📋 Microsoft Entra Documentation Changes

Daily summary for changes since November 6th 2025, 7:09 PM PST

Report generated on November 7th 2025, 7:09 PM PST

📊 Summary

- Total commits: 37
- New files: 0
- Modified files: 9
- Deleted files: 0
- Contributors: 14

πŸ“ Modified Documentation Files

+9 / -9 lines changed
Commit: Update SPN configuration instructions in documentation
Changes:
Before
After
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
1. Go to **Global Secure Access** > **Applications** > **Quick Access** > and **Application segment** then select **Add Quick Access application segment**. Use port `88` and select **TCP**.
1. Go to **Service principal name** and then select **Add Service principal name** to add the SPNs for the resources you want to secure. The system automatically delivers these SPNs to the Private Access Sensors installed on your domain controllers.
 
![Diagram showing Quick Access settings when configuring Microsoft Entra Private Access integration with Active Directory Domain Controllers.](media/how-to-configure-domain-controllers/quick-access-settings.png)
 
 
### 7. Configure Private Access Sensor policy files
 
Installing the sensor creates two JSON policy files (`cloudpolicy` and `localpolicy`) at the sensor installation path.
 
1. Confirm that the SPNs configured earlier are present in the `cloudpolicy` file.
1. In the `localpolicy` file, add the private connector IPs to the `SourceIPAllowList` and save. Only Kerberos requests from these connector IPs are allowed; others are blocked.
 
## Exclusions and inclusions for SPNs
 
When configuring Service Principal Names (SPNs) in the Private Access Sensor policy, you may have users or machines in your environment that do not have the Global Secure Access client installed. To allow these users or machines to access the specified SPNs after the Private Access Sensor is deployed, you can configure exclusions or inclusions for each SPN in the `localpolicy` file.
 
> [!NOTE]
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
1. Go to **Global Secure Access** > **Applications** > **Quick Access** > and **Application segment** then select **Add Quick Access application segment**. Use port `88` and select **TCP**.
1. Next go to **Service principal name** and then select **Add Service principal name** to add the SPNs for the resources you want to secure. The system automatically delivers these SPNs to the Private Access Sensors installed on your domain controllers.
 
![Diagram showing Quick Access settings when configuring Microsoft Entra Private Access integration with Active Directory Domain Controllers.](media/how-to-configure-domain-controllers/quick-access-settings.png)
 
 
### 7. Configure Private Access Sensor policy files
 
Installing the sensor creates two JSON policy files (`cloudpolicy` and `localpolicy`) at the sensor installation path. Do not modify the `cloudpolicy` file.
 
1. Confirm that the SPNs configured earlier are present in the `cloudpolicy` file.
1. In the `localpolicy` file, add the private connector IPs to the `SourceIPAllowList` and save. Only Kerberos requests from these connector IPs are allowed; others are blocked.
 
## Exclusions and inclusions for SPNs
 
When configuring Service Principal Names (SPNs) in the Private Access Sensor policy, you may have users or machines in your environment that do not have the Global Secure Access client installed. To allow these users or machines to access the specified SPNs after the Private Access Sensor is deployed, you can configure exclusions or inclusions for each SPN from the Microsoft Entra Admin Center or in the `localpolicy` file. Any exlcusions or inclusions configured from the Admin Center will be present in the the `cloudpolicy` file.
 
> [!NOTE]
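Review bot: the After sentence "Any exlcusions or inclusions configured from the Admin Center will be present in the the `cloudpolicy` file" has two typos ("exlcusions", "the the"); suggest "Any exclusions or inclusions configured from the Admin Center are present in the `cloudpolicy` file." Beyond the typos, the section now describes two places to define exclusions and inclusions for the same SPN (the Admin Center, which lands in `cloudpolicy`, and `localpolicy`, which the admin edits by hand) without saying which one takes precedence when both define an entry for one SPN, or whether they merge; since the new text also says "Do not modify the `cloudpolicy` file", an admin who edits only `localpolicy` needs to know whether an Admin Center inclusion can override it. Step 2's "Only Kerberos requests from these connector IPs are allowed; others are blocked" should also be qualified, because an exclusion configured per this section is exactly a case where other sources are allowed.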
+9 / -4 lines changed
Commit: update TLS policy limit
Changes:
Before
After
|AES256-SHA |
## Known limitations
TLS inspection has the following known limitations:
- When a TLS inspection rule is enabled, all categories except Education, Government, Finance, and Health and Medicine are decrypted by default. Additionally, Global Secure Access manages a system bypass list that includes common destinations known to be incompatible with TLS inspection. If a request matches the system bypass, the TLS action is logged as Bypassed. Work is underway to support custom TLS rules for intercepting or bypassing specific destinations or categories. In the meantime, use the custom bypass feature in the Internet Access forwarding profile to exclude destinations that TLS inspection affects.
- Make sure each certificate signing request (CSR) you generate has a unique certificate name and isn't reused. The signed certificate must stay valid for at least one year.
- You can use only one active certificate at a time.
- TLS inspection doesn't support Application-Layer Protocol Negotiation (ALPN) version 2. If a destination site requires HTTP/2, the upstream TLS handshake fails, and the site isn't accessible when TLS inspection is enabled.
- TLS inspection doesn't follow Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP) links when validating destination certificates.
## Mobile platform
- Many mobile applications implement certificate pinning, which prevents successful TLS inspection and can lead to app failures. As a result, there is limited support for TLS inspection on mobile platforms. At this time, we recommend enabling TLS inspection for the Windows platform only
 
## Related content
 
* [Configure Transport Layer Security](how-to-transport-layer-security.md)
* [Frequently asked questions for Transport Layer Security inspection](faq-transport-layer-security.yml)
 
 
 
 
 
|AES256-SHA |
## Known limitations
TLS inspection has the following known limitations:
- TLS inspection supports up to 100 policies, 1000 rules and 8000 destinations
- Make sure each certificate signing request (CSR) you generate has a unique certificate name and isn't reused. The signed certificate must stay valid for at least 6 months.
- You can use only one active certificate at a time.
- TLS inspection doesn't support Application-Layer Protocol Negotiation (ALPN) version 2. If a destination site requires HTTP/2, the upstream TLS handshake fails, and the site isn't accessible when TLS inspection is enabled.
- TLS inspection doesn't follow Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP) links when validating destination certificates.
## Mobile platform
- Many mobile applications implement certificate pinning, which prevents successful TLS inspection, resulting in handshake failures or loss of functionality. To reduce risk, enable TLS inspection in a test environment first and validate that critical applications are compatible. For apps that rely on certificate pinning, configure TLS inspection custom rules to bypass these destinations using domain-based or category-based rules.
 
## Related content
 
* [Configure Transport Layer Security Policies](how-to-transport-layer-security.md)
 
* [Configure TLS settings](how-to-configure-tls-settings.md)
 
* [Frequently asked questions for Transport Layer Security inspection](faq-transport-layer-security.yml)
 
* [Troubleshooting guide for Transport Layer Security inspection](troubleshoot-transport-layer-security.md)
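Review bot: the After list removes the bullet stating that Education, Government, Finance, and Health and Medicine categories are not decrypted by default, that Global Secure Access keeps a system bypass list, and that matching requests are logged as Bypassed; if that behaviour still applies it is security-relevant (it defines which traffic an analyst will and will not see inspected) and belongs on the configuration or troubleshooting page rather than being dropped silently, and if it no longer applies the commit message should say so. The replacement bullet "TLS inspection supports up to 100 policies, 1000 rules and 8000 destinations" should use the same wording and serial comma as the reference-current-known-limitations.md change later in this report ("100 TLS inspection policies, 1000 rules, and 8000 destinations"). Finally, the certificate validity requirement changes from "at least one year" to "at least 6 months" with no mention in the commit message; confirm the Configure TLS settings page added to Related content states the same figure so the two pages do not disagree.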
Modified by Barclay Neira on Nov 7, 2025 7:21 PM
+4 / -4 lines changed
Commit: Update IDV partner documentation links
Changes:
Before
After
author: barclayn
manager: pmwongera
ms.topic: how-to
ms.date: 10/14/2025
ms.author: barclayn
---
 
 
| Partner | Partner documentation | Description |
|---------|----------------------|-------------|
| 1Kosmos | [1Kosmos deployment guide](https://aka.ms/1kosmosvidguide) | 1Kosmos and Microsoft Entra Verified ID unite to deliver trusted, privacy-preserving identity verification that empowers secure, passwordless access across ecosystems. |
| Au10tix | [Au10tix documentation](https://www.au10tix.com/solutions/verifiable-credentials/) | AU10TIX improves Verifiability While Protecting Privacy For Businesses, Employees, Contractors, Vendors, And Customers. |
| Clear | [Clear documentation](https://ir.clearme.com/news-events/press-releases/detail/25/clear-collaborates-with-microsoft-to-create-more-secure) | Clear Collaborates with Microsoft to Create More Secure Digital Experience Through Verification Credential. |
| ID Dataweb | [ID Dataweb deployment guide](https://aka.ms/iddatawebguide) | ID Dataweb offers secure and low friction identity verification processes to ensure the validity of your Microsoft Entra Verified ID credential. Easy to integrate, easy for your users, secure for your enterprise. |
| Idemia | [Idemia documentation](https://na.idemia.com/identity/verifiable-credentials/) | Idemia Integration with Microsoft Entra Verified ID enables "Verify once, use everywhere" functionality. |
| Jumio | [Jumio deployment guide](https://www.jumio.com/microsoft-verifiable-credentials/) | Jumio is helping to support a new form of digital identity by Microsoft based on verifiable credentials and decentralized identifiers standards to let consumers verify once and use everywhere. |
| LexisNexis | [LexisNexis documentation](https://solutions.risk.lexisnexis.com/did-microsoft) | LexisNexis risk solutions Verifiable credentials enable faster onboarding for employees, students, citizens, or others to access services. |
| Persona | [Persona deployment guide](https://help.withpersona.com/articles/2sjBNj9gDT6ea7kShXVb5q/) | Persona integrates with Microsoft Entra Verified ID to unlock identity verification processes, enabling trusted user-owned credentials and frictionless onboarding. |
| Transmit Security | [Transmit Security deployment guide](https://aka.ms/transmitsecurityguide) | Mosaic by Transmit Security integrates with Microsoft Entra Verified ID to deliver seamless, secure, and accurate identity verification through verifiable credentials. |
| Vu | [Vu documentation](https://www.vusecurity.com/es/products/digital-identity) | Vu verifiable credentials with just a selfie and your ID. |
author: barclayn
manager: pmwongera
ms.topic: how-to
ms.date: 11/07/2025
ms.author: barclayn
---
 
 
| Partner | Partner documentation | Description |
|---------|----------------------|-------------|
| 1Kosmos | [1Kosmos deployment guide](https://docs.1kosmos.com/productdocs/docs/verifiable-credentials/1Kosmos-entra-verified-id/) | 1Kosmos and Microsoft Entra Verified ID unite to deliver trusted, privacy-preserving identity verification that empowers secure, passwordless access across ecosystems. |
| Au10tix | [Au10tix documentation](https://www.au10tix.com/solutions/verifiable-credentials/) | AU10TIX improves Verifiability While Protecting Privacy For Businesses, Employees, Contractors, Vendors, And Customers. |
| Clear | [Clear documentation](https://ir.clearme.com/news-events/press-releases/detail/25/clear-collaborates-with-microsoft-to-create-more-secure) | Clear Collaborates with Microsoft to Create More Secure Digital Experience Through Verification Credential. |
| ID Dataweb | [ID Dataweb deployment guide](https://docs.iddataweb.com/docs/microsoft) | ID Dataweb offers secure and low friction identity verification processes to ensure the validity of your Microsoft Entra Verified ID credential. Easy to integrate, easy for your users, secure for your enterprise. |
| Idemia | [Idemia documentation](https://na.idemia.com/identity/verifiable-credentials/) | Idemia Integration with Microsoft Entra Verified ID enables "Verify once, use everywhere" functionality. |
| Jumio | [Jumio deployment guide](https://www.jumio.com/microsoft-verifiable-credentials/) | Jumio is helping to support a new form of digital identity by Microsoft based on verifiable credentials and decentralized identifiers standards to let consumers verify once and use everywhere. |
| LexisNexis | [LexisNexis documentation](https://solutions.risk.lexisnexis.com/did-microsoft) | LexisNexis risk solutions Verifiable credentials enable faster onboarding for employees, students, citizens, or others to access services. |
| Persona | [Persona deployment guide](https://help.withpersona.com/articles/2sjBNj9gDT6ea7kShXVb5q/) | Persona integrates with Microsoft Entra Verified ID to unlock identity verification processes, enabling trusted user-owned credentials and frictionless onboarding. |
| Transmit Security | [Transmit Security deployment guide](https://developer.transmitsecurity.com/guides/verify/integrate_idv_with_endtraid/) | Mosaic by Transmit Security integrates with Microsoft Entra Verified ID to deliver seamless, secure, and accurate identity verification through verifiable credentials. |
| Vu | [Vu documentation](https://www.vusecurity.com/es/products/digital-identity) | Vu verifiable credentials with just a selfie and your ID. |
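Review bot: the new Transmit Security URL `https://developer.transmitsecurity.com/guides/verify/integrate_idv_with_endtraid/` ends in "endtraid" rather than "entraid"; confirm it resolves before merging, because the aka.ms redirect it replaces could have been fixed centrally while a direct vendor URL cannot. The same applies to the replaced 1Kosmos and ID Dataweb links: all three now point at vendor-hosted documentation outside Microsoft's control, so they should be rechecked periodically for dead links or content changes.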
+4 / -4 lines changed
Commit: PM edits
Changes:
Before
After
description: Learn how to enable the Intelligent Local Access (ILA) capability for Microsoft Entra Private Access, which optimizes traffic flow for clients accessing Entra apps via private networks.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 11/18/2025
ms.author: jfields
author: jenniferf-skc
manager: dougeby
 
# Enable Intelligent Local Access (preview)
 
Intelligent Local Access capability can help optimize the traffic flow from Microsoft Entra clients to Microsoft Entra apps through private access when the client is on corporate/private network. This article explains how to enable the Intelligent Private Network for Microsoft Entra Private Access.
 
## Prerequisites
 
To configure a Global Secure Access Private Networks, you must have:
 
- [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator)Β role or theΒ [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) role.
 
 
## Private Access overview
description: Learn how to enable the Intelligent Local Access (ILA) capability for Microsoft Entra Private Access, which optimizes traffic flow for clients accessing Entra apps via private networks.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 11/07/2025
ms.author: jfields
author: jenniferf-skc
manager: dougeby
 
# Enable Intelligent Local Access (preview)
 
Intelligent Local Access capability can help optimize the traffic flow from Microsoft Entra clients to Microsoft Entra Private Access apps when the client is on a corporate/private network. This article explains how to enable the Intelligent Private Network for Microsoft Entra Private Access.
 
## Prerequisites
 
To configure a Global Secure Access (GSA) Private Networks, you must have:
 
- [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator)Β role or theΒ [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) role.
 
 
## Private Access overview
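Review bot: the intro still ends with "This article explains how to enable the Intelligent Private Network for Microsoft Entra Private Access" while the title and the preceding sentence call the feature Intelligent Local Access; use one name throughout. In Prerequisites, "To configure a Global Secure Access (GSA) Private Networks" pairs a singular article with a plural noun; suggest "To configure Global Secure Access (GSA) Private Networks". The ms.date correction from the future date 11/18/2025 to 11/07/2025 is right.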
+5 / -1 lines changed
Commit: exchange backup admin changes
Changes:
Before
After
ms.date: 10/16/2025
ms.custom: include file
---
 
 
<!-- autogenerated content starts here -->
 
 
 
 
 
ms.date: 10/16/2025
ms.custom: include file
---
Assign the Exchange Backup Administrator role to users who need to do the following tasks:
- Manage all aspects of Microsoft 365 Backup for Exchange Online
- Back up and restore content including granular restore for Exchange Online
- Create, edit, and manage backup configuration policies for Exchange Online
- Perform restore operations for Exchange Online
 
<!-- autogenerated content starts here -->
 
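Review bot: bullets 2 and 4 of the new Exchange Backup Administrator description overlap ("Back up and restore content including granular restore for Exchange Online" and "Perform restore operations for Exchange Online"); merge them so the role summary does not read as two distinct restore capabilities. Also, ms.date stays at 10/16/2025 although the include's content changed; bump it to the date of this commit.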
+5 / -1 lines changed
Commit: edits based on robert feedback
Changes:
Before
After
ms.custom: include file
---
 
 
<!-- autogenerated content starts here -->
 
> [!div class="mx-tableFixed"]
 
 
 
 
ms.custom: include file
---
 
Assign the SharePoint Backup Administrator role to users who need to do the following tasks:
- Manage all aspects of Microsoft 365 Backup for SharePoint and OneDrive
- Back up and restore content including granular restore across SharePoint and OneDrive
- Create, edit, and manage backup configuration policies for SharePoint and OneDrive
- Perform restore operations for SharePoint and OneDrive
<!-- autogenerated content starts here -->
 
> [!div class="mx-tableFixed"]
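Review bot: the After block places `<!-- autogenerated content starts here -->` directly after "- Perform restore operations for SharePoint and OneDrive" with no blank line, which markdown can render as part of the list; insert a blank line, as the Exchange include in this same report does. As with the Exchange description, bullets 2 and 4 both describe restore and should be merged.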
+1 / -1 lines changed
Commit: Update docs/global-secure-access/reference-current-known-limitations.md
Changes:
Before
After
## Internet Access limitations
Known limitations for Internet Access include:
- Currently, an admin can create up to 100 web content filtering policies and up to 1,000 rules based on up to 8,000 total FQDNs. Admins can also create up to 256 security profiles.
- TLS inspection supports up to 100 TLS inspection policies, 1000 rules and 8000 destinations.
- The platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
- The Global Secure Access client doesn't support IPv6. The client tunnels only IPv4 traffic. IPv6 traffic isn't acquired by the client and is therefore transferred directly to the network. To make sure that all traffic is routed to Global Secure Access, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- UDP isn't supported on this platform yet.
## Internet Access limitations
Known limitations for Internet Access include:
- Currently, an admin can create up to 100 web content filtering policies and up to 1,000 rules based on up to 8,000 total FQDNs. Admins can also create up to 256 security profiles.
- TLS inspection supports up to 100 TLS inspection policies, 1000 rules, and 8000 destinations.
- The platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
- The Global Secure Access client doesn't support IPv6. The client tunnels only IPv4 traffic. IPv6 traffic isn't acquired by the client and is therefore transferred directly to the network. To make sure that all traffic is routed to Global Secure Access, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- UDP isn't supported on this platform yet.
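Review bot: the serial comma is fine, but the TLS bullet formats its numbers as "1000 rules, and 8000 destinations" while the bullet immediately above writes "1,000 rules" and "8,000 total FQDNs"; use thousands separators in both so the two limits read consistently.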
Modified by John Flores on Nov 7, 2025 2:44 PM
+1 / -1 lines changed
Commit: Update link for Zero Trust Assessment documentation
Changes:
Before
After
 
## Automated assessment
 
Manually checking this guidance against a tenant's configuration can be time-consuming and error-prone. The Zero Trust Assessment transforms this process with automation to test for these security configuration items and more. Learn more in [What is the Zero Trust Assessment?](/zero-trust/assessment/overview)
 
## Protect identities and secrets
 
 
## Automated assessment
 
Manually checking this guidance against a tenant's configuration can be time-consuming and error-prone. The Zero Trust Assessment transforms this process with automation to test for these security configuration items and more. Learn more in [What is the Zero Trust Assessment?](/security/zero-trust/assessment/overview)
 
## Protect identities and secrets
 
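Review bot: the link target moves from `/zero-trust/assessment/overview` to `/security/zero-trust/assessment/overview`; search the rest of the docs set for the old path, since any other page still using it will break the same way, and confirm the old path redirects so existing bookmarks keep working.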
Modified by TheWriteDoc on Nov 7, 2025 7:55 PM
+1 / -0 lines changed
Commit: exchange backup admin changes
Changes:
Before
After
 
| Date | Area | Description |
| --- | --- | --- |
|Nov 2025 | Roles | Updated [SharePoint Backup Administrator](permissions-reference.md#sharepoint-backup-administrator) role. |
| Oct 2025 | Roles | Added [Dragon Administrator](permissions-reference.md#dragon-administrator) role. |
| August 2025 | Roles | Added [Teams Reader](permissions-reference.md#teams-reader) role. |
 
 
| Date | Area | Description |
| --- | --- | --- |
|Nov 2025 | Roles | Updated [Exchange Backup Administrator](permissions-reference.md#exchange-backup-administrator) role. |
|Nov 2025 | Roles | Updated [SharePoint Backup Administrator](permissions-reference.md#sharepoint-backup-administrator) role. |
| Oct 2025 | Roles | Added [Dragon Administrator](permissions-reference.md#dragon-administrator) role. |
| August 2025 | Roles | Added [Teams Reader](permissions-reference.md#teams-reader) role. |
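Review bot: the new row "|Nov 2025 | Roles | Updated [Exchange Backup Administrator]" omits the space after the leading pipe that the Oct 2025 and August 2025 rows use; format it as "| Nov 2025 |" (the SharePoint row from the previous commit has the same inconsistency). The entry says "Updated", but the exchange backup admin change earlier in this report adds the role's description where none existed before; "Added description for Exchange Backup Administrator role" would describe the change more precisely.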