This article summarizes the key product updates, security improvements, and change announcements published by the Microsoft Entra team in September 2025. It’s a concise roundup aimed at administrators and security engineers who need to know what changed and what actions (if any) are required.

Highlights

  • Microsoft Entra continues to embed AI into identity and access security, notably with Security Copilot integrations and a Conditional Access Optimization Agent that analyzes and recommends policy improvements.
  • Important change announcements affect sign-in security (Content Security Policy) and hybrid sync (Entra Connect). Several retirements and deprecations have dates you should note.
  • Usability and platform reach continue to expand with Platform SSO for macOS, QR+PIN for frontline workers, and new SDKs and templates for developers.

AI for security

Microsoft added deeper AI-driven capabilities to Entra to help reduce manual effort and improve detection and policy tuning:

  • Security Copilot in Microsoft Entra now provides AI-generated insights and recommendations to improve access governance and incident triage.
  • Conditional Access Optimization Agent continuously evaluates policies and suggests adjustments to keep controls effective while reducing unnecessary friction.

Action: Review Security Copilot guidance and evaluate the Optimization Agent in a test tenant before broad rollout.

Microsoft Entra ID — New releases and platform updates

Notable releases and platform improvements:

  • Platform SSO for macOS — a native SSO option for macOS devices.
  • QR + PIN Simple Auth method for frontline workers — easier sign-in flows for non-traditional devices.
  • Bicep templates for Microsoft Graph resources — infrastructure-as-code patterns to deploy Graph resources.
  • Conditional Access What If API — programmatic checks for conditional access outcomes.
  • Enterprise App SSO improvements and Restricted Management Administrative Units for better delegation.

Action: If you manage macOS fleets, plan testing for Platform SSO. Review Bicep templates for automatable deployments where applicable.

Change announcements (admin attention may be required)

  • Content Security Policy (CSP) enforcement for the Entra sign-in experience will prevent unauthorized script injection. The rollout is staged and may require avoiding tools that inject code into the sign-in page.
      - Rollout phases start in 2026 (tenant groups in mid/late April and October 2026 depending on impact).
      - Action: Switch away from any tooling that injects scripts into login.microsoftonline.com flows.
  • Entra Connect will rely on a first-party application (Microsoft Entra AD Synchronization Service). Upgrade to Entra Connect version 2.5.79.0 or later by September 30, 2026.
      - Action: Schedule Entra Connect upgrades; enable auto-upgrade where appropriate.

  • Enable Browser Access (EBA) will be enabled by default for Android users (rolling automatic changes starting March 2026). Mobile MDM providers should review guidance for device registration.
  • ADAL to MSAL Recommendations API retirement on December 15, 2025. Transition monitoring and queries to Microsoft Graph where needed.
  • Deprecation of the "Automatically capture sign-in fields" option — use the newer Capture sign-in fields UX and extensions where required.

Action: Review the specific change links in the official post and map required changes to your support and admin teams.

Entra ID Protection & Governance

  • Improvements to detection quality in Entra ID Protection.
  • Governance features including cross-tenant synchronization, application-based authentication on Entra Connect, lifecycle workflows (including refresh token revocation), and auditing of admin events in Entra Connect Sync.

Action: Review detection tuning and governance settings; add cross-tenant sync to your planning if you operate multi-tenant environments.

Entra External ID & developer tooling

  • Native authentication JavaScript SDK for sign-in/sign-up experiences in External ID (improves SPA and native app flows).
  • Custom third-party email OTP provider support for External ID.

Action: Developers should evaluate the new SDK and OTP customization options when planning customer identity experiences.

Other updates worth noting

  • New end user homepage in My Account that surfaces pending actions (helps users manage access and MFA tasks).
  • Entra ID Free subscription rollout to help track tenant ownership via billing accounts.
  • UI and UX improvements such as refreshed credential enrollment and updated License Usage blades.

Recommended next steps for admins

1. Read the original Microsoft post and linked docs for full details and timelines: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/what%E2%80%99s-new-in-microsoft-entra-%E2%80%93-september-2025/4352576

2. Inventory any tooling that injects scripts into Entra sign-in flows and plan replacements before CSP enforcement begins.

3. Schedule Entra Connect upgrades to 2.5.79.0+ and confirm auto-upgrade settings if desired.

4. Pilot Security Copilot and the Conditional Access Optimization Agent in a non-production tenant.

5. Communicate date-sensitive retirements (e.g., ADAL Recommendations API) to your dev and operations teams.

---

Source: Microsoft Entra blog (September 16, 2025) — summarised and adapted for CloudPartner readers.
