📋 Microsoft Entra Documentation Changes

Daily summary for changes since July 28th 2025, 8:47 PM PDT

Report generated on July 29th 2025, 8:47 PM PDT

📊 Summary

Total commits: 37
New files: 0
Modified files: 11
Deleted files: 0
Contributors: 16

πŸ“ Modified Documentation Files

+13 / -9 lines changed
Commit: added how to prepare for phase 2 and changed Sept 1 to Sept 15
Changes:
Before
After
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 07/07/2025
ms.author: justinha
author: justinha
manager: dougeby
### Enforcement phases
 
> [!NOTE]
> The date of enforcement for Phase 2 has changed to September 1, 2025.
 
The enforcement of MFA for applications rolls out in two phases.
 
 
#### Applications that enforce MFA in phase 2
 
Starting September 1, 2025, MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation. Read operations won't require MFA.
 
Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to [secure cloud based service accounts](/entra/architecture/secure-service-accounts) with [workload identities](~/workload-id/workload-identities-overview.md).
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 07/29/2025
ms.author: justinha
author: justinha
manager: dougeby
### Enforcement phases
 
> [!NOTE]
> The date of enforcement for Phase 2 has changed to September 15, 2025.
 
The enforcement of MFA for applications rolls out in two phases.
 
 
#### Applications that enforce MFA in phase 2
 
Starting September 15, 2025, MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation. Read operations won't require MFA.
 
Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to [secure cloud based service accounts](/entra/architecture/secure-service-accounts) with [workload identities](~/workload-id/workload-identities-overview.md).
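Review bot: the commit message says it added guidance on how to prepare for phase 2, but the only change in this region is the date moving from September 1 to September 15, 2025 in both the note and the body paragraph; confirm the preparation content landed elsewhere in the file, or trim the message. While here, the paragraph that recommends migrating user-based service accounts to workload identities gives readers no way to find which accounts are affected before the deadline; a sentence pointing them to the tenant's sign-in logs filtered on the listed client applications (Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, REST API) would make the cutover actionable, since any user account used non-interactively by those tools for create, update or delete operations will start failing MFA.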
+15 / -4 lines changed
Commit: images-steps-improvement
Changes:
Before
After
manager: pmwongera
 
ms.reviewer: lhuangnorth
ms.date: 07/25/2025
 
ms.service: entra-id
ms.subservice: conditional-access
 
### Administrator reviews and accepts the rollout plan
 
Administrators can accept the plan or modify details of the plan, such as the group assignments or the time between phases.
 
To adjust the groups included in a phase:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator).
1. Browse to **Conditional Access Optimization Agent** and select the **Review suggestions** button for a policy suggestion that includes a phased rollout.
 
:::image type="content" source="media/agent-optimization-phased-rollout/phased-rollout-suggestions.png" alt-text="Screenshot of the agent suggestions with a phased rollout type highlighted." lightbox="media/agent-optimization-phased-rollout/phased-rollout-suggestions-expanded.png":::
 
1. Select {SOMETHING} to edit the groups included in the phase.
manager: pmwongera
 
ms.reviewer: lhuangnorth
ms.date: 07/29/2025
 
ms.service: entra-id
ms.subservice: conditional-access
 
### Administrator reviews and accepts the rollout plan
 
Administrators review the details of the plan and can accept it or modify the group assignments or the time between phases.
 
To adjust the groups included in a phase:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator).
 
1. Browse to **Conditional Access Optimization Agent** and select the **Review suggestions** button for a policy suggestion that includes a phased rollout.
 
:::image type="content" source="media/agent-optimization-phased-rollout/phased-rollout-suggestions.png" alt-text="Screenshot of the agent suggestions with a phased rollout type highlighted." lightbox="media/agent-optimization-phased-rollout/phased-rollout-suggestions-expanded.png":::
 
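Review bot: the After side drops the final step ("Select {SOMETHING} to edit the groups included in the phase.") but adds nothing in its place, so the procedure headed "To adjust the groups included in a phase" now ends at the screenshot without ever telling the administrator how to edit the groups. Removing the unresolved placeholder is right, but the step needs to come back with the real control name once it is known, or the procedure heading should be reworded to match what the remaining steps actually do (open and review the suggestion).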
+15 / -3 lines changed
Commit: images-steps-improvement
Changes:
Before
After
author: MicrosoftGuyJFlo
manager: dougeby
ms.reviewer: lhuangnorth
ms.date: 07/24/2025
 
ms.service: entra-id
ms.subservice: conditional-access
 
:::image type="content" source="media/agent-optimization/trigger-setting.png" alt-text="Screenshot of the trigger option in the Conditional Access Optimization agent settings." lightbox="media/agent-optimization/trigger-setting.png":::
 
### Objects
 
Use the checkboxes under **Objects** to specify what the agent should monitor when making policy recommendations. By default the agent looks for both new users and applications in your tenant over the previous 24 hour period.
 
### Identity and permissions
 
 
 
 
 
author: MicrosoftGuyJFlo
manager: dougeby
ms.reviewer: lhuangnorth
ms.date: 07/29/2025
 
ms.service: entra-id
ms.subservice: conditional-access
 
:::image type="content" source="media/agent-optimization/trigger-setting.png" alt-text="Screenshot of the trigger option in the Conditional Access Optimization agent settings." lightbox="media/agent-optimization/trigger-setting.png":::
 
### Microsoft Entra objects to monitor
 
Use the checkboxes under **Microsoft Entra objects to monitor** to specify what the agent should monitor when making policy recommendations. By default the agent looks for both new users and applications in your tenant over the previous 24 hour period.
 
## Agent capabilities
 
By default, the Conditional Access optimization agent can create new policies in report-only mode. You can change this setting so that an administrator must approve the new policy before it's created. The policy is still created in report-only mode, but only after admin approval. After reviewing the policy impact, you can turn on the policy directly from the agent experience or from Conditional Access.
 
## Phased rollout (preview)
 
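Review bot: the new "Agent capabilities" section states the default (the agent can create new policies in report-only mode without anyone approving them) and that this can be changed so an administrator must approve first, but unlike the settings documented above it it does not say where that setting lives or which role can change it; add the navigation path, the setting name and the required role, because a reader hardening the tenant will want to turn approval on before enabling the agent. Also check the heading levels: the section goes from "### Microsoft Entra objects to monitor" to "## Agent capabilities", which moves it out of the settings section it now follows; if that is intended, fine, otherwise it should be "###".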
Modified by John Flores on Jul 29, 2025 8:55 PM
+7 / -3 lines changed
Commit: [Zero Trust] Doc bug fix
Changes:
Before
After
manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 03/05/2025
ms.custom: Identity-Secure-Recommendation
# sfipillar: Accelerate response and remediation
# category: Access control
# userimpact: High
# implementationcost: Medium
---
Assume any users at high risk are compromised by threat actors. Without investigation and remediation, threat actors can execute scripts, deploy malicious applications, or manipulate API calls to establish persistence, based on the potentially compromised user's permissions. Threat actors can then exploit misconfigurations or abuse OAuth tokens to move laterally across workloads like documents, SaaS applications, or Azure resources. Threat actors can gain access to sensitive files, customer records, or proprietary code and exfiltrate it to external repositories while maintaining stealth through legitimate cloud services. Finally, threat actors might disrupt operations by modifying configurations, encrypting data for ransom, or using the stolen information for further attacks, resulting in financial, reputational, and regulatory consequences.
 
**Remediation action**
 
- Create a Conditional Access policy to [require a secure password change for elevated user risk](/entra/identity/conditional-access/policy-risk-based-user).
- Use Microsoft Entra ID Protection to [further investigate risk](/entra/id-protection/howto-identity-protection-investigate-risk).
 
 
 
 
manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 07/29/2025
ms.custom: Identity-Secure-Recommendation
# sfipillar: Accelerate response and remediation
# category: Access control
# userimpact: High
# implementationcost: Medium
---
Assume high risk are compromised by threat actors. Without investigation and remediation, threat actors can execute scripts, deploy malicious applications, or manipulate API calls to establish persistence, based on the potentially compromised user's permissions. Threat actors can then exploit misconfigurations or abuse OAuth tokens to move laterally across workloads like documents, SaaS applications, or Azure resources. Threat actors can gain access to sensitive files, customer records, or proprietary code and exfiltrate it to external repositories while maintaining stealth through legitimate cloud services. Finally, threat actors might disrupt operations by modifying configurations, encrypting data for ransom, or using the stolen information for further attacks, resulting in financial, reputational, and regulatory consequences.
 
Organizations using passwords can rely on password reset to automatically remediate risky users.
 
Organizations using passwordless credentials already mitigate most risk events that accrue to user risk levels, thus the volume of risky users should be considerably lower. Risky users in an organization that uses passwordless credentials must be blocked from access until the user risk is investigated and remediated.
 
**Remediation action**
 
- Create a Conditional Access policy to [require a secure password change for elevated user risk](/entra/identity/conditional-access/policy-risk-based-user).
- Use Microsoft Entra ID Protection to [investigate risk further](/entra/id-protection/howto-identity-protection-investigate-risk).
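Review bot: the edited first sentence is now ungrammatical: "Assume high risk are compromised by threat actors." lost its subject; restore the Before wording "Assume any users at high risk are compromised by threat actors." or use "Assume high-risk users are compromised by threat actors." Separately, the new paragraph says risky users in passwordless organizations must be blocked from access until the risk is investigated and remediated, but the "Remediation action" list still offers only a Conditional Access policy that requires a secure password change, which does nothing for a passwordless user; add a bullet for a Conditional Access policy that blocks access on elevated user risk so the remediation list matches the guidance above it.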
+2 / -2 lines changed
Commit: Update isv-automatic-provisioning-multi-tenant-apps.md
Changes:
Before
After
---
title: Enable automatic user provisioning for multi-tenant applications in Microsoft Entra ID
description: A guide for independent software vendors for enabling automated provisioning in Microsoft Entra ID
 
author: kenwith
ai-usage: ai-assisted
---
 
# Enable automatic user provisioning for your multi-tenant application in Microsoft Entra ID
 
Automatic user provisioning is the process of automating the creation, maintenance, and removal of user identities in target systems like your software-as-a-service applications.
 
---
title: Enable automatic user provisioning for multitenant applications in Microsoft Entra ID
description: A guide for independent software vendors for enabling automated provisioning in Microsoft Entra ID
 
author: kenwith
ai-usage: ai-assisted
---
 
# Enable automatic user provisioning for your multitenant application in Microsoft Entra ID
 
Automatic user provisioning is the process of automating the creation, maintenance, and removal of user identities in target systems like your software-as-a-service applications.
 
+2 / -2 lines changed
Commit: Apply suggestions from code review
Changes:
Before
After
---
title: Add an enterprise application
description: Learn how to add enterprise applications to to your Microsoft Entra external tenant using the admin center. Discover gallery apps, configuration steps, and deployment tips.
ms.author: cmulligan
author: csmulligan
manager: dougeby
1. Select **New application** > **Create your own application**.
1. Start typing the name of the application you want to add. If the application is already in the gallery, it appears in the list. In this article we use **Microsoft Entra SAML Toolkit** as an example.
 
:::image type="content" source="media/how-to-add-enterprise-application/add-enterprise-app.png" alt-text="Add an enterprise application in the external tenant.":::
 
1. Select the application from the list, and then select **Create**.
1. Select **Create**, you're taken to the application that you registered.
---
title: Add an enterprise application
description: Learn how to add enterprise applications to your Microsoft Entra external tenant using the admin center. Discover gallery apps, configuration steps, and deployment tips.
ms.author: cmulligan
author: csmulligan
manager: dougeby
1. Select **New application** > **Create your own application**.
1. Start typing the name of the application you want to add. If the application is already in the gallery, it appears in the list. In this article we use **Microsoft Entra SAML Toolkit** as an example.
 
:::image type="content" source="media/how-to-add-enterprise-application/add-enterprise-app.png" alt-text="Screenshot showing how to add an enterprise application in the external tenant.":::
 
1. Select the application from the list, and then select **Create**.
1. Select **Create**, you're taken to the application that you registered.
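Review bot: the "to to" and alt-text fixes are fine, but the two untouched steps at the end both tell the reader to select Create: "Select the application from the list, and then select **Create**." followed by "Select **Create**, you're taken to the application that you registered." The second is also a comma splice. Either merge them into one step ("Select the application from the list, and then select **Create**. You're taken to the application that you registered.") or, if there really are two Create buttons, say which pane each one is on.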
Modified by Sudhakaran-S-micro on Jul 29, 2025 9:19 AM
+2 / -2 lines changed
Commit: Updated the test connection and added new image
Changes:
Before
After
 
![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
 
1. In the **Admin Credentials** section, enter the **Tenant Url** and then select Authorize, make sure that you enter your Puzzel account's Admin credentials. Select **Test Connection** to ensure Microsoft Entra ID can connect to Puzzel. If the connection fails, ensure your Puzzel account has Admin permissions and try again.
 
![Screenshot of Token.](media/puzzel-provisioning-tutorial/test-connection.png)
1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
![Screenshot of Notification Email.](common/provisioning-notification-email.png)
 
![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
 
1. Under the **Admin Credentials** section, input your Puzzel Tenant URL, Token Endpoint, Client Identifier and Client Secret. Select **Test Connection** to ensure Microsoft Entra ID can connect to Puzzel. If the connection fails, ensure your Puzzel account has Admin permissions and try again.
 
![Screenshot of Token.](media/puzzel-provisioning-tutorial/test-connection-new.png)
1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
![Screenshot of Notification Email.](common/provisioning-notification-email.png)
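Review bot: the step now asks for a Tenant URL, Token Endpoint, Client Identifier and Client Secret, that is, client credentials instead of an interactive admin sign-in via Authorize, but the failure guidance in the same step still says "ensure your Puzzel account has Admin permissions and try again", which no longer matches what the reader entered; reword it to check the token endpoint and the client identifier/secret pair (and that the client has the permissions Puzzel requires for provisioning). It is also worth one sentence on where in Puzzel the Client Secret is obtained and that it should be rotated there if it is ever exposed, since that secret now authorizes user creation, updates and removal in the Puzzel tenant.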
+1 / -1 lines changed
Commit: July 29 ready for sign-off
Changes:
Before
After
ms.author: kenwith
manager: dougeby
ms.topic: conceptual
ms.date: 07/18/2025
ms.service: global-secure-access
ai-usage: ai-assisted
---
ms.author: kenwith
manager: dougeby
ms.topic: conceptual
ms.date: 07/29/2025
ms.service: global-secure-access
ai-usage: ai-assisted
---
+1 / -1 lines changed
Commit: July 29 ready for sign-off
Changes:
Before
After
ms.author: jayrusso
ms.service: global-secure-access
ms.topic: overview
ms.date: 07/18/2025
manager: dougeby
ms.reviewer: kerenSemel
 
ms.author: jayrusso
ms.service: global-secure-access
ms.topic: overview
ms.date: 07/29/2025
manager: dougeby
ms.reviewer: kerenSemel
 
+1 / -1 lines changed
Commit: Update entitlement-management-verified-id-settings.md
Changes:
Before
After
1. Select **Add** to add the verified ID requirement to the access package policy.
1. If you want users to complete a Face Check, select **Require Face Check**. This will ask users requesting the access package to perform a real-time, privacy compliant selfie check against the photo that is stored on their Verified ID. Once you select the checkbox, it will ask you to select the claim name that maps to the photo on the ID. For more information on Face Check, see [Use Face Check with Microsoft Entra Verified ID](~/verified-id/using-facecheck.md).
 
1. If you want users to complete a Face Check, select **Require Face Check**. This will ask users requesting the access package to perform a real-time, privacy compliant selfie check against the photo that is stored on their Verified ID. Once you select the checkbox, it will ask you to select the claim name that maps to the photo on the ID. For more information on Face Check, see [Use Face Check with Microsoft Entra Verified ID](~/verified-id/using-facecheck.md).
:::image type="content" source="media/entitlement-management-verified-id-settings/require-face-check.png" alt-text="Screenshot of the require face check option.":::
1. Once you finish configuring the rest of the settings, you can review your selections on the **Review + create** tab. You can see all verified ID requirements for this access package policy in the **Verified IDs** section.
:::image type="content" source="media/entitlement-management-verified-id-settings/verified-ids-list.png" alt-text="Screenshot of a list of verified IDs.":::
 
1. Select **Add** to add the verified ID requirement to the access package policy.
1. If you want users to complete a Face Check, select **Require Face Check**. This will ask users requesting the access package to perform a real-time, privacy compliant selfie check against the photo that is stored on their Verified ID. Once you select the checkbox, it will ask you to select the claim name that maps to the photo on the ID. For more information on Face Check, see [Use Face Check with Microsoft Entra Verified ID](~/verified-id/using-facecheck.md).
 
:::image type="content" source="media/entitlement-management-verified-id-settings/require-face-check.png" alt-text="Screenshot of the require face check option.":::
1. Once you finish configuring the rest of the settings, you can review your selections on the **Review + create** tab. You can see all verified ID requirements for this access package policy in the **Verified IDs** section.
:::image type="content" source="media/entitlement-management-verified-id-settings/verified-ids-list.png" alt-text="Screenshot of a list of verified IDs.":::
 
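Review bot: removing the duplicated "Require Face Check" step is the right fix, but the `:::image` directive that now follows the blank line is not indented under the list item; in Markdown a blank line followed by unindented content ends the numbered list, so the "Once you finish configuring the rest of the settings" step will render as a new list starting at 1. Indent the image directive under the step (as the screenshot after the "Select **Add**" step would need too). Minor: "privacy compliant selfie check" should be hyphenated as "privacy-compliant selfie check".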
+1 / -1 lines changed
Commit: IDP flow removed.
Changes:
Before
After
 
Feature |Workforce tenant | External tenant |
|---------|---------|---------|
| **Application gallery** | The [application gallery](/entra/identity/enterprise-apps/overview-application-gallery) contains thousands of applications that are preintegrated into Microsoft Entra ID. | Choose from a range of pre-integrated apps. To find a third-party app, use the search bar. The full application gallery catalog isn’t available yet. |
| **Register a custom enterprise application** | [Add an enterprise application.](/entra/identity/enterprise-apps/add-application-portal) | [Register a SAML app in your external tenant.](/entra/external-id/customers/how-to-register-saml-app) |
| **Self-service application assignment** | Let users [self-discover apps](/entra/identity/enterprise-apps/manage-self-service-access). | Self-service application assignment in the [My Apps portal](/entra/identity/enterprise-apps/myapps-overview) is not available. |
| **Application proxy** | [Microsoft Entra application proxy](/entra/identity/app-proxy/overview-what-is-app-proxy) provides secure remote access to on-premises web applications. | Not available. |
 
Feature |Workforce tenant | External tenant |
|---------|---------|---------|
| **Application gallery** | The [application gallery](/entra/identity/enterprise-apps/overview-application-gallery) contains thousands of applications that are preintegrated into Microsoft Entra ID. | Choose from a range of pre-integrated apps. To find a third-party app, use the search bar. The application gallery catalog isn’t available yet. |
| **Register a custom enterprise application** | [Add an enterprise application.](/entra/identity/enterprise-apps/add-application-portal) | [Register a SAML app in your external tenant.](/entra/external-id/customers/how-to-register-saml-app) |
| **Self-service application assignment** | Let users [self-discover apps](/entra/identity/enterprise-apps/manage-self-service-access). | Self-service application assignment in the [My Apps portal](/entra/identity/enterprise-apps/myapps-overview) is not available. |
| **Application proxy** | [Microsoft Entra application proxy](/entra/identity/app-proxy/overview-what-is-app-proxy) provides secure remote access to on-premises web applications. | Not available. |
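Review bot: dropping "full" changes the meaning of the External tenant cell: "The application gallery catalog isn't available yet." now says the catalog is not available at all, which contradicts the preceding sentence in the same cell ("Choose from a range of pre-integrated apps."). If the intent is that only a subset of the gallery is offered, keep "full" or say "Only a subset of the application gallery is available in external tenants"; if it is the gallery browsing experience that is missing, say that instead. The commit message ("IDP flow removed.") also doesn't correspond to anything visible in this region; confirm the right hunk was included.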