There will be some incoming changes to Microsoft’s identity and access platform, Microsoft Entra ID, retiring custom controls in favour of external multi-factor authentication. 

Standardising policy enforcement across all environments, moving to external MFA will provide consistent conditional access enforcement and integrate with EntraID. It also offers seamless integration of third-party MFA providers into Conditional Access and removing legacy architecture.  

“Together, these changes help ensure that your security policies are applied uniformly and backed by strong, user-verified signals,” Krishnamurthy noted. 

The incoming updates target three vectors, including implementing third-party MFA integrations, credential registration, and tightening self-service password reset. 

Custom controls retire September 30, 2026, and reach end of life in May 2027. 

Previously, Conditional Access rules targeting the Register security information user action protected registrations in My Security Info and Microsoft Authenticator, but left a blind spot during initial device setup. Starting the week of July 6, these security policies will strictly apply to Windows Hello for Business provisioning and macOS Platform Single Sign-on registration, closing a long-standing loophole exploited by attackers during onboarding.