Microsoft Entra ID: Service principal-less authentication will be discontinued (March 2026)

At the end of March 2025, Microsoft announced that Microsoft Entra ID will no longer support service principal-less authentication from March 2026. From then on, Microsoft Entra ID will block authentication for multi-tenant applications that do not have an enterprise application registration (a service principal) in the resource tenant.

I became aware of this issue the other day via the following post on Bluesky. Nathan McNulty writes that he thinks it's great that Microsoft is removing the ability for multi-tenant applications to authenticate to directories where a service principal has not been registered.

Microsoft Entra ID ends service principal-less authentication in 2026

Microsoft itself has documented the issue as of March 26, 2025 in the support article Service principal-less authentication mitigation. It states that Microsoft Entra ID will no longer support service principal-less authentication from March 2026.

With service principal-less authentication, a multi-tenant application can obtain a token for a resource in a tenant in which it has no service principal. Such tokens are issued without permissions and without an object identifier (there is no oid claim, because no service principal object exists that the claim could refer to). Service principal-less authentication can be abused if the resource applications (i.e. the APIs) perform incomplete validation, for example by checking only the audience and the tenant ID and never requiring an oid claim or a permission claim before granting access.

As a preventative security measure, Microsoft Entra ID will then block authentication for all multi-tenant applications that do not have an enterprise application registration in the resource tenant from March 2026. This scenario is also known as service principal-less authentication, writes Microsoft.

According to Microsoft, this behavior has already been blocked for most resources. With the change in March 2026, the remaining exceptions will be blocked as well. The support article describes how administrators should prepare for the end of service principal-less authentication.

By enforcing the requirement that applications must be registered in each tenant in which they authenticate, Microsoft strengthens the tenant administrator's control over all access, including the ability to create Conditional Access policies for these applications. Tenant administrators will therefore need to verify which multi-tenant applications currently access their tenant, create an enterprise application (service principal) for each of them, and validate the tokens their own APIs accept.
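The "validate tokens" step above is the one the API owner controls, and it is also the point at which the abuse described earlier (a token without permissions and without an oid claim being accepted by an API that only checks audience and tenant) can be shut down today. The following is an added example, not code from the support article or from Microsoft: it constructs two sample access tokens (unsigned, with made-up tenant and audience values, purely for illustration), decodes their claims, and runs them through a weak check beside a hardened one. The hardened check refuses any token that lacks an oid claim or carries neither app roles nor delegated scopes, which is exactly what a service principal-less token looks like. Signature verification against the tenant's signing keys is assumed to happen before this claims check and is out of scope here.

```python
import base64
import json

# Constructed values for the example (assumptions, not from the article).
RESOURCE_TENANT = "11111111-1111-1111-1111-111111111111"
API_AUDIENCE = "api://contoso-orders"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build 'header.payload.' with an empty signature. Test input only:
    a real token is signed, and the signature must be verified first."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT as a dict.
    This does NOT verify the signature; run it only on a token whose
    signature has already been checked against the tenant's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_claims_incomplete(claims: dict) -> bool:
    """The weak check many APIs do: audience and tenant only.
    A service principal-less token passes, because it carries the
    correct aud and tid even though it has no oid and no permissions."""
    return (claims.get("aud") == API_AUDIENCE
            and claims.get("tid") == RESOURCE_TENANT)


def validate_claims(claims: dict) -> bool:
    """Hardened check: require the claims that only exist when the
    calling application has a service principal in the resource tenant."""
    if claims.get("aud") != API_AUDIENCE or claims.get("tid") != RESOURCE_TENANT:
        return False
    # No service principal in the tenant -> no object ID in the token.
    if not claims.get("oid"):
        return False
    # No service principal -> no consented permissions: neither app
    # roles (client credentials) nor delegated scopes (on behalf of a user).
    if not (claims.get("roles") or claims.get("scp")):
        return False
    return True


# Constructed sample 1: what a service principal-less token looks like.
SP_LESS_TOKEN = make_unsigned_jwt({
    "aud": API_AUDIENCE,
    "tid": RESOURCE_TENANT,
    "appid": "22222222-2222-2222-2222-222222222222",
    # note: no "oid", no "roles", no "scp"
})

# Constructed sample 2: token for an app with a service principal in the tenant.
REGISTERED_TOKEN = make_unsigned_jwt({
    "aud": API_AUDIENCE,
    "tid": RESOURCE_TENANT,
    "appid": "22222222-2222-2222-2222-222222222222",
    "oid": "33333333-3333-3333-3333-333333333333",
    "roles": ["Orders.Read.All"],
})


def check_token(token: str) -> dict:
    """Run both checks on a token and report the verdicts."""
    claims = decode_claims(token)
    return {
        "has_oid": bool(claims.get("oid")),
        "incomplete_check": validate_claims_incomplete(claims),
        "hardened_check": validate_claims(claims),
    }


if __name__ == "__main__":
    print("service principal-less:", check_token(SP_LESS_TOKEN))
    print("registered app:       ", check_token(REGISTERED_TOKEN))
```

The weak check accepts the service principal-less token, the hardened one rejects it, and the registered application's token passes both. The same rule applies after March 2026 even though Entra ID will then refuse to issue such tokens: an API that requires an oid and a permission claim does not depend on the issuer's behavior to stay safe.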

Administrators must act before March 31, 2026 to prevent application authentication from failing. Further details can be found in the support article Service principal-less authentication mitigation.
