Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings
MC1303719
Category: planForChange
Severity: normal
Major change: False
Last modified: 2026-05-07 22:39:10
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2026-08-11 07:00:00
Action by (AI):
Services: Microsoft Entra
Tags: Admin impact
Master tags: Admin, Security
Roadmap IDs:
One-line summary

Microsoft Entra will enforce stricter federated sign-in validation by default, blocking cross-domain sign-ins unless the internalDomainFederation matches the user’s UPN domain starting mid-August 2026.

Details

Summary
Microsoft Entra will enforce stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when internalDomainFederation doesn't match the user's UPN domain. This affects tenants with federated domains configured before December 2025 and aims to enhance security against cross-domain sign-in risks.

Body (from Message Center)

[Introduction]

To strengthen security for federated authentication, Microsoft Entra will update the default behavior of federatedTokenValidationPolicy. This policy governs how Microsoft Entra validates federated authentication tokens and determines whether sign-ins are allowed when the internalDomainFederation does not match the user’s UPN domain. Previously, enforcing this behavior required explicit tenant configuration, but it will now be applied by default to reduce the risk of unintended cross-domain sign-ins caused by misconfigured or overly permissive federation trust relationships.

[When this will happen]

General Availability (Worldwide, GCC, GCCH, and DoD): We will begin rolling out in mid-August 2026 and expect to complete by mid-August 2026.

[How this affects your organization]

Who is affected

  • Microsoft 365 tenants using federated authentication in Microsoft Entra
  • Admins managing federated domains that were configured before December 2025
  • Applies only to federated domains that have an internalDomainFederation object

What will happen

  • By default, federated sign-ins will be blocked when the internalDomainFederation does not match the user’s UPN domain.
  • The internalDomainFederation object is typically created automatically during federation setup with Active Directory Federation Services (AD FS) or other identity providers (IdPs).
  • This stricter default behavior of the federatedTokenValidationPolicy is already enforced for federated domains added since December 2025.
  • After this change, the same behavior will apply to all existing federated domains with an internalDomainFederation object.
  • Impacted sign-ins will fail with the error:

AADSTS5000820: Sign-in blocked by Federated Token Validation policy. Contact your administrator for details.

  • There is no change to the user experience unless cross-domain federated sign-ins are currently occurring.

[What you can do to prepare]

  • No action is required for most organizations.
  • Cross-domain federated sign-ins will be blocked automatically as part of this security improvement.
  • Organizations that rely on cross-domain federated sign-ins should review their existing federation configurations before rollout.
  • (Strongly discouraged) If required for business continuity, Security Administrators, Hybrid Identity Administrators, or External Identity Provider Administrators can use Microsoft Graph to create a custom federatedTokenValidationPolicy with rootDomains = none to allow cross-domain sign-ins.
  • Communicate this change to identity and helpdesk teams to reduce support escalations.
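The following is an added example, not code from the Message Center post or from Microsoft. It models the rule described above (a federated sign-in is blocked when the federation's domain does not match the user's UPN domain), checks whether a tenant's federatedTokenValidationPolicy carries the permissive rootDomains = none override the post discourages, and triages sign-in log records for the AADSTS5000820 error so affected users can be found before and after rollout. Assumptions: the match is modelled as exact, case-insensitive domain equality; the policy JSON follows the Microsoft Graph beta shape (validatingDomains.rootDomains); sign-in records follow the Graph auditLogs/signIns shape (userPrincipalName, status.errorCode). All sample data is constructed.

```python
"""Model of the federatedTokenValidationPolicy default and a triage of
sign-in log records for AADSTS5000820 (added example; assumptions noted
in the comments)."""
import json
from collections import Counter

FEDERATED_TOKEN_VALIDATION_ERROR = 5000820  # AADSTS5000820 from the post


def upn_domain(upn: str) -> str:
    """Domain part of a UPN, lower-cased (Dana@CONTOSO.com -> contoso.com)."""
    return upn.rsplit("@", 1)[-1].lower()


def policy_allows_cross_domain(policy: dict) -> bool:
    """True only when a custom policy sets validatingDomains.rootDomains to
    "none" (assumed Graph beta property name), the override the post calls
    strongly discouraged. Anything else is treated as the strict default."""
    validating = policy.get("validatingDomains") or {}
    return str(validating.get("rootDomains", "")).lower() == "none"


def sign_in_allowed(upn: str, federated_domain: str, policy=None) -> bool:
    """Model of the new default: allow only when the federated domain equals
    the UPN domain, unless the tenant opted into the permissive override.
    Assumption: exact domain equality stands in for the service's match."""
    if policy is not None and policy_allows_cross_domain(policy):
        return True
    return upn_domain(upn) == federated_domain.lower()


def find_cross_domain_sign_ins(pairs, policy=None):
    """Pre-rollout review: return the (UPN, federated domain) pairs the
    default will block. The user-to-federated-domain pairing is input the
    admin supplies from their own federation inventory."""
    return [(u, d) for u, d in pairs if not sign_in_allowed(u, d, policy)]


def triage_blocked_sign_ins(records) -> dict:
    """Post-rollout check: count AADSTS5000820 failures per user in sign-in
    log records, most affected first."""
    counts = Counter(
        r["userPrincipalName"]
        for r in records
        if (r.get("status") or {}).get("errorCode") == FEDERATED_TOKEN_VALIDATION_ERROR
    )
    return dict(counts.most_common())


# --- constructed sample data (not real tenant data) ---
DEFAULT_POLICY = {}  # no custom override present
OVERRIDE_POLICY = {"validatingDomains": {"rootDomains": "none"}}

SAMPLE_PAIRS = [
    ("alice@contoso.com", "contoso.com"),   # same domain: allowed
    ("bob@fabrikam.com", "contoso.com"),    # cross-domain: blocked by default
    ("Dana@CONTOSO.com", "contoso.com"),    # case differs only: allowed
]

SAMPLE_SIGN_INS = json.loads("""[
  {"userPrincipalName": "alice@contoso.com",
   "status": {"errorCode": 0, "failureReason": "Other."}},
  {"userPrincipalName": "bob@fabrikam.com",
   "status": {"errorCode": 5000820,
              "failureReason": "Sign-in blocked by Federated Token Validation policy."}},
  {"userPrincipalName": "bob@fabrikam.com",
   "status": {"errorCode": 5000820,
              "failureReason": "Sign-in blocked by Federated Token Validation policy."}},
  {"userPrincipalName": "carol@contoso.com",
   "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}}
]""")

if __name__ == "__main__":
    print("Would be blocked by the new default:",
          find_cross_domain_sign_ins(SAMPLE_PAIRS))
    print("Override present:", policy_allows_cross_domain(OVERRIDE_POLICY))
    print("AADSTS5000820 failures per user:",
          triage_blocked_sign_ins(SAMPLE_SIGN_INS))
```

On a real tenant, feed `triage_blocked_sign_ins` the records returned from the Graph sign-in log and `policy_allows_cross_domain` the tenant's federatedTokenValidationPolicy object; a non-empty result from the first, or True from the second, is the signal to review the federation configuration rather than to keep the override.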

Learn more:

[Compliance considerations]

Question: Does the change include an admin control, and can it be controlled through Microsoft Entra ID group membership?
Answer: Yes. Administrators can configure a custom federatedTokenValidationPolicy using Microsoft Graph to override the default behavior, although this is strongly discouraged due to security risks.

Question: Does the change modify, interrupt, or disable Purview capabilities such as Data Loss Prevention, Information Protection, Conditional Access, audit logging, eDiscovery, encryption, or retention policies?
Answer: Yes. This change affects authentication enforcement behavior in Microsoft Entra, which may indirectly influence how Conditional Access policies evaluate federated sign-ins.

Raw JSON (for debugging)

{
  "snapshot_item": {
    "action_required_by": "2026-08-11T07:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Review federation configurations if relying on cross-domain federated sign-ins",
      "Communicate change to identity/helpdesk teams",
      "Optionally modify federatedTokenValidationPolicy using Microsoft Graph (discouraged)"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Microsoft Entra will enforce stricter federated sign-in validation by default, blocking cross-domain sign-ins unless the internalDomainFederation matches the user\u2019s UPN domain starting mid-August 2026.",
    "ai_topics": [
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Microsoft Entra will enforce stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when internalDomainFederation doesn\u0027t match the user\u0027s UPN domain. This affects tenants with federated domains configured before December 2025 and aims to enhance security against cross-domain sign-in risks."
    },
    "id": "MC1303719",
    "importance": 3,
    "is_major_change": false,
    "last_modified": "2026-05-07T22:39:10Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings"
  }
}