controlled access through GSA traffic profiles without full device management. It is a meaningful expansion of Zero Trust network access tied directly to Entra identity.
What to do: Review your BYOD policies. Determine which traffic profile (SaaS, M365, or Private Access) is appropriate for BYOD users. Update device compliance and CA policies to account for the registered-device state.
4. Jailbreak/Root Detection in Microsoft Authenticator (GA)
Microsoft Authenticator now includes jailbreak/root detection for work or school accounts. Users with rooted or jailbroken devices are blocked from adding or using work or school accounts in the Authenticator app. The capability is secure by default and requires no admin configuration.
Why it matters: Compromised devices have been a weak link in MFA for years. By blocking Authenticator on jailbroken devices, Microsoft eliminates a real-world attack vector where attackers root a device to intercept MFA approvals or extract authentication tokens.
What to do: Communicate this change to your helpdesk. Some users in regions where rooted devices are common may need support transitioning to compliant devices. Monitor support ticket trends after rollout.
5. SOC Identity Responder Role (Public Preview)
Starting June 8, Microsoft introduced a new built-in role: SOC Identity Responder. This role lets SOC analysts perform identity containment actions — disabling users, revoking sessions, and forcing password resets — without granting broad directory administrative privileges. It supports role-assignable groups and PIM integration for just-in-time activation.
Why it matters: Previously, SOC analysts either needed multiple high-privilege Entra roles or had to depend on identity administrators during active investigations, creating delays. This role gives SOC teams dedicated, scoped response capability with full audit trails, directly integrated with Microsoft Defender.
What to do: Add the SOC Identity Responder role to your PIM eligibility model. Define which SOC team members should be eligible. Update your incident response playbook to use this role for identity containment actions.
6. Domainless SAML IdP Federation for Workforce Tenants (GA)
Domainless SAML federation allows external users to authenticate using their IdP-managed credentials regardless of their email domain. It removes the need for domain matching between the user’s email and preconfigured IdP domains during sign-in or invitation redemption.
Why it matters: Traditional SAML federation required the user’s email domain to match a configured IdP domain. This created friction in mergers and acquisitions, multi-brand organizations, and partnerships where contractors use identities from shared or unrelated IdPs. Domainless federation focuses trust on the SAML assertion itself, not the domain.
What to do: If you have B2B scenarios where domain matching has been a blocker, evaluate domainless federation. Map out partner IdPs that could benefit from this model.
7. SCIM 2.0 APIs in US Gov Cloud (GA)
SCIM 2.0 APIs are now generally available in the US Gov cloud, providing a standards-based option for managing users and groups in Microsoft Entra using the System for Cross-domain Identity Management specification.
Why it matters: US Gov tenants (GCC, GCC High, DoD) have historically lagged behind commercial Entra in API parity. SCIM 2.0 availability means Gov customers can now use the same standards-based provisioning integrations as commercial tenants, reducing custom development and improving compliance posture.
What to do: If you operate in Gov cloud, audit your current provisioning integrations. Replace any custom or legacy connectors with SCIM 2.0 where possible.
8. AD Group Enforcement in Entra Cloud Sync (Public Preview)
Admins can designate specific AD groups so that modifications can only be made through the Entra provisioning service. Changes made outside Entra are blocked, preventing drift between Entra ID and AD groups.
Why it matters: In hybrid environments, manual changes to AD groups often create configuration drift that breaks access control. By enforcing that designated groups can only be modified through Entra Cloud Sync, Microsoft ensures group membership integrity and reduces the risk of access drift.
What to do: Identify AD groups that should be Entra-authoritative. Configure them for enforcement. Communicate the change to any teams that currently modify these groups directly in AD.
9. External Users Directly Assigned to Access Packages (GA)
Entitlement Management admins can directly assign external users who are not in the directory to an access package using the user’s email. Users are invited as Guest users and governed by Entra ID Governance.
Why it matters: Previously, external users had to go through the full request flow to get an access package. Now admins can directly assign external users, which is particularly useful for onboarding contractors, partners, or consultants who need a known set of access from day one.
What to do: Update your external user onboarding procedures to use direct assignment where appropriate. Ensure governance guest billing meter compliance is understood.
10. Kerberos Key Rotation Reliability (GA)
Improved Kerberos key rotation reliability for incoming trust referral flows. The update enhances validation logic to attempt decryption with both primary and secondary Kerberos keys, reducing authentication disruption during rotation events.
Why it matters: Entra Kerberos enables cloud-only identities to access Azure File Share and Azure Virtual Desktop without traditional AD infrastructure. This update removes a real-world reliability issue where authentication could fail during key rotation if referral tickets were encrypted with a secondary key.
What to do: If you use Entra Kerberos, verify your key rotation schedules. This update is transparent — no configuration change required.
11. iOS Passkey Restore Improvements (Upcoming — August 2026)
Starting August 2026, users will see an improved restore experience for device-bound Authenticator app passkeys on iOS. Users with iCloud Keychain backup enabled will automatically benefit, and the restore flow on new iOS devices will be streamlined based on whether they have access to their old device.
Why it matters: Account lockout fear is one of the top barriers to passkey adoption. If users worry they will lose access when they get a new phone, they resist enrolling passkeys. A smooth restore experience is essential for large-scale passwordless rollouts.
What to do: If you are planning or running a passkey rollout, time your communications around the August update. Let users know the restore experience is improving. Android support will follow.
The Bigger Picture
The June 2026 wave reinforces three strategic directions for Entra ID:
Resilience as a platform feature. Backup and Recovery, AD group enforcement, and Kerberos key rotation improvements all reduce the risk of configuration drift, accidental changes, and operational disruption. Microsoft is building safety nets into the identity platform itself rather than leaving it to third-party tools.
AI agents as first-class identities. Conditional Access for agent user accounts, Agent Risk signals, and Windows 365 for Agents position Entra as the control plane for enterprise AI. This is a genuine differentiator — most IAM competitors are still figuring out basic agent identity, while Microsoft is shipping granular policy controls.
Security by default, not by configuration. Jailbreak detection in Authenticator is “secure by default and does not require any admin configuration.” Backup and Recovery is “always on by default.” Microsoft is shifting toward making the secure state the default state, which reduces the blast radius of misconfiguration.
If your organization is investing in Entra ID — and as a Microsoft partner, you should be — these are the updates to build into your roadmap now.