Entra ID’s New Security Features: Real-World Zero Trust Improvements for Identity Protection

Microsoft has been rolling out a set of security and governance features in Entra ID that, for many organizations, could be the difference between a successful phishing campaign and a blocked attack. With targeted identity attacks rising and compliance requirements tightening, these updates are not just incremental; they change how you approach Zero Trust and identity governance in 2024.
WHAT’S NEW RIGHT NOW: Fresh Features That Change the Game
Three rapid-fire releases in Entra ID are making headlines among identity pros:
1. Conditional Access Authentication Strengths
Conditional Access policies support Authentication Strengths, which let you require specific combinations of authentication methods, including phishing-resistant ones (FIDO2 security keys and passkeys, Windows Hello for Business, certificate-based authentication), instead of the generic "require MFA" grant control that SMS and one-time codes also satisfy. You can mandate stronger methods for privileged roles or sensitive apps while leaving everyone else on ordinary MFA.
Example: To require phishing-resistant authentication for Global Administrators calling Microsoft Graph, create a CA policy whose grant control is Authentication strength: Phishing-resistant MFA and scope it to the Global Administrator directory role and the Microsoft Graph application. Note that the built-in Phishing-resistant MFA strength also accepts Windows Hello for Business and certificate-based authentication; if you really want FIDO2 security keys only, create a custom authentication strength that lists just that method.
2. Identity Protection Risk Remediation Automation
Entra ID Identity Protection feeds user risk and sign-in risk into policy, moving beyond alerting to enforcement at sign-in time: a user risk policy can block access or require a secure password change, and a sign-in risk policy can require MFA or block. Microsoft now recommends building these as risk-based Conditional Access policies (Conditional Access > Conditions > User risk / Sign-in risk) rather than on the legacy pages at Entra admin center > Protection > Identity Protection > User risk policy, because the CA version supports report-only mode, exclusions and the full set of grant and session controls.
There is no Azure CLI command for this; risk-based policies are ordinary conditionalAccessPolicy objects in Microsoft Graph, so you create and audit them with the Microsoft Graph PowerShell SDK. For example, to list the risk-based policies you already have:
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.Conditions.UserRiskLevels -or $_.Conditions.SignInRiskLevels } | Select-Object DisplayName, State
3. Privileged Identity Management (PIM) for Groups
Previously, PIM covered Entra directory roles and Azure resource roles. PIM for Groups lets you make membership (or ownership) of a security or Microsoft 365 group eligible rather than permanent, with just-in-time activation, approval, MFA and justification requirements, so the groups that gate app or resource permissions get the same controls as roles. This closes a longstanding gap for organizations using group-based access models.
Bring a group under PIM:
Entra admin center > Identity > Groups > All groups > select the group > Privileged Identity Management > Add assignments (the first eligible assignment onboards the group)
These features are generally available, and licensing matters: Authentication Strengths are part of Conditional Access and need Entra ID P1; Identity Protection risk-based policies and PIM (including PIM for Groups) require Entra ID P2 (PIM is also included in the Microsoft Entra ID Governance license).
WHAT’S COMING: Roadmap Announcements and Previews
Microsoft has announced two major roadmap items for Entra ID:
1. Continuous Access Evaluation (CAE) for More Apps
CAE, which lets token-bearing sessions react near-instantly to security events (user disabled, password changed, high user risk, network location change) instead of waiting for the access token to expire, works today for Microsoft first-party services and for clients that use MSAL and handle the claims challenge. Microsoft has announced that it is extending CAE to third-party and custom apps, with public preview expected by Q3 2024; watch the Entra documentation for the exact API surface.
2. Enhanced Identity Governance
Automated entitlement reviews for guest users and cross-tenant access policies will enter preview soon. This helps meet compliance needs for hybrid and multi-org scenarios, especially in regulated industries. Watch for announcements at the official Microsoft Security blog.
WHY THIS APPROACH IS BETTER: Concrete Improvements Over Previous Iterations
Here’s where the new Entra ID features stand out:
Targeted, Granular Controls
Conditional Access used to be broad-brush: "require MFA" or "block access". Now you can differentiate between authentication methods, enforce phishing-resistant methods only where needed, and reduce user friction elsewhere. This aligns with Zero Trust's "never trust, always verify" without an all-or-nothing user experience.
Automated, Actionable Identity Protection
Risk detections that only land in a report wait for an analyst; risk-based policies act at sign-in, before a session is issued, which cuts dwell time and manual workload. Two caveats: "require password change" only works if self-service password reset is enabled and the user is registered for it, and a blocked high-risk user stays blocked until an admin dismisses or confirms the risk, so have an operational process ready before you enforce.
PIM for Groups—Closing a Real-World Gap
Many organizations use security groups for app access but had no JIT controls on those groups. With PIM for Groups you can enforce least privilege, require approval workflows, and every activation is written to the Entra audit log (and to PIM's request history), where it can be reviewed or forwarded to your SIEM. No more sprawling, permanent group memberships.
Implementation Guide: Step-by-Step Setup for the New Features
Conditional Access Authentication Strengths
# Requires the Microsoft.Graph PowerShell module and Entra ID P1 (Conditional Access)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$params = @{
  displayName   = "CA-Admins-Require-Phishing-Resistant-MFA"
  state         = "enabledForReportingButNotEnforced"   # report-only first, switch to "enabled" after reviewing sign-in logs
  conditions    = @{ users = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10"); excludeUsers = @("<break-glass-account-object-id>") }   # Global Administrator role template ID; keep the emergency account out
                     applications = @{ includeApplications = @("All") }; clientAppTypes = @("all") }
  grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } }   # built-in "Phishing-resistant MFA" strength
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Alternatively, via portal:
Entra admin center > Protection > Conditional Access > Create new policy > Grant > Require authentication strength > Phishing-resistant MFA
Automated Identity Protection Risk Remediation
# Risk policies are Conditional Access policies in Graph; there is no Set-AzureADUserRiskPolicy cmdlet
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$risk = @{ displayName = "CA-Block-High-User-Risk"; state = "enabledForReportingButNotEnforced"   # report-only first
  conditions = @{ users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }; applications = @{ includeApplications = @("All") }; clientAppTypes = @("all"); userRiskLevels = @("high") }
  grantControls = @{ operator = "OR"; builtInControls = @("block") } }   # or operator "AND" with @("mfa","passwordChange") for self-remediation
New-MgIdentityConditionalAccessPolicy -BodyParameter $risk
Portal navigation:
Entra admin center > Protection > Conditional Access > Create new policy > Conditions > User risk > High, then Grant > Block access (the legacy page at Protection > Identity Protection > User risk policy still works but lacks report-only mode and exclusions)
PIM for Groups
# Requires Entra ID P2; the group becomes PIM-managed with its first eligible assignment
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"
$req = @{ accessId = "member"; principalId = "<user-or-group-object-id>"; groupId = "<group-object-id>"; action = "adminAssign"; justification = "Convert permanent membership to eligible"
  scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime().ToString("o"); expiration = @{ type = "afterDuration"; duration = "P365D" } } }   # eligibility itself expires after a year and must be renewed
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $req
Portal navigation:
Entra admin center > Identity > Groups > All groups > select the group > Privileged Identity Management > Add assignments > Eligible; then set activation duration, MFA, justification and approval under Settings
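Once groups are PIM-managed, the activation events are only useful if someone reads them. The following is an added example for this article, not Microsoft code: it reviews group activation records in the shape Microsoft Graph returns from GET /auditLogs/directoryAudits and flags activations with no justification, an activation window longer than policy allows, or a start time outside business hours. The sample records are constructed; the field names follow the Graph directoryAudit schema, while the activity label, the additionalDetails keys and the thresholds are assumptions that you should check against a real export from your tenant.

```python
"""Review PIM for Groups activation events (directoryAudit shape).
Added example for the article above, not Microsoft code. SAMPLE_EVENTS is
constructed; ACTIVATION, the additionalDetails keys and the thresholds are
assumptions to verify against your own tenant's audit export."""
from datetime import datetime

# ASSUMPTION: audit log label PIM uses for a completed group activation.
ACTIVATION = "Add member to group completed (PIM activation)"
# ASSUMPTION: longest activation your PIM group policy should allow.
MAX_ACTIVATION_HOURS = 4
# ASSUMPTION: activations outside this UTC window deserve a second look.
BUSINESS_HOURS_UTC = range(6, 22)


def _event(ts, upn, group, justification, expires, result="success"):
    """Build one constructed directoryAudit-shaped record."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": ACTIVATION,
        "loggedByService": "PIM",
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{"displayName": group, "type": "Group"}],
        "additionalDetails": [
            {"key": "Justification", "value": justification},
            {"key": "ExpirationTime", "value": expires},
        ],
    }


SAMPLE_EVENTS = [  # constructed sample export
    _event("2024-05-14T09:12:00Z", "alice@contoso.example", "sg-prod-db-admins",
           "INC-4412 restore prod replica", "2024-05-14T11:12:00Z"),
    _event("2024-05-14T23:40:00Z", "bob@contoso.example", "sg-prod-db-admins",
           "", "2024-05-15T11:40:00Z"),
    _event("2024-05-15T10:05:00Z", "carol@contoso.example", "sg-subscription-owners",
           "CHG-77 patch window", "2024-05-15T18:05:00Z"),
    {   # ordinary directory change, not a PIM activation: must be ignored
        "activityDateTime": "2024-05-15T10:30:00Z",
        "activityDisplayName": "Add member to group",
        "loggedByService": "Core Directory",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
        "targetResources": [{"displayName": "sg-all-staff", "type": "Group"}],
        "additionalDetails": [],
    },
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_activation(event):
    """Return a review record for a PIM group activation, or None for other events."""
    if event.get("loggedByService") != "PIM" or event.get("activityDisplayName") != ACTIVATION:
        return None
    start = _parse(event["activityDateTime"])
    details = {d["key"]: d["value"] for d in event.get("additionalDetails", [])}
    group = next((t["displayName"] for t in event.get("targetResources", [])
                  if t.get("type") == "Group"), "?")
    findings = []
    if not details.get("Justification", "").strip():
        findings.append("no justification")
    if "ExpirationTime" in details:
        hours = (_parse(details["ExpirationTime"]) - start).total_seconds() / 3600
        if hours > MAX_ACTIVATION_HOURS:
            findings.append(f"activation of {hours:.0f}h exceeds {MAX_ACTIVATION_HOURS}h")
    if start.hour not in BUSINESS_HOURS_UTC:
        findings.append("activated outside 06:00-22:00 UTC")
    if event.get("result") != "success":
        findings.append(f"result={event.get('result')}")
    return {"user": event["initiatedBy"]["user"]["userPrincipalName"], "group": group,
            "time": event["activityDateTime"], "findings": findings}


def review_all(events):
    """Review every PIM activation in an export, skipping unrelated audit records."""
    return [r for r in map(review_activation, events) if r]


def flagged(events):
    """Only the activations an analyst should look at."""
    return [r for r in review_all(events) if r["findings"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_EVENTS):
        print(r["time"], r["user"], r["group"], "; ".join(r["findings"]))
```

Run it against a real export by replacing SAMPLE_EVENTS with the "value" array from the directoryAudits response (filter on loggedByService eq 'PIM' server-side to keep it small). The thresholds are deliberately simple; the point is that activation telemetry becomes a detection source rather than an audit artefact nobody opens.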
Before/After Comparison: What Changes for Practitioners?
Prior to these updates, enforcing strong authentication and risk remediation meant cobbling together scripts, manual reviews, and custom workflows. Now, you can:
- Enforce phishing-resistant authentication for admins without affecting all users
- Automatically block or remediate risky sign-ins, not just flag them
- Make group memberships eligible and time-bound instead of permanent
These changes reduce manual overhead, improve security outcomes, and help address compliance requirements.
Top Mistakes to Avoid
1. Assuming All MFA Is Equal: Conditional Access now distinguishes authentication strength. Don't rely on the generic MFA control for privileged roles; require a phishing-resistant strength.
2. Overlooking Licensing: Authentication Strengths need Entra ID P1, while Identity Protection risk policies and PIM for Groups need P2. Verify your licensing before rollout to avoid unexpected errors.
3. Neglecting User Experience: Forcing high-strength authentication everywhere can frustrate users. Scope policies carefully; target admins, privileged users, and high-value apps.
4. Failing to Review Automated Remediation: Automated actions on high-risk users are powerful, but can disrupt business processes if misconfigured. Start every policy in report-only mode, monitor the sign-in log, then enforce and adjust iteratively.
5. Locking Yourself Out: Any policy that can block (phishing-resistant requirements for admins, user-risk blocks) must exclude your emergency access (break-glass) accounts, or a single misconfiguration can lock every administrator out of the tenant.
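The mistakes above are easy to catch before a policy ever reaches the tenant if you treat Conditional Access as code. The following is an added example for this article, not Microsoft code: it builds the two policies from the implementation guide (phishing-resistant MFA for Global Administrators, block on high user risk) in the JSON shape the Microsoft Graph conditionalAccessPolicy resource expects, and lints them offline for generic MFA on privileged roles, a missing break-glass exclusion, a risk block that goes straight to enforced, and a policy with no controls. The authentication strength and role template IDs are Microsoft's documented built-in values; the break-glass account ID is a placeholder.

```python
"""Build and lint Conditional Access policy bodies for Microsoft Graph
(POST /identity/conditionalAccess/policies). Added example for the article
above, not Microsoft code. BREAK_GLASS_USER is an assumption/placeholder."""
import json

# Built-in authentication strength IDs documented by Microsoft.
AUTH_STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"                # any MFA, SMS/voice included
AUTH_STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # FIDO2/passkey, WHfB, CBA

# Well-known role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# ASSUMPTION: object ID of the tenant's emergency access (break-glass) account.
BREAK_GLASS_USER = "11111111-2222-3333-4444-555555555555"

REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(display_name, enforce):
    """Common skeleton: report-only unless the caller explicitly enforces."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else REPORT_ONLY,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def admin_phishing_resistant_policy(role_ids, break_glass_ids, enforce=False):
    """Require the built-in phishing-resistant strength for the given directory roles."""
    policy = _base("CA-Admins-Require-Phishing-Resistant-MFA", enforce)
    policy["conditions"]["users"] = {"includeRoles": list(role_ids),
                                     "excludeUsers": list(break_glass_ids)}
    policy["grantControls"] = {"operator": "OR",
                               "authenticationStrength": {"id": AUTH_STRENGTH_PHISHING_RESISTANT}}
    return policy


def block_high_user_risk_policy(break_glass_ids, enforce=False):
    """Block sign-in for users Identity Protection rates as high risk."""
    policy = _base("CA-Block-High-User-Risk", enforce)
    policy["conditions"]["users"] = {"includeUsers": ["All"],
                                     "excludeUsers": list(break_glass_ids)}
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


# Constructed example of the pattern mistake 1 warns about: privileged roles
# protected only by the generic MFA control, and no break-glass exclusion.
LEGACY_ADMIN_MFA_POLICY = {
    "displayName": "Legacy-Admins-Require-MFA",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": []},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    strength = (grant.get("authenticationStrength") or {}).get("id")

    if users.get("includeRoles"):  # mistake 1: privileged roles satisfied by any MFA method
        if "mfa" in controls and not strength:
            findings.append("privileged roles satisfied by generic MFA; use an authentication strength")
        if strength == AUTH_STRENGTH_MFA:
            findings.append("privileged roles use the built-in MFA strength, which still allows SMS/voice")

    # lock-out guard: every policy must exclude the emergency access account
    if BREAK_GLASS_USER not in users.get("excludeUsers", []):
        findings.append("break-glass account not excluded")

    # mistake 4: automated block on user risk submitted as enforced rather than report-only
    if cond.get("userRiskLevels") and "block" in controls and policy.get("state") == "enabled":
        findings.append("user-risk block policy is enforced; confirm report-only results were reviewed")

    if not grant and not policy.get("sessionControls"):
        findings.append("policy has no grant or session controls and does nothing")
    return findings


def to_graph_json(policy):
    """Serialise the policy as the request body for Graph."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (admin_phishing_resistant_policy([GLOBAL_ADMIN_ROLE], [BREAK_GLASS_USER]),
              block_high_user_risk_policy([BREAK_GLASS_USER], enforce=True),
              LEGACY_ADMIN_MFA_POLICY):
        print(p["displayName"], lint_policy(p) or "OK")
```

Wire lint_policy into the pipeline that submits policies (or run it over the output of GET /identity/conditionalAccess/policies to audit what is already in the tenant); a non-empty finding list should fail the job. The checks are intentionally opinionated, so adjust them to your own standards, but keep the break-glass rule.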
Practical Takeaway: What Should You Do Next?
Microsoft Entra ID’s latest features give you more control, more automation, and better alignment with Zero Trust principles. Review your Conditional Access and Identity Protection policies now—adapt them to use authentication strengths and automated remediation, and start piloting PIM for Groups. Monitor the Microsoft Security blog for roadmap updates, and plan your licensing and rollout strategy to maximize impact. The threat landscape isn’t waiting, and neither should you.