M365 Message Centerby Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft

Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings

Plan for Change

Message ID

MC1303719

Services

Microsoft Entra

Summary

Microsoft Entra will enforce stricter federatedTokenValidationPolicy by default starting mid-August 2026, blocking federated sign-ins when internalDomainFederation doesn't match the user's UPN domain. This affects tenants with federated domains configured before December 2025 and aims to enhance security against cross-domain sign-in risks.

Details

Introduction

To strengthen security for federated authentication, Microsoft Entra will update the default behavior of federatedTokenValidationPolicy. This policy governs how Microsoft Entra validates federated authentication tokens and determines whether sign-ins are allowed when the internalDomainFederation does not match the user’s UPN domain. Previously, enforcing this behavior required explicit tenant configuration, but it will now be applied by default to reduce the risk of unintended cross-domain sign-ins caused by misconfigured or overly permissive federation trust relationships.

When this will happen

General Availability (Worldwide, GCC, GCCH, and DoD): We will begin rolling out in mid-August 2026 and expect to complete by mid-August 2026.

How this affects your organization

Who is affected

  • Microsoft 365 tenants using federated authentication in Microsoft Entra
  • Admins managing federated domains that were configured before December 2025
  • Applies only to federated domains that have an internalDomainFederation object

What will happen

  • By default, federated sign-ins will be blocked when the internalDomainFederation does not match the user’s UPN domain.
  • The internalDomainFederation object is typically created automatically during federation setup with Active Directory Federation Services (AD FS) or other identity providers (IdPs).
  • This stricter default behavior of the federatedTokenValidationPolicy is already enforced for federated domains added since December 2025.
  • After this change, the same behavior will apply to all existing federated domains with an internalDomainFederation object.
  • Impacted sign-ins will fail with the error:

AADSTS5000820: Sign-in blocked by Federated Token Validation policy. Contact your administrator for details.

  • There is no change to the user experience unless cross-domain federated sign-ins are currently occurring.

What you can do to prepare

  • No action is required for most organizations.
  • Cross-domain federated sign-ins will be blocked automatically as part of this security improvement.
  • Organizations that rely on cross-domain federated sign-ins should review their existing federation configurations before rollout.
  • (Strongly discouraged) If required for business continuity, Security Administrators, Hybrid Identity Administrators, or External Identity Provider Administrators can use Microsoft Graph to create a custom federatedTokenValidationPolicy with rootDomains = none to allow cross-domain sign-ins.
  • Communicate this change to identity and helpdesk teams to reduce support escalations.
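As an added illustration (not code from the Message Center post or from Microsoft), the Python below models the default rule described above over constructed stand-ins for the Graph responses an admin would pull: /domains, /domains/{id}/federationConfiguration and /policies/federatedTokenValidationPolicy. It assumes that rootDomains = "all" denotes the strict default (the post only names "none") and that a UPN in a subdomain of the federated root domain counts as a match; Python is used so the logic runs offline, in place of Graph PowerShell.

```python
# Added example, not from the Message Center post or from Microsoft: models the
# default rule MC1303719 describes. Graph payloads below are constructed stand-ins.
BLOCK_ERROR = ("AADSTS5000820: Sign-in blocked by Federated Token Validation "
               "policy. Contact your administrator for details.")

# Stand-ins for GET /policies/federatedTokenValidationPolicy (validatingDomains):
# rootDomains "all" is taken as the strict default, "none" is the discouraged override.
STRICT_POLICY = {"validatingDomains": {"rootDomains": "all", "domainNames": []}}
PERMISSIVE_POLICY = {"validatingDomains": {"rootDomains": "none", "domainNames": []}}

# Stand-in for GET /domains (only the fields used here).
DOMAINS = [
    {"id": "contoso.com", "authenticationType": "Federated"},
    {"id": "fabrikam.com", "authenticationType": "Federated"},
    {"id": "contoso.onmicrosoft.com", "authenticationType": "Managed"},
]
# Stand-in for GET /domains/{id}/federationConfiguration; an empty list means
# the domain has no internalDomainFederation object, so the rule does not apply.
FEDERATION_CONFIG = {
    "contoso.com": [{"issuerUri": "http://contoso.com/adfs/services/trust/"}],
    "fabrikam.com": [],
    "contoso.onmicrosoft.com": [],
}

def affected_domains(domains, federation_config):
    """Federated domains that carry an internalDomainFederation object."""
    return sorted(d["id"] for d in domains
                  if d["authenticationType"] == "Federated"
                  and federation_config.get(d["id"]))

def upn_domain(upn):
    return upn.rsplit("@", 1)[1].lower()

def domain_matches(federated_domain, upn):
    # Assumption in this example: a UPN in a subdomain of the federated root
    # domain counts as a match, since Entra subdomains inherit federation.
    udom, root = upn_domain(upn), federated_domain.lower()
    return udom == root or udom.endswith("." + root)

def evaluate_sign_in(policy, affected, federated_domain, upn):
    """Return (allowed, error) for a token issued via federated_domain."""
    if federated_domain not in affected:   # no internalDomainFederation object
        return True, None
    mode = policy["validatingDomains"]["rootDomains"]
    if mode == "none":                     # cross-domain sign-in permitted
        return True, None
    if mode == "all":                      # strict default: UPN domain must match
        return (True, None) if domain_matches(federated_domain, upn) else (False, BLOCK_ERROR)
    raise ValueError(f"rootDomains={mode!r} is not modelled in this example")
```

Running `affected_domains` against a real tenant's responses gives the list of domains to review before the rollout; `evaluate_sign_in` shows which existing sign-in patterns would start returning AADSTS5000820.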

Learn more:

  • Get federatedTokenValidationPolicy | Microsoft Graph | Microsoft Learn
  • Get internalDomainFederation | Microsoft Graph | Microsoft Learn
  • Use Graph Explorer to try Microsoft Graph APIs | Microsoft Graph | Microsoft Learn
  • validatingDomains resource type | Microsoft Graph | Microsoft Learn

Compliance considerations

Question: Does the change include an admin control, and can it be controlled through Microsoft Entra ID group membership?
Answer: Yes. Administrators can configure a custom federatedTokenValidationPolicy using Microsoft Graph to override the default behavior, although this is strongly discouraged due to security risks.

Question: Does the change modify, interrupt, or disable Purview capabilities such as Data Loss Prevention, Information Protection, Conditional Access, audit logging, eDiscovery, encryption, or retention policies?
Answer: Yes. This change affects authentication enforcement behavior in Microsoft Entra, which may indirectly influence how Conditional Access policies evaluate federated sign-ins.

Timeline

Published
May 7, 2026
Message published to Message Center
Updated
May 7, 2026
Message content updated
Action Required By
Aug 11, 2026
Action deadline
End Date
Sep 12, 2026
Message timeline ends

Tags

#Admin impact

Category

Plan for Change

Related Messages

Similar updates

MC1300584

Microsoft Entra: App Instance Lock enabled by default for new applications

May 4, 2026
MC1275311

Simplifying agent management with Agent 365

Apr 9, 2026
MC1287372

Microsoft Entra ID Governance Account Discovery

Apr 21, 2026
MC1279092

Microsoft Entra: Passkeys in registration campaigns update

Apr 13, 2026
MC1282568

General Availability: Microsoft Entra passkeys on Windows

Apr 16, 2026