Microsoft's March 2026 Entra update promotes passkey authentication to general availability, introduces a built-in tenant backup feature in public preview, and announces a breaking security change for hybrid environments, taking effect June 1, 2026. Additional changes enforce TLS 1.2 for Entra Connect Health agents and bring several multi-tenant governance capabilities into preview. This article covers changes relevant to administrators managing Microsoft 365 tenants and hybrid Active Directory environments.

Source

Starting April 2026, Microsoft Registration Campaigns in Entra ID will support Passkeys (FIDO2) as an authentication method, enabling organizations to deploy phishing-resistant credentials. The update introduces significant configuration changes, particularly for tenants using the Microsoft-managed state, where several campaign settings become non-configurable. This rollout is part of Microsoft's broader strategy to eliminate passwords and aligns with the introduction of Windows Hello passkey support for Entra accounts.

Source

Microsoft will improve how Conditional Access policies are enforced in Microsoft Entra ID starting March 27, 2026. This change addresses a security loophole in which policies targeting all resources with specific exclusions could be bypassed in certain authentication scenarios. The rollout continues through June 2026 and forms part of Microsoft's Secure Future Initiative. Because these sign-ins will no longer bypass Conditional Access, users may now be required to complete MFA, meet device compliance requirements, or satisfy other configured Conditional Access controls, such as approved apps, app protection policies, or authentication strength, before accessing the resource.

Source

Starting March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to general availability, enabling group-based authentication configurations with granular control over device-bound and synced passkeys. Microsoft will automatically enable passkey profiles for tenants that don't opt in during the initial rollout, with existing settings preserved to maintain their current security posture.

Source

Microsoft will enforce multi-factor authentication (MFA) for all users signing in to the Microsoft 365 admin center starting February 9, 2026. This critical security measure aims to prevent unauthorized access to administrative accounts that manage tenant configurations, user provisioning, and compliance settings.

Source