Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiakmxhal3x22lcs2orihgg3m4it5axokn3eogppgifmdqmlhn6zhu",
    "uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mlcgel74nsg2"
  },
  "description": "Microsoft Entra will enforce stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when internalDomainFederation doesn't match the user's UPN domain. This affects tenants with federated domains configured before December 2025 and aims to enhance ...",
  "path": "/m365-message-center/message/mc1303719/",
  "publishedAt": "2026-05-08T00:00:06.000Z",
  "site": "https://blog.tophhie.cloud",
  "tags": [
    "internalDomainFederation",
    "federatedTokenValidationPolicy",
    "rootDomains",
    "Get federatedTokenValidationPolicy | Microsoft Graph | Microsoft Learn",
    "Get internalDomainFederation | Microsoft Graph | Microsoft Learn",
    "Use Graph Explorer to try Microsoft Graph APIs | Microsoft Graph | Microsoft Learn",
    "validatingDomains resource type | Microsoft Graph | Microsoft Learn"
  ],
  "textContent": "**[Introduction]**\n\nTo strengthen security for federated authentication, Microsoft Entra will update the default behavior of**federatedTokenValidationPolicy**. This policy governs how Microsoft Entra validates federated authentication tokens and determines whether sign-ins are allowed when the **internalDomainFederation** does not match the user’s UPN domain. Previously, enforcing this behavior required explicit tenant configuration, but it will now be applied by default to reduce the risk of unintended cross-domain sign-ins caused by misconfigured or overly permissive federation trust relationships.\n\n**[When this will happen]**\n\n**General Availability (Worldwide, GCC, GCCH, and DoD):** We will begin rolling out in **mid-August 2026** and expect to complete by **mid-August 2026**.\n\n**[How this affects your organization]**\n\n_Who is affected_\n\n  * Microsoft 365 tenants using **federated authentication** in _Microsoft Entra_\n  * Admins managing federated domains that were configured **before December 2025**\n  * Applies only to federated domains that have an**internalDomainFederation** object\n\n\n\n _What will happen_\n\n  * By default, federated sign-ins will be **blocked** when the**internalDomainFederation** does not match the user’s UPN domain.\n  * The**internalDomainFederation** object is typically created automatically during federation setup with Active Directory Federation Services (AD FS) or other identity providers (IdPs).\n  * This **stricter default behavior** of the **federatedTokenValidationPolicy is already enforced** for federated domains added **since December 2025**.\n  * After this change, the same behavior will apply to **all existing federated domains** with an internalDomainFederation object.\n  * Impacted sign-ins will fail with the error:\n\n\n\n**AADSTS5000820: Sign-in blocked by Federated Token Validation policy. Contact your administrator for details.**\n\n  * There is **no change to the user experience** unless cross-domain federated sign-ins are currently occurring.\n\n\n\n**[What you can do to prepare]**\n\n  * No action is required for most organizations.\n  * Cross-domain federated sign-ins will be blocked automatically as part of this security improvement.\n  * Organizations that rely on cross-domain federated sign-ins should review their existing federation configurations before rollout.\n  * (**Strongly discouraged**) If required for business continuity, Security Administrators, Hybrid Identity Administrators, or External Identity Provider Administrators can use **Microsoft Graph** to create a custom federatedTokenValidationPolicy with rootDomains**= none** to allow cross-domain sign-ins.\n  * Communicate this change to identity and helpdesk teams to reduce support escalations.\n\n\n\n**Learn more:**\n\n  * Get federatedTokenValidationPolicy | Microsoft Graph | Microsoft Learn\n  * Get internalDomainFederation | Microsoft Graph | Microsoft Learn\n  * Use Graph Explorer to try Microsoft Graph APIs | Microsoft Graph | Microsoft Learn\n  * validatingDomains resource type | Microsoft Graph | Microsoft Learn\n\n\n\n**[Compliance considerations]**\n\n**Question**| **Answer**\n---|---\nDoes the change include an admin control, and can it be controlled through Microsoft Entra ID group membership?| Yes. Administrators can configure a custom **federatedTokenValidationPolicy** using Microsoft Graph to override the default behavior, although this is strongly discouraged due to security risks.\nDoes the change modify, interrupt, or disable Purview capabilities such as Data Loss Prevention, Information Protection, Conditional Access, audit logging, eDiscovery, encryption, or retention policies?| Yes. This change affects authentication enforcement behavior in Microsoft Entra, which may indirectly influence how Conditional Access policies evaluate federated sign-ins.",
  "title": "MC1303719: Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings",
  "updatedAt": "2026-05-08T00:00:06.786Z"
}