check before: 2026-08-11
Product:
eDiscovery, Entra, Microsoft 365 Apps, Microsoft Graph, Purview Communication Compliance, Purview Data Loss Prevention, Purview Information Protection
Platform:
Developer, Online, US Instances, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Summary:
Microsoft Entra will enforce a stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when the internalDomainFederation does not match the user's UPN domain. This affects tenants with federated domains configured before December 2025 and aims to enhance security against cross-domain sign-in risks.
Details:
[Introduction]
To strengthen security for federated authentication, Microsoft Entra will update the default behavior of federatedTokenValidationPolicy. This policy governs how Microsoft Entra validates federated authentication tokens and determines whether sign-ins are allowed when the internalDomainFederation does not match the user's UPN domain. Previously, enforcing this behavior required explicit tenant configuration, but it will now be applied by default to reduce the risk of unintended cross-domain sign-ins caused by misconfigured or overly permissive federation trust relationships.
[When this will happen]
General Availability (Worldwide, GCC, GCCH, and DoD): We will begin rolling out in mid-August 2026 and expect to complete by mid-August 2026.
Release Phase:
Created:
2026-05-08
Updated:
2026-05-08
Direct effects for Operations**
Federated Sign-in Failures
Federated sign-ins will be blocked if the internalDomainFederation does not match the user's UPN domain, leading to failed sign-ins for users relying on cross-domain authentication.
- roles: Security Administrators, Helpdesk Support
- references: https://learn.microsoft.com/graph/api/federatedtokenvalidationpolicy-get?view=graph-rest-beta&tabs=http
Impact on Conditional Access Policies
Changes in authentication enforcement behavior may affect how Conditional Access policies evaluate federated sign-ins, potentially leading to unintended access denials.
- roles: IT Administrators, Compliance Officers
- references: https://learn.microsoft.com/graph/api/internaldomainfederation-get?view=graph-rest-1.0&tabs=http
Increased Support Escalations
The change may lead to increased support requests from users experiencing sign-in issues, necessitating better communication and preparation from helpdesk teams.
- roles: Helpdesk Support, IT Administrators
- references: https://learn.microsoft.com/graph/api/resources/validatingdomains?view=graph-rest-beta
** AI generated content. This information must be reviewed before use.
Last updated 1 month ago