MC1300584 – Microsoft Entra: App Instance Lock enabled by default for new applications

check before: 2026-05-28

Product:

Entra, Microsoft Graph

Platform:

Developer, Online, World tenant

Status:

Change type:

New feature, User impact, Admin impact

Summary:
Microsoft Entra ID will enable App Instance Lock by default for new applications starting June 2026, protecting sensitive properties from unauthorized changes outside the home tenant. Existing apps are unaffected. Admins can disable the lock if needed. Review and update automation or scripts accordingly before rollout.

Details:
[Introduction]
To improve application security, Microsoft Entra ID will enable App Instance Lock by default for newly created applications. This change prevents sensitive application properties from being modified outside the application's home tenant, reducing the risk of unauthorized changes that can lead to application compromise. Based on our data analysis, we do not expect this change to cause customer impact. App owners or administrators in the application home tenant can still disable App Instance Lock for specific applications if their scenario requires updates to protected properties in other tenants.
[When this will happen]
General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by late June 2026.

Created:
2026-05-05

updated:
2026-05-05

Direct effects for Operations**

App Instance Lock Implementation
Enabling App Instance Lock by default may disrupt existing automation scripts that modify application properties, leading to failed updates and potential service disruptions.
   - roles: Microsoft Entra Administrators, Developers
   - references: https://learn.microsoft.com/entra/identity-platform/howto-configure-app-instance-property-locks

Error Handling
Blocked attempts to modify protected properties will return a 400 Bad Request error, which may confuse users and developers who are unaware of the new default settings.
   - roles: Developers, End Users
   - references: https://learn.microsoft.com/entra/identity-platform/howto-configure-app-instance-property-locks

Testing and Validation
Without proper testing of application provisioning and credential management flows, organizations may face unexpected downtime or security issues due to unhandled errors from the App Instance Lock.
   - roles: Microsoft Entra Administrators, Developers
   - references: https://learn.microsoft.com/entra/identity-platform/howto-configure-app-instance-property-locks

** AI generated content. This information must be reviewed before use.
