Microsoft shipped a dense wave of updates to Entra ID in May 2026, and while none of them are the kind of “you must act now or break” changes that defined the early-year legacy auth deprecations, several represent quiet inflection points in Microsoft’s identity strategy. System-preferred authentication now reaches into first-factor sign-in — meaning users with passkeys may never see a password prompt again. Cross-tenant group synchronization went GA, sensitivity labels landed on security groups, and Azure role governance entered Entitlement Management. Here is what each change means, why it matters, and what your organization should do about it.

System-Preferred Authentication Expands to First-Factor: Passwordless Becomes the Path of Least Resistance

The biggest change in this release is largely invisible — and that is the point. System-preferred authentication, which Microsoft has been evolving since early 2025, now applies to both first-factor (primary sign-in) and second-factor (MFA) in the Microsoft-managed mode. The system evaluates which credentials a user has registered and silently selects the most secure method for each step.

The ranking: Temporary Access Pass > Passkey (FIDO2) > Certificate-based authentication > Microsoft Authenticator > External MFA > TOTP > Telephony > QR code > Password.

For users with a passkey or CBA registered, the password prompt disappears entirely. They are prompted with their phishing-resistant credential at first-factor sign-in. For users who only have a password, nothing visible changes — but the system is now waiting for them to register something stronger.

What makes this strategically significant: Microsoft is flipping the default. Previously, organizations had to actively configure passwordless. Now, the “Microsoft managed” state actively pushes users toward stronger credentials by not showing them the password screen at all. This is behavioral design at platform scale.

The rollout is currently in progress and will reach all Microsoft-managed tenants by the end of June 2026. If your organization has not yet deployed passkeys or CBA, you have roughly one month to prepare — or to switch from “Microsoft managed” to “Enabled” mode, which limits system-preferred logic to second-factor only.

What organizations should do: Audit your registered authentication methods. If you have users with CBA certificates registered but no reliable CBA experience on all their devices, those users will hit a sign-in wall when first-factor CBA fails — they can select “Sign in another way,” but the friction is real. Consider group-based exclusions for users who aren’t passkey/CBA-ready while you complete deployment.
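As an added illustration (not code from this post or from Microsoft), the following Python applies the ranking above to a constructed set of registered-method records to predict each user's first-factor prompt and to flag the CBA-only group the audit advice singles out. The method names are the post's own labels; mapping them onto the values in the Graph authentication-methods registration report is an assumption left to the reader, and treating a Temporary Access Pass as password-replacing at first factor is also an assumption.

```python
"""Predict what system-preferred authentication shows each user at first-factor
sign-in. Constructed example using the post's ranking; the user records are
made up and do not come from any real tenant."""

# Ranking from the post, strongest first.
RANKING = [
    "Temporary Access Pass", "Passkey (FIDO2)", "Certificate-based authentication",
    "Microsoft Authenticator", "External MFA", "TOTP", "Telephony", "QR code", "Password",
]
RANK = {m: i for i, m in enumerate(RANKING)}

# Methods that replace the password prompt at first factor: passkey and CBA per
# the post; Temporary Access Pass is assumed to behave the same way.
FIRST_FACTOR_CAPABLE = {"Temporary Access Pass", "Passkey (FIDO2)",
                        "Certificate-based authentication"}


def strongest(methods):
    """Highest-ranked method among a user's registered ones (the system-preferred pick)."""
    return min(methods, key=lambda m: RANK[m]) if methods else None


def first_factor_prompt(methods):
    """What the user is asked for at primary sign-in under Microsoft-managed mode."""
    capable = [m for m in methods if m in FIRST_FACTOR_CAPABLE]
    return strongest(capable) if capable else "Password"


def classify(methods):
    """Bucket a user for the pre-June audit the post recommends."""
    prompt = first_factor_prompt(methods)
    if prompt == "Password":
        return "password-only at first factor"
    if prompt == "Certificate-based authentication" and "Passkey (FIDO2)" not in methods:
        return "CBA-only: review device readiness before June"  # friction group from the post
    return "passwordless-ready"


def audit(users):
    """users: {upn: [registered methods]} -> {category: sorted [upn, ...]}."""
    out = {}
    for upn, methods in users.items():
        out.setdefault(classify(methods), []).append(upn)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample registration data (not from any real tenant).
SAMPLE_USERS = {
    "alice@contoso.example": ["Password", "Passkey (FIDO2)", "Microsoft Authenticator"],
    "bob@contoso.example": ["Password", "TOTP"],
    "carol@contoso.example": ["Password", "Certificate-based authentication", "Telephony"],
    "dave@contoso.example": ["Password", "Temporary Access Pass"],
}

if __name__ == "__main__":
    for category, upns in audit(SAMPLE_USERS).items():
        print(f"{category}: {', '.join(upns)}")
```

The "CBA-only" bucket is the population to consider for a group-based exclusion until their devices are confirmed ready.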

Cross-Tenant Group Synchronization Is GA: Multi-Tenant Management Gets a Lot Easier

Cross-tenant group synchronization allows organizations to synchronize security groups across Microsoft Entra tenants. A source tenant manages group membership centrally, and target tenants consume those groups for access control without duplicating management overhead.

Why this matters: For organizations operating multiple tenants — through acquisition, subsidiary structures, or deliberate isolation strategies — managing groups across boundaries has been a manual, error-prone process. This feature extends the existing cross-tenant user synchronization to include groups, enabling consistent access control without the administrative tax of keeping groups in sync manually.

The license requirement is Microsoft Entra ID Governance, the same SKU that powers entitlement management, access reviews, and lifecycle workflows. This is consistent with Microsoft’s strategy of positioning governance as the premium identity tier.

What organizations should do: If your organization operates more than one Entra tenant, evaluate cross-tenant group sync immediately. Start with a pilot targeting a single security group used for shared application access across tenants. Plan for the Microsoft Entra ID Governance licensing cost as part of your multi-tenant strategy.

Sensitivity Labels for Security Groups: Purview and Entra Finally Converge

Microsoft Entra ID now supports applying Microsoft Purview sensitivity labels to cloud security groups in public preview. The same labels that govern document classification and Microsoft 365 group settings can now control security group behavior — including guest access policies.

This is bigger than it sounds. Sensitivity labels have been a powerful tool for information protection, but they operated in a separate plane from identity governance. With labels on security groups, organizations can enforce consistent policy: a “Confidential” label on a document can now correspond to a “Confidential” label on the security group that governs access to it. Labels become the connective tissue between data protection and access control.

What organizations should do: If you have a mature Microsoft Purview deployment, pilot sensitivity labels on security groups immediately. Map your existing label taxonomy to group governance policies. If you are still building your Purview practice, this feature is a compelling reason to accelerate that work — it unlocks a unified policy model that standalone identity or information protection cannot achieve.

Azure Role Governance via Entitlement Management: Least Privilege at Scale

Azure roles at Management Group, Subscription, and Resource Group levels can now be governed through access packages in Entitlement Management. This brings Azure RBAC into the same request, approval, and lifecycle governance model that organizations already use for application access, group membership, and SharePoint site permissions.

The practical impact: Instead of managing Azure role assignments through IAM blades and PowerShell scripts, organizations can now offer self-service access packages for Azure roles, with approval workflows, access reviews, and automatic expiration. This is a significant step toward operationalizing least privilege at Azure scale.

What organizations should do: Start with a pilot on a single non-production subscription. Create an access package for a commonly needed Azure role (e.g., Reader or Contributor), configure an approval workflow, and test the experience. Use this to build internal processes before expanding to management group and production scopes.

Device Soft-Delete: A Safety Net for Accidental Deletion

Device soft-delete, now in public preview, moves deleted device objects to a recoverable state instead of permanently removing them. It supports Entra joined, registered, and hybrid joined devices and preserves device identity and security artifacts during the retention period.

Why this matters: Accidental device deletions have caused real damage — lost device identities, broken Autopilot deployments, and security gaps from orphaned device records. This feature provides a recovery path that has been conspicuously absent. It is the device management equivalent of group soft-delete and user account recovery.

Passkey policy expansion also arrived in May: FIDO2 passkey policy now has a dedicated 20-KB allocation (separate from the shared auth methods pool), and the maximum number of passkey profiles per tenant jumped from 3 to 10. This directly supports the passwordless push — the old policy limits were a real constraint for organizations wanting granular passkey deployments.

What Has NOT Changed

It is worth noting what Microsoft did not announce this month. There were no new breaking changes or deprecation dates. The major enforcement deadlines from earlier in the year — legacy auth deprecation, mandatory MFA for Azure, Connect Sync security hardening (June 1), and Connect hardening for OnPremisesObjectIdentifier (July 1) — remain on track but were not escalated. The Connect-to-Cloud Sync migration timeline remains July 2026 for initial notifications, not enforcement. This is the first month in 2026 where the “What’s New” page is entirely additive — a welcome breather for IT teams still processing the year’s earlier disruption.

The Bigger Picture

The May 2026 updates reveal where Microsoft is taking Entra ID over the next twelve months:

Passwordless is the default, not the goal. System-preferred first-factor, passkey registration campaigns, expanded policy storage, and auto-enabled passkey profiles all point in one direction: Microsoft is done asking whether organizations want passwordless. The platform is being engineered to assume passwordless, and password-first authentication becomes the path of greatest resistance.

Governance is converging. Sensitivity labels on security groups and Azure roles in Entitlement Management are two fronts of the same strategic push: unify the governance model so that information protection, identity governance, and cloud resource management operate on a single policy plane. Microsoft is building toward a world where a single access package can govern group membership, Azure RBAC, and application access — with consistent approval, review, and expiration.

AI agent identity is infrastructure now. The Agent ID platform (GA in April), Conditional Access for agents, agent registry, and now sponsorship lifecycle management in Lifecycle Workflows mean Microsoft is treating AI agents as first-class identity principals with full lifecycle governance. If your organization is deploying AI agents — or planning to — the identity infrastructure to govern them is available now.

External ID is ready for primetime. HSC mode for large-scale migrations from Azure AD B2C, passkey support, and workforce identity federation all signal that Entra External ID has matured. Organizations with customer-facing identity platforms should begin migration planning.

Need Help Navigating Microsoft Entra ID Changes?

Big Hat Group helps organizations design, deploy, and manage Microsoft Entra ID environments — from passwordless authentication rollouts to multi-tenant governance, identity security, and AI agent identity strategy. Contact us to discuss how these changes affect your roadmap.

Big Hat Group is a Microsoft partner specializing in identity security, Microsoft Entra ID, and modern endpoint management.