The pace of Microsoft Entra ID releases shows no signs of slowing. Three new announcements landed in the May 2026 what’s-new feed that deserve your attention, not because they’re flashy, but because each one quietly addresses a real operational pain point or security gap in enterprise identity infrastructure.
Here’s what changed, why it matters, and what your organization should do about it.
1. Entra Connect Sync Gets Interactive Admin Authorization
The change: Microsoft is introducing interactive admin authentication for all Entra Connect Sync configuration changes. Whether you’re using the setup wizard or PowerShell, any modification to sync settings will now require a verified cloud administrator to sign in and explicitly approve the change.
Why it matters: Previously, anyone with local administrative access to the Entra Connect server could modify synchronization configuration (including disabling sync features, changing directory extension attributes, or even orchestrating a full uninstall) without ever authenticating to Entra ID. That’s a significant attack surface in a product that sits at the center of your hybrid identity infrastructure.
The new model changes this fundamentally:
- Sync configuration becomes a cloud-authorized action. The Entra Connect wizard uses delegated admin tokens. PowerShell cmdlets prompt for interactive sign-in. Uninstall requires cloud admin authentication before modifying tenant settings.
- The cloud becomes the source of truth for feature state. Configuration decisions made by cloud administrators are consistently respected, eliminating drift between what’s configured on-premises and what’s enforced in the cloud.
- Every configuration change leaves a cloud audit trail. Because changes now require interactive Entra ID authentication, each modification is tied to a specific admin identity.
What’s not changing: Synchronization functionality itself. The actual sync engine, scheduled sync cycles, and end-user experience remain completely unchanged. This is purely an authorization model upgrade: you authenticate more, but once configured, everything works the same.
What organizations should do:
- Audit who has local admin access to your Entra Connect servers. The new auth model doesn’t eliminate the need to control on-premises access, but it does add a second layer of defense.
- Review any automation or scripts that modify sync configuration. CI/CD pipelines or scheduled tasks that change sync settings will need to be redesigned to support interactive authentication.
- Ensure break-glass admin accounts have the necessary cloud roles to authorize sync changes in emergency scenarios.
- Download the updated .msi from the Microsoft Entra admin center when available.
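The first two checklist items can be started with a short audit script. This is an added example, not code from Microsoft or the original post; it assumes the default local group names created by Entra Connect setup (`ADSyncAdmins`, `ADSyncOperators`) and uses a verb-prefix regex as a heuristic, since the announcement does not enumerate which cmdlets will prompt.

```powershell
# Added example. Run in an elevated PowerShell session on the Entra Connect server.
# Part 1: local principals that can reach sync configuration today.
# Assumption: default group names created by Entra Connect setup.
$groups = 'Administrators', 'ADSyncAdmins', 'ADSyncOperators'
$members = foreach ($g in $groups) {
    try {
        Get-LocalGroupMember -Group $g -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, PrincipalSource
    } catch {
        # Missing group or unresolvable SID: report it rather than stop the audit
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}
$members | Sort-Object Group, Name | Format-Table -AutoSize

# Part 2: scheduled tasks that change sync configuration unattended.
# Heuristic (assumption): state-changing verbs on ADSync cmdlets count as configuration.
$pattern = '\b(Set|Add|Remove|Enable|Disable|New)-ADSync\w+'
$findings = foreach ($task in Get-ScheduledTask) {
    $name = $task.TaskPath + $task.TaskName
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        # Cmdlet called inline, e.g. powershell.exe -Command "Set-ADSync..."
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Task = $name; Source = 'task action'; Match = $Matches[0] }
        }
        # Script files the action points at (quoted or unquoted .ps1 paths)
        foreach ($m in [regex]::Matches($cmd, '(?i)[A-Z]:\\[^"'']+?\.ps1')) {
            if (Test-Path -LiteralPath $m.Value) {
                Select-String -LiteralPath $m.Value -Pattern $pattern | ForEach-Object {
                    [pscustomobject]@{
                        Task   = $name
                        Source = "$($m.Value):$($_.LineNumber)"
                        Match  = $_.Matches[0].Value
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Every row in the second table is a job that will need an interactive sign-in step or a redesign once the new authorization model is installed.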
2. SAP SuccessFactors Provisioning Moves to Workload Identity (Public Preview)
The change: Microsoft Entra provisioning can now authenticate to SAP SuccessFactors using workload identity and short-lived OIDC tokens instead of static username/password credentials.
Why it matters: SAP has announced that basic authentication for SuccessFactors APIs will be deprecated by November 2026. If your organization uses SuccessFactors as an HR source of truth for identity provisioning (whether syncing to Active Directory, Entra ID, or writing back attributes), this migration is mandatory, not optional.
The shift to workload identity-based authentication brings three tangible security improvements:
- No more stored passwords. Long-lived provisioning credentials are replaced with short-lived tokens issued through SAP Cloud Identity Services. No password rotation schedules to manage, no credential exposure risk.
- Standards-based, federated auth. The connection uses OpenID Connect and workload identity federation, the same model Microsoft is extending across its entire provisioning connector ecosystem.
- Seamless migration. Existing provisioning configurations can be switched without recreating or restarting the provisioning job. The change happens through the connectivity settings within the existing provisioning experience.
This applies to all three SuccessFactors provisioning scenarios: SuccessFactors to Active Directory, SuccessFactors to Entra ID, and Entra to SuccessFactors writeback.
What organizations should do:
- Immediately identify all SAP SuccessFactors provisioning configurations in your tenant. Document which scenarios are in use (AD provisioning, cloud-only, writeback).
- Review the detailed configuration guide at https://aka.ms/EntraSAPSFConnectivityGuide.
- Set up the SAP Cloud Identity Services integration required for workload identity federation.
- Test the migration in a non-production environment with a copy of your provisioning configuration before touching production.
- Schedule production migration well before the November 2026 deadline. Early migration reduces risk and gives you time to address any issues.
3. Connect Health NetBIOS Test Now Informational Only
The change: The “NetBIOS Name Sysvol Connectivity resolution” test in Entra Connect Health has been reclassified from an alerting test to informational-only.
Why it matters: If your Connect Health dashboard has been lighting up with NetBIOS alerts that you’ve been ignoring or investigating fruitlessly, this change is for you. Microsoft’s rationale is straightforward: NetBIOS is a legacy protocol that most modern Active Directory environments don’t depend on for SYSVOL access. DNS-based name resolution handles this today.
The reclassification reduces alert noise and lets administrators focus on issues that genuinely impact hybrid identity infrastructure.
What organizations should do:
- Verify that your domain controllers have proper DNS-based name resolution configured as the primary path for SYSVOL access.
- Review and update any custom monitoring dashboards, notification rules, or SOAR playbooks that reference this specific test.
- Remove any custom alerting rules you may have created around this test.
- Document the change in your identity operations runbooks.
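One way to carry out the DNS verification step, as an added example that is not part of the original post. It assumes a domain-joined host with the ActiveDirectory module (RSAT) installed and relies on `Resolve-DnsName -DnsOnly`, which excludes LLMNR and NetBIOS from the lookup.

```powershell
# Added example: confirm each DC resolves through DNS alone and serves SYSVOL by FQDN.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $fqdn = $dc.HostName
    # -DnsOnly skips LLMNR and NetBIOS, so a result proves DNS by itself is sufficient
    $dns = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    # UNC path by FQDN does not depend on NetBIOS name resolution
    $sysvol = Test-Path -LiteralPath "\\$fqdn\SYSVOL"
    [pscustomobject]@{
        DomainController = $fqdn
        DnsResolves      = [bool]$dns
        DnsAddresses     = ($dns | Where-Object { $_.IPAddress }).IPAddress -join ', '
        SysvolByFqdn     = $sysvol
    }
}
$report | Format-Table -AutoSize

# Domain-based path that clients use when fetching Group Policy
$domainPathOk = Test-Path -LiteralPath "\\$domain\SYSVOL"
Write-Output "\\$domain\SYSVOL reachable: $domainPathOk"

# Rows that need DNS or SMB follow-up before NetBIOS results are treated as noise
$report | Where-Object { -not $_.DnsResolves -or -not $_.SysvolByFqdn } |
    Format-Table -AutoSize
```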
This is not a signal that Microsoft is deprecating NetBIOS monitoring entirely; it’s a signal that the test was producing more noise than signal, and that the default should be to not alert on non-critical legacy conditions.
What Has NOT Changed
- Sync engine behavior. The actual synchronization of identities between on-premises Active Directory and Entra ID works exactly as before.
- End-user authentication flows. These announcements affect administration and provisioning, not end-user sign-in.
- Entra Connect Sync end-of-life timeline. The April announcement about the transition to Cloud Sync remains in effect. This admin auth change applies to the existing Connect Sync product.
- Licensing requirements. No new licenses are required for any of these changes. The SAP SuccessFactors provisioning feature requires the same Entra ID Governance or Entra Suite licensing that was already in place.
The Bigger Picture
Look at these three announcements together and a pattern emerges:
Microsoft is systematically eliminating standing credentials and implicit trust from the identity infrastructure management plane.
The Entra Connect Sync change removes the assumption that local server access equals sync configuration authority. The SAP change removes long-lived provisioning credentials. The NetBIOS test change removes the assumption that legacy protocol health should trigger alerts by default.
This is consistent with Microsoft’s broader Entra strategy: move authorization to the cloud, eliminate static credentials, and reduce operational noise so administrators can focus on the alerts that actually matter. It’s not a flashy shift, but it’s the kind of infrastructure-level hardening that makes enterprise identity more resilient over time.
Need Help Navigating Microsoft Entra ID Changes?
Big Hat Group helps organizations design, deploy, and manage Microsoft Entra ID environments, from hybrid identity modernization to identity governance and security hardening. If these changes raise questions about your current Entra ID deployment, contact us.
Big Hat Group is a Microsoft partner specializing in identity security, Microsoft Entra ID, and modern endpoint management.