Spring (Q2) 2026 Release Notes

Secret Server on Platform

TOTP Settings Now Replicate with Resilient Secrets (GA)

TOTP configurations are now included in Resilient Secrets replication. When failover occurs, users relying on TOTP as a second authentication factor can access their secrets immediately on the replica vault, with no manual reconfiguration required. For more information, see Setting Up Resilient Secrets.

Metadata Section and Field Management (GA)

Admins can now rename, edit, and disable metadata sections and fields. Rename fields to match evolving terminology, disable sections or fields no longer needed, and clean up the schema without affecting active data. Disabled items are preserved and stop appearing in dropdowns; changes apply globally across all secrets.

Changing field data types and permanent deletion are not included in this release.

For more information, see Object Metadata.

Platform Upgrade Center (GA)

The previous version of the Synchronize Data step has been renamed to “Advanced Mode”, and with Advanced Mode disabled the step will automatically select all groups for synchronization, streamlining the process in smaller environments. The Connect Domains step now lists engines available for a given domain that would act as suitable hosts for the AD connector, helping the user find appropriate servers for the Active Directory integration. Several performance and resilience improvements have been made to the batch processing, preventing timeouts and failures. For more information, see Platform Upgrade Center.

Analytics

Event-Driven Analytics (GA)

Detections have moved from scheduled scans to event-driven processing. Alerts now generate within seconds of suspicious activity, such as crown jewel access or brute force attempts, with immediate impact on user risk scores. Real-time authentication analysis evaluates location, user agent, and time of day at login. User activity baselines are now visible in the identity inventory for platform accounts. For more information, see Analytics.

IRIS Authorization

IRIS Authorization (Private Preview)

IRIS Authorization is an AI-powered approval agent that automates secret access request decisions. It operates in two modes: fully automated (decide) or human-in-the-loop (recommend). Default policy checks include user risk level, MFA verification, justification appropriateness, duration validation, and user intent verification via ITSM ticket correlation (ServiceNow, Zendesk, and Jira Service Management supported). Custom policy conditions can be defined in natural language. Every decision includes detailed reasoning, interim check results, evidence links, and timestamps for audit and compliance. For more information, see IRIS Authorization.

IRIS Auditing

IRIS Auditing Enhancements (GA)

Detection coverage now extends beyond SSH, RDP, and PowerShell to include native Windows applications, general applications, and browser activity. The session review UI displays discovered applications with drill-down capability and granular activity timelines, including registry key changes, security policy updates, and SSH connection specifics. All activity data streams to the Activities Inventory, and a new automated reporting feature supports individual or bulk session reports. For more information, see Session Review.

Privileged Remote Access (PRA) & Session Recording Service

Session Diagnostics (GA)

Users can now copy sanitized debug data directly from the browser when a remote session ends unexpectedly, for troubleshooting sluggish or unresponsive connections. This data is also accessible on demand via the D-menu during active sessions. For more information, see Using the Menu.

Native Recording Deletion (GA)

Secret Server native recordings can now be deleted directly from the Platform session recording UI. For more information, see Deleting Session Recordings.

Session Recording Improvements (GA)

Session recordings are now captured within the Platform rather than in the browser, eliminating continuous network and CPU overhead on the user’s machine and making in the cloud recordings tamper-proof.

Session Recording Downloads (now in GA)

Download remote session recordings from PRA or Audit Collector. Authorized users can request downloads asynchronously, with files available for 3 days before auto-expiring. For more information, see Downloading Session Recordings.

Privilege Control for Servers (PCS)

Secret Identity Mapping for Shared Accounts (Public Preview)

Shared accounts such as service accounts and break-glass admin accounts can now satisfy PCS MFA requirements without workarounds. When a user checks out a shared secret from Secret Server and logs into an MFA-protected endpoint, the system detects the checkout and prompts the actual user with their own MFA challenge. The login proceeds as the shared account while the audit trail captures who checked it out, when they authenticated, and when access ended. For more information, see MFA Redirection for Shared Secrets.

Platform Engine

Support Portal (GA)

Platform Engine status and logs can now be shared with support during a case to streamline troubleshooting. This will reduce the feedback loop to assist with any engine or workload log collection. Customer consent and approval are required within the platform tenant to permit Delinea support visibility when needed. For more information, see Managing Engine Sites.

Identity

Federation Console User Mapping Details (GA)

The Federation Console now displays user mapping information for each federated login event. Admins can see the external identity from the identity provider, the Platform user it mapped to, and the associated directory source, enabling faster, self-service resolution of federated login issues. For more information, see Debugging.

AD Short Name Login Configuration (GA)

Customers using the Delinea AD Connector can now control whether users may log in with their AD short name (Windows account name) in addition to their UPN. For more information, see Global Security Settings.

