MC1300584: Microsoft Entra: App Instance Lock enabled by default for new applications
Microsoft Entra ID will enable App Instance Lock by default for new applications starting June 2026, protecting sensitive properties from unauthorized changes outside the home tenant. Existing apps are unaffected. Admins can disable the lock if needed. Review and update automation or scripts acco...
[Introduction]
To improve application security, Microsoft Entra ID will enable App Instance Lock by default for newly created applications. This change prevents sensitive application properties from being modified outside the application’s home tenant, reducing the risk of unauthorized changes that can lead to application compromise. Based on our data analysis, we do not expect this change to cause customer impact. App owners or administrators in the application home tenant can still disable App Instance Lock for specific applications if their scenario requires updates to protected properties in other tenants.
[When this will happen]
General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by late June 2026.
[How this affects your organization]
Who is affected
- Microsoft Entra administrators
- Developers who manage Microsoft Entra applications
- Organizations using automation or scripts to update application credentials or security settings after app creation
What will happen?
- App Instance Lock will be enabled by default for all newly created applications.
- Sensitive service principal properties will be protected by default.
- Attempts to modify these protected properties will be blocked unless App Instance Lock is explicitly disabled.
- Blocked update attempts will return a 400 Bad Request error, and the update will not be applied.
- Existing applications are not affected by this change.
Example Microsoft Graph error returned when attempting to update passwordCredentials on a locked application:
[What you can do to prepare]
- Review automation, scripts, or provisioning workflows that modify service principal credentials or related settings.
- Validate that existing workflows do not depend on App Instance Lock being disabled and update them to avoid modifying protected properties unless the lock is intentionally disabled.
- Disable App Instance Lock for specific applications if post‑creation updates are required.
- Test application provisioning and credential management flows prior to rollout in mid-May.
[Compliance considerations]
| Question | Answer |
| Does the change include an admin control? | Yes. Admins can disable App Instance Lock per application when required. |