App Instance Lock enabled by default for new applications

This article details Microsoft's upcoming change to Microsoft Entra ID, where App Instance Lock will be enabled by default for all newly created applications starting June 2026. The feature aims to harden the identity perimeter by preventing sensitive properties, such as service principal credentials, from being modified outside the application's home tenant. It explains the security risks of unauthorized credential injection and privilege escalation, the deployment timeline, and the technical impact on administrators and developers managing multi-tenant environments or automation scripts. Existing applications remain unaffected, but new workflows may require explicitly disabling the lock to allow cross-tenant updates.