Top 5 This Week

  1. Entra Connect Sync → Cloud Sync migration signal is live. Microsoft has formally announced the transition away from Entra Connect Sync toward cloud-native Entra Cloud Sync. This isn’t a hard cutoff yet, but the directional signal is clear — start your assessment now before it becomes a forced migration with a tight deadline.

  2. Entra Agent ID is GA. AI agents in your enterprise now have a first-class identity framework built on OAuth 2.0, MCP, and A2A. If you’re standing up any agentic workloads, this is the governance foundation you should be building on — not ad-hoc service accounts.

  3. Configurable Token Lifetime Policies are GA. You can now formally shorten access, ID, and SAML token lifetimes per application via policy. This is a meaningful Zero Trust lever — particularly for high-value apps where stale token exposure is a real risk.

  4. CBA on iOS fully unblocked and promoted in system-preferred MFA. Certificate-based auth on iOS native apps previously had known issues that pushed it to last place in the system-preferred MFA list. Those issues are resolved — CBA now works as a second factor and can be prioritized. PIV/CAC shops on iOS should review their auth method rankings.

  5. SAP SuccessFactors provisioning must move off basic auth by November 2026. SAP is deprecating basic auth for SuccessFactors APIs. Entra now supports workload identity-based auth as the replacement. If you run SuccessFactors inbound provisioning, this is an active deadline — start the migration planning now.
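
Worked configuration for item 3 (and for the matching Identity entry below), added by the editor and not taken from Microsoft's release notes: it creates a token lifetime policy with the Microsoft Graph PowerShell SDK and binds it to one high-value application. The application object ID, the policy name and the 30-minute lifetime are assumed values; the cmdlets, scopes and the JSON definition format are the documented ones.

```powershell
# Added example (editor's, not from the release notes): shorten access/ID/SAML
# token lifetime for one high-value app. Assumed values: the app object ID and
# the 30-minute lifetime. Needs the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration', 'Application.ReadWrite.All'

$appObjectId = '11111111-2222-3333-4444-555555555555'   # assumed: the app's OBJECT id, not its client (app) id

# AccessTokenLifetime governs access, ID and SAML tokens together. Format is
# d.hh:mm:ss; the documented range is 10 minutes to 1 day (default 1 hour).
# Refresh/session token lifetime is NOT set here; use CA sign-in frequency for that.
$definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}'

$policy = New-MgPolicyTokenLifetimePolicy `
    -DisplayName 'HighValueApps-AccessToken-30min' `
    -Definition @($definition) `
    -IsOrganizationDefault:$false          # scoped binding only; never make a short lifetime the tenant default

# Bind by reference: an app can carry at most one token lifetime policy, so
# binding a second one is an error rather than a merge.
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $appObjectId -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
}

# Verify the binding; repeat this read for every app on your high-value list
# to audit coverage.
Get-MgApplicationTokenLifetimePolicy -ApplicationId $appObjectId |
    Select-Object DisplayName, Definition
```

The policy only bounds how long an already-issued access, ID or SAML token stays valid; a stolen refresh token still mints new ones, so pair this with Conditional Access sign-in frequency and token protection for the same apps rather than treating it as the whole control.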

Identity

  • Entra Agent ID Platform [GA] — If you’re deploying AI agents that access enterprise resources, Agent ID is the governance model you’ve been waiting for. It provides identity, OAuth 2.0-based authorization, and auditing for agents using standard protocols including MCP and A2A — purpose-built for enterprise agentic workloads rather than bolted-on service principals.

  • Configurable Token Lifetime Policies [GA] — Admins can now formally customize access token, ID token, and SAML token lifetimes per application and service principal. Use this to shorten token lifetimes on high-sensitivity apps and reduce the blast radius of token theft — a concrete Zero Trust hardening action available today.

  • Entra CBA on iOS — fully GA as second factor and in system-preferred MFA list [GA] — Known iOS issues that previously forced CBA to last place in the system-preferred MFA list are resolved. CBA now works as a second factor in native iOS apps and can be ranked appropriately. If you operate a PIV/CAC environment, review your MFA method ranking policies.

  • Entra CBA Certificate Authority (CA) Scoping [GA] — Admins can now restrict which CAs are valid for specific user groups, preventing certificate sprawl from allowing unintended auth paths. Scope CAs to their intended populations and audit your current CBA trust configuration.

  • Entra CBA Issuer Hints [GA] — Reduces user confusion on multi-certificate devices by surfacing only certificates the tenant trusts during the selection prompt. Low-friction security improvement — no policy change required, but verify behavior in environments with complex cert stores.

  • Entra Connect Sync → Cloud Sync migration planned [Plan for Change] — Microsoft is formally beginning the transition from Entra Connect Sync to cloud-native Entra Cloud Sync. No hard deprecation date announced yet, but the strategic direction is clear — document your current sync topology, identify blockers to cloud sync adoption, and get this into your roadmap before it’s reactive.

  • SCIM provisioning apps must move to modern authentication [Plan for Change] — Older SCIM integrations using legacy auth patterns will be migrated to modern service-to-service auth over the coming months. Affected applications and customer deadlines will be published monthly via What’s New and Message Center — subscribe and watch.

  • SAP SuccessFactors provisioning — workload identity auth GA [GA] — Entra provisioning to SuccessFactors can now authenticate via workload identity and short-lived tokens instead of static username/password. SAP deprecates basic auth by November 2026 — migrate now, this is not optional.

  • Workday connector — termination lookahead GA [GA] — Resolves termination processing delays for workers in APAC and ANZ regions. Admins can enable termination lookahead to prefetch data and customize deprovisioning logic. If you run Workday provisioning in these regions, enable and test this setting.

  • Account Discovery for connected apps [Preview] — Entra ID Governance can now generate discovery reports showing all accounts in connected applications — including orphan accounts not assigned in Entra. Useful for identifying SaaS sprawl and unmanaged accounts during access reviews.

  • Entra External ID federation with workforce tenants [Preview] — Organizations can now let users authenticate to customer-facing External ID apps using their workforce Entra ID identity via standards-based federation. Reduces duplicate accounts for internal-to-external app scenarios.

  • App-based branding themes in Entra [Preview] — Beyond tenant-wide branding, you can now create per-application branding themes for distinct sign-in experiences. Useful for multibrand organizations or partner-facing applications requiring distinct visual identity.

  • PIM activation — Conditional Access reauthentication enforcement [GA] — You can now require MFA or other CA controls on every PIM role activation, not just at sign-in. This closes a meaningful gap where users could activate privileged roles on a stale session — enforce this for all privileged roles.

  • License Usage page in Entra admin center [GA] — Surfaces P1/P2/Suite license consumption alongside feature usage including Conditional Access and risk-based CA, with 6-month trends. Use this to rationalize license spend and identify underutilized premium features.

  • MIM 2016 Service Pack 3 [GA] — SP3 adds SQL Server, SharePoint, and Exchange compatibility updates plus Azure SQL Database with managed identity auth for the Sync Service. If you’re still running MIM in a hybrid identity scenario, this reduces operational risk — apply it.

  • macOS ADE + Platform SSO during enrollment [GA] — Macs enrolled via ADE can now complete Platform SSO registration during the enrollment flow itself, giving users immediate access to Entra ID resources at desktop. Reduces the post-enrollment SSO setup friction that previously required an extra authentication step.

  • Windows 365 Government — external identity support [GA] — Government tenants can now provision Cloud PCs for external identity users, with connectivity via the Windows App on Windows. External identity support for macOS and Android clients is in preview.

  • Entitlement Management — approver visibility in My Access [GA] — Requestors can now see the name and email of their approvers directly in My Access portal. Enabled by default for members (not guests), configurable per access package. Reduces help desk tickets asking “who do I contact about my request.”

  • Social Identity Providers in External ID Native Authentication [GA] — Google, Facebook, and Apple sign-in options are now GA in External ID native authentication flows via browser-delegated (web-view) SDKs. Relevant for customer-facing app teams integrating social login.
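
Worked configuration for the PIM activation entry above, added by the editor and not taken from the release notes. It uses the documented building blocks for requiring reauthentication at activation: an authentication context, a Conditional Access policy that targets it with sign-in frequency set to every time, and the role's PIM activation rule pointing at that context. The context ID c1, the break-glass exclusion and the choice of Global Administrator are assumptions; the role template ID is the well-known one.

```powershell
# Added example (editor's, not from the release notes): fresh MFA on every PIM
# activation of Global Administrator. Assumed: context id 'c1', a break-glass
# account to exclude, and that you validate in report-only before enforcing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuthenticationContext.ReadWrite.All',
                        'RoleManagementPolicy.ReadWrite.Directory'

$contextId  = 'c1'                                      # valid IDs are c1..c99
$breakGlass = '22222222-3333-4444-5555-666666666666'    # assumed: emergency-access account object id
$gaTemplate = '62e90394-69f5-4237-9190-012177145e10'    # Global Administrator role template id (well known)

# 1. Authentication context that PIM will demand at activation time.
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter @{
    id          = $contextId
    displayName = 'Privileged role activation'
    description = 'Demanded by PIM on activation; CA enforces MFA every time'
    isAvailable = $true
}

# 2. CA policy bound to the context. 'everyTime' is what closes the stale-session
#    gap: an MFA claim cached from earlier in the session is not accepted.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'PIM activation: require fresh MFA'
    state       = 'enabledForReportingButNotEnforced'    # switch to 'enabled' after report-only review
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

# 3. Point the role's PIM policy at the context. The policy is located through
#    its assignment to the role at tenant scope ('/').
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaTemplate'"

Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'AuthenticationContext_EndUser_Assignment' `
    -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
        id            = 'AuthenticationContext_EndUser_Assignment'
        isEnabled     = $true
        claimValue    = $contextId
        target        = @{
            caller = 'EndUser'; operations = @('All'); level = 'Assignment'
            inheritableSettings = @(); enforcedSettings = @()
        }
    }
```

Two checks before enforcing: the PIM role settings treat "require MFA on activation" and "require authentication context" as alternatives, so once the context rule is on, the MFA requirement lives entirely in the CA policy; if that policy is disabled or mis-scoped you have weakened activation, not strengthened it. Leave the policy in report-only until the sign-in logs show the context being evaluated on real activations, then flip state to enabled and repeat step 3 for every other privileged role.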

Devices

  • Intune Enhanced App Inventory [GA] — Faster and more detailed app visibility across managed Windows devices, with improved data freshness, richer metadata, and new controls to scope which devices are included in inventory collection. Use this to identify outdated or vulnerable software faster; additional platforms are coming.

  • EPM Support Approved Elevations from all device users [GA] — Endpoint Privilege Management now allows any device user (not just the primary user or enrolling user) to submit support-approved elevation requests. Critical for shared device scenarios — review your EPM policies to ensure this expanded scope aligns with your intended posture.

  • Android credential provider management for Enterprise devices [GA] — Admins can now control which apps act as system-level credential providers (password autofill, passkey storage) on Android Enterprise managed devices running Android 14+. Configure this under Apps → Android → Configuration → Managed Devices. Note: Google Password Manager cannot be a credential provider on corporate-owned work profile devices.

  • Android XR device management [GA] — Intune now supports Android XR devices via Android Enterprise dedicated and fully managed enrollment. Devices appear alongside standard Android in the admin center. For organizations piloting AR/VR hardware, this removes the management gap.

  • Apple Declarative Device Management (DDM) for required iOS/iPadOS LOB apps [GA] — Required LOB apps on iOS/iPadOS 18+ can now be deployed via Apple’s DDM framework, improving delivery efficiency and providing real-time app status. Opt in by changing the management type to DDM in the app’s App information.

  • Direct Android LOB app management without Managed Google Play [GA] — Upload APKs directly to Intune and deploy to COBO/COSU devices without going through Managed Google Play. Removes the dependency on the Play store approval pipeline for internal apps.

  • macOS Recovery OS password management [GA] — Admins can configure and rotate a recovery OS password to prevent users from booting into recovery mode and reinstalling macOS. View recovery lock passwords in the per-setting status report — requires the “Remote tasks/View macOS recovery lock password” permission.

  • Autopatch Update Risk Visibility report [GA] — The new report extends the security update status dashboard with per-device risk classification (Current, Exposed, Critical) and highlights which policies are contributing to risk. Prioritize your remediation queue using this data.

  • Microsoft Edge 139 Security Baseline [GA] — Latest Edge security baseline is available in Intune. Evaluate against your current baseline and plan the upgrade — staying on outdated baselines leaves known-misconfiguration risk on the table.

  • Ubuntu 26.04 LTS support in Intune [Preview] — Intune now supports Ubuntu 26.04 LTS for Linux device management. Ubuntu 22.04 support ends August 2026 — identify affected devices now and begin migration planning.

  • TeamViewer connector replacement in Intune [GA] — A new, redesigned TeamViewer connector replaces the existing one with simpler onboarding and improved reliability. If you use TeamViewer for remote assistance, migrate within 12 months. Start now rather than scrambling at the deadline.

  • Windows 365 Autopilot Device Preparation (DPP) for Reserve [Preview] — Autopilot Device Preparation is now available for Windows 365 Reserve provisioning in preview. Cloud PCs show “Preparing” status while apps and configurations install before the device is handed to the user.

  • Windows 365 Admin Insights [GA] — Expanded admin insights surface utilization, performance, and health signals for Cloud PC fleets directly in the Intune admin center. Use this to right-size Cloud PC SKUs and identify under- or over-provisioned pools before they become support tickets.

Data

  • Purview DLP policy sync SLA reduction [GA — June 2026] — Policy sync time drops from 2 hours to 30 minutes. Relevant for data protection teams managing DLP rollouts — your effective policy propagation window is shrinking, which is good operationally but tightens the window to catch misconfigured policies before they spread.

Network

  • Global Secure Access Windows client — latest release [GA] — Check the release history for the current client version and any resolved issues affecting tunnel stability or connector reliability. Keep clients current; GSA client updates often resolve connectivity edge cases that surface as intermittent user complaints.

Visibility & Automation

  • Storm-2949: compromised identity → cloud-wide breach [Threat Intel] — Microsoft’s analysis of Storm-2949 shows how a single compromised identity was leveraged to move laterally across cloud services and achieve broad resource access. Review your CA policies for privileged roles, validate PIM activation requirements, and ensure token lifetime policies are applied to high-value apps.

  • Multi-stage Linux intrusion via F5 and Confluence [Threat Intel] — Attackers chained F5 edge appliance compromise with Confluence exploitation to move from perimeter to enterprise. If you expose either product, patch posture and network segmentation between edge and internal services are your immediate review items.

  • Fox Tempest malware signing service exposed [Threat Intel] — Microsoft exposed a service that provides threat actors with validly signed malware, undermining code signing as a trust signal. Review your Defender for Endpoint and AppLocker/WDAC policies — don’t rely solely on signature-based allow-listing for high-sensitivity systems.

  • Compromised antv npm packages — CI/CD credential theft [Threat Intel] — Malicious antv npm packages were used to steal CI/CD pipeline credentials. If your pipelines consume npm packages, audit your dependency lock files and supply chain controls. Workload identity federation for pipelines eliminates the static credential exposure this attack class targets.

  • Rampart and Clarity — open-source agent safety tooling [New Tooling] — Microsoft released two open-source tools for AI agent safety: Rampart (runtime guardrails for agents) and Clarity (visibility into agent behavior during development). If your org is building or evaluating agentic workloads, these integrate with the Entra Agent ID governance model and are worth evaluating early.

  • What’s new in Microsoft Security — May 2026 [Summary] — Microsoft’s monthly security summary covers Defender XDR, Defender for Endpoint, and Defender for Office 365 updates. Review for any detection rule changes, new hunting tables, or connector updates that affect your SOC workflows.
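
On the workload identity point in the antv entry above: the added example below is the editor's, not Microsoft's or any affected project's code. It replaces the client secret a GitHub Actions pipeline would use with a federated identity credential on the app registration, then removes the remaining secrets so nothing static is left to exfiltrate. The app object ID, repository and branch are assumed values; the cmdlets, issuer and audience are the documented ones.

```powershell
# Added example (editor's): move a GitHub Actions pipeline from a client secret
# to workload identity federation. Assumed: the app object id, the repo and branch.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appObjectId = '33333333-4444-5555-6666-777777777777'   # assumed: app registration OBJECT id

# Trust tokens from GitHub's OIDC issuer whose subject is exactly this repo and
# branch. Subject is an exact string match, so a fork, a PR from a fork or
# another branch presents a different subject and is refused.
New-MgApplicationFederatedIdentityCredential -ApplicationId $appObjectId -BodyParameter @{
    name        = 'github-contoso-payments-api-main'
    issuer      = 'https://token.actions.githubusercontent.com'
    subject     = 'repo:contoso/payments-api:ref:refs/heads/main'   # assumed repo/branch
    audiences   = @('api://AzureADTokenExchange')
    description = 'GitHub Actions, main branch only; replaces client secret'
}

# Nothing static should survive: list and delete every remaining password
# credential. Run this only after a pipeline run has succeeded on the federated path.
$app = Get-MgApplication -ApplicationId $appObjectId -Property id,displayName,passwordCredentials
foreach ($cred in $app.PasswordCredentials) {
    Write-Host "Removing secret '$($cred.DisplayName)' (keyId $($cred.KeyId)) from $($app.DisplayName)"
    Remove-MgApplicationPassword -ApplicationId $appObjectId -KeyId $cred.KeyId
}

# Audit: the only credentials left should be federated ones.
Get-MgApplicationFederatedIdentityCredential -ApplicationId $appObjectId |
    Select-Object Name, Issuer, Subject
```

The workflow side needs `id-token: write` in its permissions block and passes only the client ID and tenant ID to its login step; with no secret in the repository, the pipeline variables or the runner, a malicious dependency that dumps the environment gets a short-lived OIDC token bound to that one job rather than a reusable credential.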

Action Required

  • SAP SuccessFactors provisioning — migrate off basic auth. Deadline: November 2026. SAP is deprecating basic authentication for SuccessFactors APIs by November 2026. Entra now supports workload identity + short-lived tokens as the replacement. Begin migration planning immediately; this is a hard external deadline, not a Microsoft-controlled one.

  • Autopilot Intune Connector for Active Directory — old connector deprecated late June 2025. Deadline: late June 2025. If you’re still running the legacy Intune Connector for AD for hybrid join flows, the old connector reaches end of life in late June 2025. The new low-privileged connector is available now — migrate before the cutoff.

  • TeamViewer connector migration — 12-month window. Deadline: 12 months from release. If you use the old TeamViewer connector in Intune for remote assistance, you must migrate to the new connector within 12 months of this release to maintain functionality. Put it on your project board now before it becomes urgent.

  • Ubuntu 22.04 LTS — support ends August 2026. Deadline: August 2026. Intune now supports Ubuntu 26.04 LTS. Enrolled 22.04 devices stay enrolled but you should identify them (Devices → All Devices → filter Linux → add OS Version column) and notify users to upgrade before August.

  • Intune Data Warehouse Power BI beta connector v1 — retire your reports. Deadline: immediate — connector v1 is retired. The beta connector v1 for Power BI is retired. Reports created before November 2025 may still use it and need migration to connector v2 or the OData Feed connector. Audit your Power BI Intune reports now.

  • Purview DLP policy sync SLA reduction [GA: June 2026] — Effective: June 2026. Policy sync time drops from 2 hours to 30 minutes. No action required, but worth knowing for change management — your DLP policies will propagate significantly faster starting June.
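
Editor's added example for the Ubuntu 22.04 item above, not from the release notes: the same device list pulled through Graph PowerShell instead of the admin-center filter, grouped by user so it doubles as the notification list. It assumes Intune reports Ubuntu devices with operating system "Linux" and an osVersion string beginning 22.04; the output file name is also assumed.

```powershell
# Added example (editor's): list enrolled Linux devices still on Ubuntu 22.04 so
# their users can be notified before August 2026. Assumed: Intune reports the OS
# as 'Linux' with osVersion starting '22.04', as it does for Ubuntu.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# Pull the fleet once and filter client-side: osVersion is a free-form string,
# so a prefix match is the reliable test.
$devices = Get-MgDeviceManagementManagedDevice -All `
    -Property id,deviceName,operatingSystem,osVersion,userPrincipalName,lastSyncDateTime

$stale = $devices | Where-Object {
    $_.OperatingSystem -eq 'Linux' -and $_.OsVersion -like '22.04*'
}

# One row per user with every device they need to upgrade and the most recent
# check-in, so devices that have not synced in months are visible as well.
$byUser = $stale | Group-Object UserPrincipalName | ForEach-Object {
    [pscustomobject]@{
        User     = $_.Name
        Devices  = ($_.Group.DeviceName -join '; ')
        LastSync = ($_.Group.LastSyncDateTime | Measure-Object -Maximum).Maximum
    }
}

$byUser | Sort-Object LastSync | Export-Csv -Path .\ubuntu-2204-to-upgrade.csv -NoTypeInformation
'{0} Ubuntu 22.04 device(s) across {1} user(s)' -f @($stale).Count, @($byUser).Count
```

Re-run this after the notification round and again a month before the August deadline; devices whose LastSync predates the first run have not checked in and will not report an upgrade, so treat them as unmanaged until they do.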