SCIM Cloud Connector for Entra ID (Private Preview)

The Delinea Platform now supports SCIM 2.0 integration with Microsoft Entra ID for automated user provisioning. The connector is fully cloud-native, with no on-premises installation or firewall configuration required. Capabilities include user and group provisioning, updates, deprovisioning, folder management, and secret-to-folder associations. For more information, see SCIM Provisioning Integration.

External Directory Service Users (now in GA)

Use existing directory-based accounts (for example, Active Directory) for programmatic API access instead of creating separate local service users. For more information, see Service Users.

Identity Threat Protection (ITP) and Privilege Control for Cloud Entitlements (PCCE)

Least Privilege for AWS (GA)

Identify and remediate excessive permissions in AWS by analyzing actual usage versus assigned permissions. The platform surfaces right-sizing recommendations at the user, group, and role level, showing which permissions were used and generating a narrowed policy scope. Supports AWS local accounts and AWS Identity Center (federated access). For more information, see AWS Privileges.

Identity Protection Dashboard (GA)

A unified dashboard summarizing discovery, posture findings, and top recommendations. View posture score, discovered accounts (human, non-human, AI models), assets, connected applications, and privileged account statistics. Key widgets link directly to relevant inventory views, and top failing checks are highlighted to guide remediation priorities.

Access Explorer UX Improvements (GA)

The Access Explorer now opens with a simplified view showing the selected identity and connected accounts. Users can progressively expand to explore group memberships, permissions, and access paths. Clicking any access policy or membership in the inventory opens a side panel displaying the full access path via the identity graph. Available for access policies and memberships. For more information, see Access Explorer.

Expanded Active Directory Posture Checks (GA)

Twelve new checks bring the total to 60 for Active Directory. New checks cover Kerberos credential theft (delegation rights, ghost SPNs, user impersonation), lateral movement risks (excessive local admins, print spooler on domain controllers, obsolete operating systems), hybrid identity risks (accounts with admin rights in both AD and Entra), and stealthy persistence (SID history containing sensitive administrative rights). For more information, see ITP-PCCE Checks.

Marketplace and Integrations

Marketplace Entitlement Awareness and Saved Views (GA)

The Marketplace now shows which products are subscribed, configured, or pending setup, with direct navigation to configuration pages. The Integration tab supports dynamic filters and saved views: create custom filtered views, save and pin them as quick filters, and set a default view. Admins can control integration visibility to enforce alignment with internal policies. For more information, see Integrations and Marketplace.

New and Updated Integrations

Microsoft Sentinel DCR Integration via Platform Webhooks: Send Delinea Platform audit and session events directly to Microsoft Sentinel using Data Collection Rules (DCR) and platform webhooks. Includes a ready-to-deploy ARM template that provisions the DCR, Log Analytics workspace mappings, and endpoint configuration. For more information, see Configuring Microsoft Sentinel.

Jenkins v2.1.1: Maintenance release with bug fixes, dependency updates, and compatibility improvements for current Jenkins LTS versions. For more information, see the Jenkins Release Notes.

JDBC v4.1.0: Expanded database support, improved connection reliability, and updated libraries for brokering secrets to Java applications. For more information, see the JDBC Release Notes.

Jira Integration with IRIS Authorization Agent: Jira-based approval workflows powered by the IRIS Authorization Agent, allowing approvers to act on Delinea access requests directly from Jira issues. For more information, see Integrating Jira.

Jira Cloud Platform Integration via Webhooks: Webhook-based integration enabling automatic Jira issue creation and updates triggered by platform events. For more information, see Integrating Jira Cloud.

CrowdStrike Falcon Next-Gen SIEM Webhook Integration: Webhook-based connector that forwards Delinea Platform events to CrowdStrike Falcon Next-Gen SIEM for ingestion into threat detection and investigation workflows. For more information, see Integrating CrowdStrike Falcon.

Delinea Credential Manager

DCM Mobile v3.3.5 (GA)

DCM Mobile v3.3.5 supports choosing which credentials to auto-fill into local applications, streamlining application access. When logging into a mobile app, invoke Credential Manager through the system auto-fill prompt, authenticate yourself, and select the appropriate credential. DCM will automatically fill your choice. For more information, see the Release Notes.

DCM Extension Updates v1.3.1–1.3.3 (GA)

Various bug fixes and improvements. For more information, see the Release Notes.

Other Updates

Programmatic Network Requirements (GA)

Network and firewall requirements are now published as a live JSON endpoint at setup.delinea.app/network-requirements (also accessible from any tenant URL). The open-source delinea-netconfig CLI converts this data into Terraform, Ansible, AWS Security Groups, Cisco ACL, PAN-OS XML, CSV, and YAML. For more information, see Network Requirements.