Microsoft is tightening the default behavior of federatedTokenValidationPolicy to block a risky scenario that many tenants may not even realize exists today: cross-domain federated sign-ins caused by overly permissive or misconfigured federation trust relationships.
From mid-August 2026, Microsoft Entra will automatically block federated sign-ins when the internalDomainFederation does not match the user's UPN domain.
If a mismatch happens, users will start seeing:
[error code]: Sign-in blocked by federated token validation policy
This affects:
- Organizations using federated authentication (AD FS or third-party IdPs)
- Federated domains configured before December 2025
- Tenants that may currently allow cross-domain federated sign-ins without realizing it
What's interesting is that Microsoft already started enforcing this behavior for newly federated domains added after December 2025. Now they're just extending the same protection to older federation setups as well.
If your environment relies on cross-domain federation flows for business or legacy integrations, this is probably the right time to review your federation trust relationships and authentication design.
Microsoft does allow overriding the behavior through a custom federatedTokenValidationPolicy via Microsoft Graph, but strongly discourages doing that because of the security risks involved.
This can indirectly affect Conditional Access evaluations since authentication enforcement behavior is changing underneath the sign-in flow.
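One way to do the review suggested above before the enforcement date is to compare each federated sign-in's token issuer with the federation configured for the user's UPN domain. The script below is an added example, not Microsoft's code or API; it runs on constructed sample data whose field names mirror Microsoft Graph (internalDomainFederation.issuerUri from domains/{id}/federationConfiguration, and userPrincipalName, tokenIssuerType, tokenIssuerName from auditLogs/signIns), and it assumes an exact UPN-domain match as the announcement describes.

```python
"""Pre-enforcement audit (added example): flag federated sign-ins that the
new federatedTokenValidationPolicy default would block because the token
issuer is not the federation configured for the user's UPN domain."""

# Constructed sample data, not from a real tenant. Shapes mirror Microsoft
# Graph: domains/{id}/federationConfiguration -> internalDomainFederation.issuerUri;
# auditLogs/signIns -> userPrincipalName, tokenIssuerType, tokenIssuerName.
FEDERATION_CONFIG = {  # federated domain -> issuerUri
    "contoso.com": "http://adfs.contoso.com/adfs/services/trust",
    "fabrikam.com": "http://sts.fabrikam.com/adfs/services/trust",
}
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.com", "tokenIssuerType": "ADFederationServices",
     "tokenIssuerName": "http://adfs.contoso.com/adfs/services/trust"},  # matches
    {"userPrincipalName": "bob@fabrikam.com", "tokenIssuerType": "ADFederationServices",
     "tokenIssuerName": "http://adfs.contoso.com/adfs/services/trust"},  # cross-domain
    {"userPrincipalName": "carol@tailspintoys.com", "tokenIssuerType": "ADFederationServices",
     "tokenIssuerName": "http://sts.fabrikam.com/adfs/services/trust"},  # domain not federated
    {"userPrincipalName": "dave@contoso.com", "tokenIssuerType": "AzureAD",
     "tokenIssuerName": "https://login.microsoftonline.com/<tenant-id>/"},  # cloud auth, unaffected
]


def upn_domain(upn):
    """Domain part of a UPN, lower-cased, trailing dot removed."""
    return upn.rsplit("@", 1)[-1].lower().rstrip(".")


def find_mismatches(sign_ins, federation_config):
    """Return (upn, actual_issuer, expected_issuer) for every federated sign-in
    whose issuer differs from the federation configured for the UPN domain;
    expected_issuer is None when the UPN domain is not federated at all."""
    expected = {d.lower(): u.rstrip("/").lower() for d, u in federation_config.items()}
    hits = []
    for s in sign_ins:
        if s.get("tokenIssuerType") != "ADFederationServices":
            continue  # cloud-authenticated sign-ins are out of scope
        issuer = s["tokenIssuerName"].rstrip("/").lower()
        exp = expected.get(upn_domain(s["userPrincipalName"]))
        if exp != issuer:
            hits.append((s["userPrincipalName"], issuer, exp))
    return hits


def affected_issuers(mismatches):
    """Group affected UPNs by signing issuer, so the federation trust that
    needs review first is obvious."""
    groups = {}
    for upn, issuer, _ in mismatches:
        groups.setdefault(issuer, []).append(upn)
    return groups
```

Feeding real sign-in log exports and federation configuration into `find_mismatches` gives the list of users and trusts that will start failing once the default changes.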