Microsoft Entra Agent ID brings identity management to AI, plus key migration deadlines

Microsoft has just introduced Microsoft Entra Agent ID to extend its identity and access management services to AI agents. With Agent ID, organizations can decide how AI agents interact with data, systems, and users. Each agent receives a unique identifier and a consistent identity that can be used with different tools and environments. Microsoft said this helps with core identity functions such as authentication, authorization, and lifecycle management.

As with human users, Agent ID allows admins to create Conditional Access policies for agents that enforce least-privilege access and monitor the agents' activity. Admins that use these tools can ensure the safer deployment of AI.

Aside from Agent ID, Microsoft announced that in November 2025, Microsoft Entra ID will support passkey profiles in public preview. This will allow administrators to have group-based control over passkey configurations.

After the update is rolled out, Microsoft says you’ll be able to allow different FIDO2 security key models or Microsoft Authenticator passkeys for specific user groups. Microsoft said it’ll also start accepting any WebAuthn-compliant security key or passkey provider when “Enforce attestation” is disabled.

These changes are a significant improvement for organizations wanting to implement more nuanced passkey strategies. It’s also great for those looking to move more towards passwordless authentication and reduce the risk of compromised passwords.

In its announcement, Microsoft also shared some critical migrations and deprecations that administrators need to act on right now. On July 31, 2025, the User Risk Policy and Sign-In Risk Policy pages in Entra ID Protection will become read-only; Microsoft says you need to migrate to Conditional Access to carry on managing them.

Starting in July and rolling out through the rest of the year are changes to guest authentication for B2B Collaboration in Microsoft Entra ID. Guest users will now sign in on the host tenant’s branded screen before redirection back to the organization where they can complete the sign-in process. Microsoft says this change helps prevent user confusion during cross-tenant sign-in.

Finally, between now and August 30, 2025, the “Automatically capture sign-in fields” feature for Password-Based single sign-on (SSO) will be removed. The method for new configurations is manual capture with the MyApps Secure Sign-In Extension. Existing apps will continue to work just fine.

Several other dates were given that are important for people to be aware of. In September 2025, Microsoft will retire Azure AD Graph API and is asking users to migrate to Microsoft Graph urgently. Also in September, the Authenticator app on iOS will switch to iCloud/iCloud Keychain for backup, which removes the old in-app backup and personal Microsoft account dependency. The final change in September is that Microsoft Entra ID Access Review will only retain review history for the past year, and older data won’t be retrievable; for longer retention, you need to export and archive the data.

In mid-October, AzureAD PowerShell modules will begin their retirement, with outage tests to be conducted in September. Microsoft urges users to migrate to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell.
