Microsoft Entra ID Enables App Instance Lock by Default

Most security discussions in Microsoft 365 focus on users.

But increasingly, applications are becoming the overlooked attack surface.
App registrations often hold persistent permissions and access to sensitive APIs, and they continue operating long after the original owner leaves.

That makes them a growing security target.

Microsoft seems to be responding to that shift by tightening default protections for new application identities.

Starting June 2026, Microsoft Entra ID will enable App Instance Lock by default for newly created app registrations.

Microsoft has also asked organizations to review affected workflows by May 28, ahead of the rollout.

👉 Existing registrations remain unchanged.

The next security cleanup for many tenants may not be user accounts; it may be app identities.
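
Because existing registrations keep their current setting, one way to find the ones without the lock is to read the `servicePrincipalLockConfiguration` property that Microsoft Graph returns on each application object. The script below is an added example, not code from this post or from Microsoft; the sample response, app names and IDs are constructed, and the function names are hypothetical.

```python
import json

# Per-property switches inside servicePrincipalLockConfiguration (Microsoft Graph).
LOCKABLE = ("credentialsWithUsageVerify", "credentialsWithUsageSign",
            "tokenEncryptionKeyId")

def lock_state(app):
    """Return (state, unlocked_properties) for one Graph application object."""
    cfg = app.get("servicePrincipalLockConfiguration") or {}
    if not cfg.get("isEnabled"):
        # Sub-flags have no effect while the lock itself is off or absent.
        return "disabled", list(LOCKABLE)
    if cfg.get("allProperties"):
        return "all", []
    return "selected", [p for p in LOCKABLE if not cfg.get(p)]

def audit(graph_response):
    """List apps whose lock is off or covers only some sensitive properties."""
    findings = []
    for app in graph_response.get("value", []):
        state, unlocked = lock_state(app)
        if state != "all":
            findings.append({"displayName": app.get("displayName"),
                             "id": app.get("id"),
                             "state": state, "unlocked": unlocked})
    # Fully unlocked apps first, then by name for stable output.
    return sorted(findings,
                  key=lambda f: (f["state"] != "disabled", f["displayName"] or ""))

# Constructed sample in the shape of GET /applications
# ?$select=id,displayName,servicePrincipalLockConfiguration
SAMPLE = json.loads("""
{"value": [
 {"id": "00000000-0000-0000-0000-000000000001", "displayName": "legacy-sync-app",
  "servicePrincipalLockConfiguration": null},
 {"id": "00000000-0000-0000-0000-000000000002", "displayName": "hr-portal",
  "servicePrincipalLockConfiguration": {"isEnabled": true, "allProperties": true}},
 {"id": "00000000-0000-0000-0000-000000000003", "displayName": "billing-api",
  "servicePrincipalLockConfiguration": {"isEnabled": true, "allProperties": false,
   "credentialsWithUsageVerify": true, "credentialsWithUsageSign": true,
   "tokenEncryptionKeyId": false}},
 {"id": "00000000-0000-0000-0000-000000000004", "displayName": "build-agent",
  "servicePrincipalLockConfiguration": {"isEnabled": false, "allProperties": true}}
]}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["state"], f["displayName"], f["id"], ",".join(f["unlocked"]))
```

To run it against a tenant, replace `SAMPLE` with the JSON returned by the Graph query shown in the comment and follow `@odata.nextLink` for paging.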

Message ID: MC1300584
