Microsoft Entra ID: What Changed
Microsoft Entra
16. Juli 2026 22:19

Microsoft Entra ID: What Changed

von HubSite 365 über Andy Malone [MVP]

Microsoft 365 Expert, Author, YouTuber, Speaker & Senior Technology Instructor (MCT)

Microsoft expert: Entra ID updates with auth changes, passkeys default, SSPR and backup for three sixty five admins

Key insights

  • Entra ID update summary: Microsoft rolled out three critical Entra ID security changes starting July 6, 2026.
    These changes tighten how authentication and registration flows work and aim to close enforcement gaps attackers used during credential setup.
  • Conditional Access now applies during registration: Policies that target the "Register security information" action are enforced when users set up Windows Hello for Business and macOS Platform SSO.
    If a policy requires MFA or device compliance, users must meet it before the credential is created.
  • Authentication Method Registration requirement: Users must explicitly register authentication methods (phone, email, authenticator app, passkeys) before those methods can be used for verification.
    Microsoft will run a registration campaign beginning July 6, 2026 to prompt users to complete this step.
  • Self-Service Password Reset (SSPR) change: Starting September 7, 2026, SSPR will accept only methods that are formally registered; directory-stored phone numbers or emails will no longer serve as fallbacks.
    This removes a common bypass attackers used during password resets.
  • External MFA replaces Custom controls: Microsoft deprecates legacy "Custom controls" and introduces a standards-based External MFA model for third-party providers.
    Admins should test and reconfigure third-party MFA integrations to work with Conditional Access under the new standard.
  • Admin actions and checklist: Review Conditional Access policies that target registration, run the user registration campaign, update documentation and user guidance, and test Windows Hello/macOS and third-party MFA flows.
    Also verify backup and recovery settings and confirm new admin roles or permissions as needed.

Introduction

In a recent YouTube video, Andy Malone [MVP] explained a set of important security updates that Microsoft rolled out for Entra ID. The presentation focused on changes to authentication registration, self-service password reset behavior, and third-party multi-factor authentication integration. For administrators of Microsoft 365 and Entra ID, these updates represent a shift in how identity protections are applied at critical moments like credential registration and password recovery. Consequently, the new rules affect both policy design and day-to-day account management.


What Changed: Core Updates Explained

First, Microsoft now requires that authentication methods be explicitly registered before they can be used for verification, which eliminates directory-based fallbacks that previously accepted attributes like a phone number stored in a user profile. Second, Conditional Access policies are evaluated during the provisioning of Windows Hello for Business and macOS Platform SSO, so registration flows must satisfy tenant-defined controls before credentials are created. Third, legacy "Custom controls" for third-party MFA have been replaced by a standards-driven option called External MFA, which aims to unify integrations for external providers.


These changes went into effect on July 6, 2026, and Microsoft also announced an explicit registration campaign that begins at the same time. Importantly, unregistered methods that are only present as directory attributes will no longer be accepted for SSPR starting on September 7, 2026. Therefore, organizations must prompt users to formally register authentication methods to avoid service disruption and ensure recovery processes remain functional.


Why This Matters to Administrators

From an operational perspective, the updates close enforcement gaps that attackers historically exploited during initial setup and recovery flows. By requiring explicit registration, administrators can ensure that verification relies only on trusted, user-confirmed channels, which reduces the risk of identity-based attacks. Moreover, enforcing Conditional Access during registration prevents attackers from provisioning credentials without meeting tenant security requirements, improving the overall integrity of identity lifecycle events.


At the same time, these protections introduce new administrative responsibilities. For example, IT teams must design registration campaigns, monitor adoption rates, and communicate changes to end users clearly. If organizations delay outreach, users with unregistered recovery attributes may encounter sign-in and reset failures, which could increase helpdesk burden in the short term.


Tradeoffs and Practical Challenges

Stronger enforcement improves security but can also increase friction for users. On one hand, removing directory fallbacks and requiring explicit registration reduces attack surfaces and helps meet compliance goals. On the other hand, these changes demand more user action up front and a more active enrollment process, which some teams may find burdensome to coordinate, especially in large or globally distributed environments.


Integrating third-party MFA via External MFA offers a standards-based path forward, yet it carries tradeoffs as well. While a unified approach simplifies Conditional Access management and supports FIDO2-style integrations, implementing and validating third-party connectors can require engineering time, testing, and vendor coordination. Consequently, organizations must balance the desire for consistent policy enforcement against the cost and complexity of integration work.


Implementation Guidance and Timeline

Andy Malone emphasized practical steps administrators should take now, starting with auditing which users rely on directory-stored attributes for recovery and identifying those who have not registered any authentication methods. Next, teams should plan a registration campaign that includes clear instructions and fallback support for users who need help during enrollment. In addition, administrators should review Conditional Access policies that target the "Register security information" action to verify they behave as intended during Windows Hello for Business and macOS SSO provisioning.


Moreover, organizations should evaluate their third-party MFA strategy and begin testing External MFA connectors if they rely on non-Microsoft providers. Testing in a controlled environment will help reveal policy gaps or device compatibility issues before widespread rollout. Finally, administrators should watch the phased enforcement dates closely and prepare helpdesk processes for the expected surge in enrollment and support requests.


Conclusion

In summary, the YouTube briefing by Andy Malone [MVP] highlights a clear security-first shift in how Microsoft enforces identity protections within Entra ID. These updates strengthen defenses by closing registration and recovery loopholes, but they also require proactive planning, user engagement, and potentially significant integration work. Therefore, while security posture will improve, administrators should weigh immediate operational costs against long-term risk reduction and prioritize a phased, well-communicated implementation to minimize disruption.


Microsoft Entra - Microsoft Entra ID: What Changed

Keywords

Microsoft Entra ID update, Entra ID changes 2026, Microsoft Entra ID rebrand, Azure AD to Entra ID migration, Entra ID new features, Entra ID security updates, Entra ID announcement, How to use Entra ID