Microsoft Entra ID Update Version April 2026

April 2026 Microsoft Entra updates include GA for Agent ID, Workday termination lookahead, iOS CBA improvements, Global Secure Access features, MIM 2016 SP3, and configurable token lifetime policies. It also introduces previews for account discovery, sign-ins API $count filtering, and Entra ID federation with External ID.

• Microsoft Entra Agent ID platform provides enterprise-grade authentication, authorization, and governance for AI agents using standards such as OAuth 2.0, MCP, and A2A.
• Microsoft Entra ID federation with External ID (EEID) lets customer-facing apps trust workforce Entra ID identities through standards-based federation, reducing duplicate accounts and extending consistent security controls.
• SCIM provisioning apps using OAuth 2.0 Authorization Code will move to modern authentication such as OAuth 2.0 Client Credentials and workload identity federation to strengthen provisioning security.
• SAP SuccessFactors provisioning will support workload identity-based authentication with short-lived tokens instead of static credentials.
• Microsoft Entra Certificate-Based Authentication (CBA) on iOS now supports second-factor use and system-preferred MFA prioritization.
• Entra CBA Certificate Authority scoping restricts specific certificate authorities to defined user groups.
• Enforce Conditional Access policies on every PIM activation adds reauthentication controls for privileged role activation.
• Configurable token lifetime policies let admins shorten or extend access, ID, and SAML token lifetimes for security-sensitive scenarios.

• Workday termination lookahead prefetches termination data to resolve processing delays for workers in APAC and ANZ regions.
• Microsoft Identity Manager 2016 SP3 adds stability and supportability improvements, including updated compatibility with SQL Server 2022, SharePoint SE, Exchange SE, and SCSM DW 2022.
• Issuer Hints for Microsoft Entra CBA reduces sign-in errors by prompting users to select only trusted and valid certificates.
• GSA iOS client GA uses Microsoft Defender for Endpoint to route traffic without requiring a new agent installation.

• Microsoft Entra Agent ID platform is generally available for AI agent identity and authorization management.
• Account Discovery preview shows all accounts in connected applications, including orphan accounts, from the provisioning experience.
• App-based branding themes let tenants apply different branding experiences to specific applications.
• Microsoft Entra ID federation with External ID is available in public preview for customer-facing sign-in scenarios.
• Public preview of $count filtering in sign-ins API enables count computations directly in requests.
• Microsoft Entra CBA on iOS is generally available as a supported second factor.
• Microsoft Identity Manager 2016 SP3 adds Azure SQL Database support with managed identity authentication.
• Microsoft Identity Manager 2016 SP3 adds AD FS claims-based SSO support.
• Requestors can see approver names and email addresses for pending access package requests when allowed.
• Global Secure Access iOS client is generally available.
• Network content filtering based on file types is generally available for GenAI and SaaS traffic.
• GSA cloud firewall for remote networks is generally available with 5-tuple filtering.
• Social identity providers are supported in Entra External ID native authentication via browser-delegated SDK flows.
• License Usage insights are generally available in the Entra admin center.
• Configurable token lifetime policies are generally available.

• Beginning in July 2026, Microsoft will notify customers about their Entra Connect Sync to Entra Cloud Sync transition timelines through Message Center, Entra Connect Health, and targeted emails.
• Existing SCIM provisioning jobs using OAuth 2.0 Authorization Code will not switch automatically and must be updated after modern authentication becomes available.
• SAP SuccessFactors basic authentication must be migrated to workload identity-based authentication before November 2026.
• The SAP SuccessFactors workload identity option becomes available starting May 2026.
• Entra Cloud Sync migration guidance, comparison, and scenario documentation are referenced for planning the transition from Connect Sync.
• Source of Authority capabilities can be used to shift user and group management to the cloud while continuing hybrid coexistence.
• MIM 2016 SP3 introduces a new upgrade process and documented upgrade steps from SP2 to SP3.
• Approver visibility for access package requests is enabled by default for members at the tenant level and can be overridden in access package policy settings.
• CBA issuer hints improve certificate selection without changing certificate issuance or management.
• Configurable token lifetime policies are assigned to applications and service principals.

• Account discovery documentation
  https://aka.ms/accountDiscoveryDocumentation
• Workday termination lookahead documentation
  https://aka.ms/WorkdayTerminationLookaheadDoc
• SOA planning guidance
  https://aka.ms/SOAITArchitectsGuidance

Product Information

Vendor: Microsoft

Product: Entra ID

Version: April 2026

Release date: Apr 1, 2026