MODIFIED docs/fundamentals/whats-new.md

Modified by Ortagus Winfrey on Mar 12, 2026 12:04 PM
📖 View on learn.microsoft.com

+34 / -23 lines changed

Commit: Microsoft Entra Connect security hardening updated release notes

Changes:

Before

After

**Service category:** Entra Connect  
**Product capability:** Access Control  
 
As part of ongoing security hardening, Microsoft has implemented new safeguards to block account takeover attempts via hard match abuse in Microsoft Entra Connect (known as SyncJacking). Enforcement of this change begins in March 2026. 
 
What’s Changing: 
 
- Enforcement logic now checks OnPremisesObjectIdentifier to detect and block remapping attempts. 
    
- Audit logs have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled. 
    
- Admin capability added to clear OnPremisesObjectIdentifier for legitimate recovery scenarios. 
 
Customer Action Required: 
 
- Upgrade to the latest Microsoft Entra Connect version. 
    
- Review updated hardening guidance and enable recommended flags:  
    
- Disable [hard match takeover](/powershell/module/microsoft.entra.directorymanagement/set-entradirsyncfeature?view=entra-powershell&preserve-view=true)

**Service category:** Entra Connect  
**Product capability:** Access Control  
 
When Microsoft Entra Connect adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with an Entra object by looking up the incoming object’s [sourceAnchor value against the OnPremisesImmutableId attribute](../identity/hybrid/connect/how-to-connect-install-existing-tenant?source=recommendations.md#hard-match-vs-soft-match) of existing cloud managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect Sync takes over the source or authority (SoA) of that object and updates it with the properties of the incoming Active Directory object in what is known as "hard-match."
 
As part of ongoing security hardening, Microsoft is going to introduce enforcement changes in Microsoft Entra Connect to mitigate the risk of account takeover via hard match abuse. Enforcement of this change will begin on **July 1, 2026**. 
 
**What’s Changing:**
 
- Microsoft Entra will block attempts by Entra Connect to modify the OnPremisesObjectIdentifier attribute after it has already been set on a synced user object. This prevents re‑mapping an existing Entra ID user to a different on‑premises identity.
- [Audit logs](../identity/monitoring-health/reference-audit-activities.md#core-directory) have been enhanced to capture changes to OnPremisesObjectIdentifier and DirSyncEnabled, enabling better visibility into synchronization behavior.
- To support [legitimate](../identity/hybrid/connect/how-to-connect-migrate-groups.md) scenarios where an existing hard match must be corrected, Microsoft has introduced a Microsoft Graph API that allows controlled recovery actions, without re‑enabling hard‑match abuse or unauthorized re‑mapping.
 
**What's Not Changing:**
 
- This enforcement applies only to scenarios where OnPremisesObjectIdentifier is being modified after it has already been set. Hard match functionality using [onPremisesImmutableId](../identity/hybrid/connect/plan-connect-design-concepts.md#sourceanchor) remains supported and unchanged. Customers can continue to perform initial hard matches as before.
 
**Customer Action Required:**

MODIFIED docs/identity-platform/concept-native-authentication.md

Modified by Kenga Derdus on Mar 12, 2026 2:59 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Learn Editor: Update concept-native-authentication.md

Changes:

Before

After

 
The following table shows the availability of features for browser-delegated and native authentication. 
 
|   | Browser-delegated authentication | Native authentication | 
| ---- | --- |  --- |
| **Sign up and sign in with email one-time passcode (OTP)** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Sign up and sign in with email and password** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Sign in with email and password can use username and password** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Self-service password reset (SSPR)**  | :heavy_check_mark:  | :heavy_check_mark:  |
| **Custom claims provider** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Multifactor authentication with email one-time passcode (OTP)**| :heavy_check_mark:  | :heavy_check_mark:  |

 
The following table shows the availability of features for browser-delegated and native authentication. 
 
|   | Browser-delegated authentication | Native authentication |
| ---- | --- |  --- |
| **Sign up and sign in with email one-time passcode (OTP)** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Sign up and sign in with email and password** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Sign in with email and password can use username (alias) and password** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Self-service password reset (SSPR)**  | :heavy_check_mark:  | :heavy_check_mark:  |
| **Custom claims provider** | :heavy_check_mark:  | :heavy_check_mark:  |
| **Multifactor authentication with email one-time passcode (OTP)**| :heavy_check_mark:  | :heavy_check_mark:  |

MODIFIED docs/identity/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial.md

Modified by Carolyn McSharry on Mar 12, 2026 10:10 AM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Update github-enterprise-managed-user-oidc-provisioning-tutorial.md

Changes:

Before

After

This article describes the steps you need to perform in both GitHub Enterprise Managed User (OIDC) and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to GitHub Enterprise Managed User (OIDC) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
 
> [!NOTE]
> [GitHub Enterprise Managed User (EMU)](https://docs.github.com/enterprise-cloud@latest/admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users) is a different type of [GitHub Enterprise Account](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts). If you haven't specifically requested EMU instance, you have a standard GitHub Enterprise Account. In that case, please refer to [the documentation](./github-provisioning-tutorial.md) to configure user provisioning in your non-EMU organisation. User provisioning isn't supported for [standard GitHub Enterprise Accounts](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts), but is supported for organisations under standard GitHub Enterprise Account.
 
## Capabilities Supported
> [!div class="checklist"]

This article describes the steps you need to perform in both GitHub Enterprise Managed User (OIDC) and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to GitHub Enterprise Managed User (OIDC) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
 
> [!NOTE]
> [GitHub Enterprise Managed User (EMU)](https://docs.github.com/enterprise-cloud@latest/admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users) is a different type of [GitHub Enterprise Account](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts). If you haven't specifically requested EMU instance, you have a standard GitHub Enterprise Account. In that case, please refer to [the documentation](./github-provisioning-tutorial.md) to configure user provisioning in your non-EMU organization. User provisioning isn't supported for [standard GitHub Enterprise Accounts](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts), but is supported for organizations under standard GitHub Enterprise Account.
 
## Capabilities Supported
> [!div class="checklist"]

MODIFIED docs/identity/saas-apps/g-suite-provisioning-tutorial.md

Modified by Carolyn McSharry on Mar 12, 2026 10:00 AM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Fix typo in G Suite provisioning tutorial

Changes:

Before

After

 
To configure scoping filters, refer to the following instructions provided in the [Scoping filter article](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
Use [on-demand provisioning](~/identity/app-provisioning/provision-on-demand.md) to validate sync witha few users before deploying more broadly in your organization.  
 
When you're ready to provision, select **Start Provisioning** from the **Overview** page.

 
To configure scoping filters, refer to the following instructions provided in the [Scoping filter article](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
Use [on-demand provisioning](~/identity/app-provisioning/provision-on-demand.md) to validate sync with a few users before deploying more broadly in your organization.  
 
When you're ready to provision, select **Start Provisioning** from the **Overview** page.

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files