Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings

Microsoft Entra will enforce a stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when the internalDomainFederation does not match the user’s UPN domain. This affects tenants with federated domains configured before December 2025 and aims to reduce cross-domain sign-in risks.

To strengthen security for federated authentication, Microsoft Entra will update the default behavior of federatedTokenValidationPolicy. This policy governs how Microsoft Entra validates federated authentication tokens and determines whether sign-ins are allowed when the internalDomainFederation does not match the user’s UPN domain. Previously, enforcing this behavior required explicit tenant configuration; it will now be applied by default to reduce the risk of unintended cross-domain sign-ins caused by misconfigured or overly permissive federation trust relationships.

When this will happen

General Availability (Worldwide, GCC, GCCH, and DoD): We will begin rolling out in mid-August 2026 and expect to complete by mid-August 2026.

How this affects your organization

Who is affected

* Microsoft 365 tenants using federated authentication in Microsoft Entra
* Admins managing federated domains that were configured before December 2025
* Applies only to federated domains that have an internalDomainFederation object

What will happen

By default, federated sign-ins will be blocked when the internalDomainFederation does not match the user’s UPN domain. The internalDomainFederation object is typically created automatically during federation setup with Active Directory Federation Services (AD FS) or other identity providers (IdPs).

This stricter default behavior of the federatedTokenValidationPolicy is already enforced for federated domains added since December 2025. After this change, the same behavior will apply to all existing federated domains with an internalDomainFederation object.

Impacted sign-ins will fail with the error: AADSTS5000820: Sign-in blocked by Federated Token Validation policy. Contact your administrator for details.

There is no change to the user experience unless cross-domain federated sign-ins are currently occurring.

What you can do to prepare

No action is required for most organizations. Cross-domain federated sign-ins will be blocked automatically as part of this security improvement.

Organizations that rely on cross-domain federated sign-ins should review their existing federation configurations before rollout.

(Strongly discouraged) If required for business continuity, Security Administrators, Hybrid Identity Administrators, or External Identity Provider Administrators can use Microsoft Graph […]
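The following is an added example, not Microsoft's code or any Graph API call: it models the rule described above (block when the federated domain whose internalDomainFederation issued the token is not the user's UPN domain) and runs it over constructed sample sign-ins to estimate which ones will start failing with AADSTS5000820 once the default is enforced. The record layout and the federated-domain inventory are assumptions for illustration; a real pre-rollout review would feed it your tenant's actual sign-in data and federated domains.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK_ERROR = "AADSTS5000820"  # error code quoted in the announcement

# Constructed inventory: federated domains that have an internalDomainFederation object.
FEDERATED_DOMAINS = {"contoso.com", "fabrikam.com"}


@dataclass(frozen=True)
class FederatedSignIn:
    upn: str           # user principal name presented in the federated token
    token_domain: str  # federated domain whose internalDomainFederation issued the token


def upn_domain(upn: str) -> str:
    """Return the UPN suffix (text after the last '@'), normalised to lower case."""
    if "@" not in upn:
        raise ValueError(f"not a UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def evaluate(sign_in: FederatedSignIn, enforce: bool = True) -> Optional[str]:
    """Return None if the sign-in is allowed, else the blocking error code.

    enforce=False models the pre-change default (cross-domain allowed);
    enforce=True models the new default described in the announcement.
    """
    token_domain = sign_in.token_domain.lower()
    if token_domain not in FEDERATED_DOMAINS:
        return None  # no internalDomainFederation object: out of scope of this rule
    if upn_domain(sign_in.upn) == token_domain:
        return None  # token issued by the user's own federated domain
    return BLOCK_ERROR if enforce else None


def impact_report(sign_ins: List[FederatedSignIn]) -> Tuple[List[FederatedSignIn], List[str]]:
    """List sign-ins that will be blocked under the new default and the UPN domains they hit."""
    blocked = [s for s in sign_ins if evaluate(s, enforce=True) == BLOCK_ERROR]
    return blocked, sorted({upn_domain(s.upn) for s in blocked})


# Constructed sample sign-ins (not real data).
SAMPLE_SIGN_INS = [
    FederatedSignIn("alice@contoso.com", "contoso.com"),      # same domain: allowed
    FederatedSignIn("Bob@Fabrikam.com", "fabrikam.com"),      # case differs only: allowed
    FederatedSignIn("carol@fabrikam.com", "contoso.com"),     # cross-domain: blocked
]

if __name__ == "__main__":
    blocked, domains = impact_report(SAMPLE_SIGN_INS)
    print(f"{len(blocked)} sign-in(s) would fail with {BLOCK_ERROR}; UPN domains: {domains}")
```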

The post Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings appeared first on M365 Admin.

by João Ferreira
