Microsoft 365 Message Center item MC1286303
MC1286303 - Microsoft Entra staged rollout platform will migrate with non-breaking changes
Microsoft Entra ID is migrating the Staged Rollout service to the Microsoft Entra authentication platform by mid-May 2026, improving scalability and performance without breaking changes. Users newly added or removed post-migration need one extra interactive sign-in; existing users are unaffected. No action is required, but review configurations and inform support teams.
- Message Center ID
- MC1286303
- Category
- stay Informed
- Severity
- normal
- Services
- Microsoft Entra
- Tags
- New feature, User impact, Admin impact
- Published
- 2026-04-20
- Last updated
- 2026-04-20
- Expires
- 2026-06-15
[Introduction] We are migrating the Staged Rollout (SR) service in Microsoft Entra ID to use the Microsoft Entra authentication platform. This is an internal platform change that modernizes how Staged Rollout evaluates a user’s authentication path (managed versus federated) while preserving existing behavior.This migration improves long-term scalability, reliability, and platform sustainability, and reduces reliance on legacy components. There are no breaking changes to supported authentication scenarios, and there is no change to how Staged Rollout is configured or managed.[When this will happen] Worldwide: We will begin rolling out in late April 2026 and expect to complete by mid-May 2026. [How this affects your organization] Who is affectedMicrosoft Entra ID tenants in the public cloud using Staged RolloutWhat will happenUsers newly added to or removed from a Staged Rollout group after the migration will need to complete one additional interactive sign-in for their authentication path to update. After this one-time sign-in, authentication will follow the user’s current Staged Rollout configuration as expected. Existing Staged Rollout users are not impacted. Their authentication state is preserved during migration, and no additional sign-in is required. Previously, Staged Rollout relied on a dedicated tagging service that recalculated eligibility on every sign-in. After this migration, eligibility is no longer recalculated at every sign-in. Routing decisions are cached and refreshed on the next interactive sign-in, reducing authentication-time queries and improving sign-in performance. Supported scenarios (unchanged): Password hash synchronization (PHS) + Seamless SSO Pass-through authentication (PTA) + Seamless SSO Azure multi-factor authentication Certificate-based authentication User sign-in with an email address Not supported scenarios (unchanged): Combining Password hash synchronization, Pass-through authentication, and Seamless SSO Enabling Azure multi-factor authentication at the same time as Pass-through authentication or Password hash synchronization [What you can do to prepare] No action is required to maintain service continuity. We recommend the following: Review your current Staged Rollout configuration in the Microsoft Entra admin center to understand which users and groups are enrolled. Inform helpdesk and support teams that users newly added to or removed from Staged Rollout groups may need to complete one additional interactive sign-in. Ensure your federated identity provider, such as Active Directory Federation Services (AD FS), remains available and operational until domain cutover to managed authentication is complete.Review documentation for known behaviors and edge cases: User Authentication Behavior During Staged Rollout TransitionsIf a user’s authentication path does not reflect the expected state after sign-in, contact Microsoft Support for assistance.As outlined in our Migrate to cloud authentication using Staged Rollout guidelines, Staged Rollout should be temporary and paired with a federated identity provider as a fallback during testing. We recommend completing your migration to cloud-managed authentication as soon as possible. Learn more:Enable a Staged Rollout of a specific feature on your tenant - Migrate to cloud authentication using Staged Rollout | Hybrid | Microsoft Entra ID | Microsoft Entra | Microsoft LearnMigrate from federation to Microsoft Entra certificate-based authentication (CBA) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft LearnMigrate to cloud authentication using Staged Rollout | Hybrid | Microsoft Entra ID | Microsoft Entra | Microsoft LearnSign-in to Microsoft Entra ID with email as an alternate login ID (Preview) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft LearnUser Authentication Behavior During Staged Rollout Transitions - Migrate to cloud authentication using Staged Rollout | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn [Compliance considerations] No compliance considerations identified. Review as appropriate for your organization.