RM566869 - Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings

Microsoft 365 Roadmap

Summary

The federatedTokenValidationPolicy is a resource type in Microsoft Graph (beta) that governs how federated authentication tokens are validated. It lets customers configure a rule that blocks sign-ins where the internalDomainFederation object that issued the token does not match the domain of the user's UPN. Today this rule is not enforced by default: a tenant must be configured manually to prohibit such cross-domain sign-ins. To strengthen protection against cross-domain sign-in, we will change the default rule for federatedTokenValidationPolicy to block sign-ins where internalDomainFederation does not match the UPN domain. The internalDomainFederation object is typically created automatically when federation is set up with Active Directory Federation Services (AD FS) or another IdP.

Published

Jul 1, 2026

Status

In development

Release

General Availability

Platforms

Android
Desktop
iOS
Mac
Web

Service

Microsoft Entra

Tag

In development
General Availability
Worldwide (Standard Multi-Tenant)
GCC
GCC High
DoD

Cloud

DoD
GCC
GCC High
Worldwide (Standard Multi-Tenant)


GA date: August CY2026