Microsoft Entra: App Instance Lock enabled by default for new applications
MC1300584 · build prod-20251231-200323
Category: planForChange
Severity: normal
Major change: False
Last modified: 2026-05-04 15:35:57
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2026-05-28 07:00:00
Action by (AI):
Services: Microsoft Entra
Tags: New feature, User impact, Admin impact
Master tags: Admin, Security
Roadmap IDs:

One-line summary

App Instance Lock will be enabled by default in Entra for new apps from early June 2026, restricting modifications to sensitive properties outside the home tenant.

Details

Summary
Microsoft Entra ID will enable App Instance Lock by default for new applications starting June 2026, protecting sensitive properties from unauthorized changes outside the home tenant. Existing apps are unaffected. Admins can disable the lock if needed. Review and update automation or scripts accordingly before rollout.

Body (from Message Center)

[Introduction]

To improve application security, Microsoft Entra ID will enable App Instance Lock by default for newly created applications. This change prevents sensitive application properties from being modified outside the application’s home tenant, reducing the risk of unauthorized changes that can lead to application compromise. Based on our data analysis, we do not expect this change to cause customer impact. App owners or administrators in the application home tenant can still disable App Instance Lock for specific applications if their scenario requires updates to protected properties in other tenants.

[When this will happen]

General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by late June 2026.

[How this affects your organization]

Who is affected

  • Microsoft Entra administrators
  • Developers who manage Microsoft Entra applications
  • Organizations using automation or scripts to update application credentials or security settings after app creation

What will happen?

  • App Instance Lock will be enabled by default for all newly created applications.
  • Sensitive service principal properties will be protected by default.
  • Attempts to modify these protected properties will be blocked unless App Instance Lock is explicitly disabled.
  • Blocked update attempts will return a 400 Bad Request error, and the update will not be applied.
  • Existing applications are not affected by this change.

Example Microsoft Graph error returned when attempting to update passwordCredentials on a locked application:

[Image: example Microsoft Graph error response]

[What you can do to prepare]

  • Review automation, scripts, or provisioning workflows that modify service principal credentials or related settings.
  • Validate that existing workflows do not depend on App Instance Lock being disabled and update them to avoid modifying protected properties unless the lock is intentionally disabled.
  • Disable App Instance Lock for specific applications if post‑creation updates are required.
  • Test application provisioning and credential management flows prior to rollout in mid-May.

Learn more: How to configure app instance property lock in your applications | Microsoft identity platform | Microsoft Entra | Microsoft Learn
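
An offline pre-rollout audit for the review step above, as an added example (not Microsoft's code): it models which service principal updates a lock configuration covers, using the `servicePrincipalLockConfiguration` field names from the Microsoft Graph application resource. The application objects, the planned-update list and the conservative handling of credentials with unknown usage are assumptions constructed for the example.

```python
# Added example: offline audit of app instance lock settings.
# SAMPLE_APPS is constructed data shaped like Microsoft Graph application objects.
SAMPLE_APPS = [
    {"displayName": "new-app", "servicePrincipalLockConfiguration":
        {"isEnabled": True, "allProperties": True}},
    {"displayName": "partial-lock", "servicePrincipalLockConfiguration":
        {"isEnabled": True, "allProperties": False,
         "credentialsWithUsageVerify": True, "credentialsWithUsageSign": False,
         "tokenEncryptionKeyId": False}},
    {"displayName": "lock-disabled", "servicePrincipalLockConfiguration":
        {"isEnabled": False, "allProperties": True}},
    {"displayName": "existing-app", "servicePrincipalLockConfiguration": None},
]

CREDENTIAL_PROPS = {"keyCredentials", "passwordCredentials"}
SENSITIVE_PROPS = CREDENTIAL_PROPS | {"tokenEncryptionKeyId"}
USAGE_FLAG = {"Verify": "credentialsWithUsageVerify", "Sign": "credentialsWithUsageSign"}


def would_block(app, prop, usage=None):
    """Return True if the lock configuration covers this service principal update."""
    cfg = app.get("servicePrincipalLockConfiguration") or {}
    if prop not in SENSITIVE_PROPS or not cfg.get("isEnabled"):
        return False  # property not protected, or lock absent/disabled
    if cfg.get("allProperties"):
        return True   # every sensitive property is locked
    if prop == "tokenEncryptionKeyId":
        return bool(cfg.get("tokenEncryptionKeyId"))
    if usage in USAGE_FLAG:
        return bool(cfg.get(USAGE_FLAG[usage]))
    # Usage unknown: conservative assumption, flag if either credential lock is set.
    return any(cfg.get(flag) for flag in USAGE_FLAG.values())


def audit(apps, planned_updates):
    """List (app, property, usage) updates a workflow should expect to fail with 400."""
    return [(app["displayName"], prop, usage)
            for app in apps
            for prop, usage in planned_updates
            if would_block(app, prop, usage)]


# Hypothetical updates an automation performs after app creation.
PLANNED = [("passwordCredentials", None), ("keyCredentials", "Sign"), ("tags", None)]

if __name__ == "__main__":
    for row in audit(SAMPLE_APPS, PLANNED):
        print("expect 400 Bad Request:", row)
```
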

[Compliance considerations]

Question: Does the change include an admin control?
Answer: Yes. Admins can disable App Instance Lock per application when required.
