MODIFIED docs/identity/hybrid/connect/authenticate-application-id.md

Modified by omondiatieno on Nov 20, 2025 3:01 PM
📖 View on learn.microsoft.com

+642 / -288 lines changed

Commit: Modern auth updates

Changes:

Before

After

manager: mwongerapk
ms.service: entra-id
ms.topic: how-to
ms.tgt_pltfrm: na
ms.date: 07/24/2025
ms.subservice: hybrid
ms.author: jomondi
Microsoft Entra Connect provides three options for application and certificate management:
 
- [Managed by Microsoft Entra Connect (default)](#managed-by-microsoft-entra-connect-default)
- [Bring Your Own Application (BYOA)](#bring-your-own-application)
- [Bring Your Own Certificate (BYOC)](#bring-your-own-certificate)
 
> [!NOTE]
> The [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) role grants the ability to consent for application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph. This means that the application administrator can still consent to application permissions for other apps, notably the AWS first-party app and SSPR first-party app.
>
> This role also grants the ability to manage application credentials. User assigned to this role can add credentials to an application (notably the Connect Sync) and use those credentials to impersonate the application's identity. This might be an elevation of privilege over what the user can do via their role assignments.
 
 
 :::image type="content" source="media/authenticate-application-id/auth-1.png" alt-text="Diagram that shows authentication with application ID." lightbox="media/authenticate-application-id/auth-1.png":::

manager: mwongerapk
ms.service: entra-id
ms.topic: how-to
ms.date: 07/24/2025
ms.subservice: hybrid
ms.author: jomondi
Microsoft Entra Connect provides three options for application and certificate management:
 
- [Managed by Microsoft Entra Connect (default)](#managed-by-microsoft-entra-connect-default)
- [Bring Your Own Certificate (BYOC)](#bring-your-own-certificate)
- [Bring Your Own Application (BYOA)](#bring-your-own-application)
 
> [!NOTE]
> The [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) role grants the ability to consent for application permissions, except for application permissions for Azure AD Graph and Microsoft Graph. This means that the application administrator can still consent to application permissions for other apps, notably the AWS first-party app, and SSPR first-party app.
>
> This role also grants the ability to manage application credentials. User assigned to this role can add credentials to an application (notably the Connect Sync) and use those credentials to impersonate the application's identity. This might be an elevation of privilege over what the user can do via their role assignments.
 
 
 :::image type="content" source="media/authenticate-application-id/auth-1.png" alt-text="Diagram that shows authentication with application ID." lightbox="media/authenticate-application-id/auth-1.png":::
 

MODIFIED docs/identity/authentication/kerberos.md

Modified by barclayn on Nov 20, 2025 3:47 PM
📖 View on learn.microsoft.com

+9 / -9 lines changed

Commit: addressing reviewer comments

Changes:

Before

After

 
For example, when a Microsoft Entra ID-joined Windows client accesses a file share or application over the internet, Microsoft Entra ID can issue the necessary Kerberos tickets as a KDC associated with the resource.
 
**Cloud-only identity support (Preview)**: Cloud-only identities can now use Kerberos authentication for workloads like Azure Files without requiring on-prem AD DS. This is enabled by Entra Kerberos, which acts as a cloud-based KDC.
 
**Enhanced security with modern credentials support**: Users can sign in by using passwordless methods such as Windows Hello for Business or FIDO2 security keys, yet still access on-premises resources that have Kerberos protections. This ability enables multifactor authentication (MFA) and passwordless authentication to reduce the risks associated with password theft and phishing attacks.
 
Upon successful authentication, Microsoft Entra ID issues a PRT that contains user and device information. Alongside the PRT, Microsoft Entra ID issues a Cloud TGT for the realm `KERBEROS.MICROSOFTONLINE.COM`.
 
Microsoft Entra ID also issues a OnPremTgt(partial TGT) that contains the user's security identifier (SID) but no group claims. This partial TGT is not sufficient for direct access to on-premises resources.
 
#### Cloud TGT issuance
 
Microsoft Entra ID acts as a KDC for cloud resources by issuing a Cloud TGT to the client when appropriate. The client recognizes the Microsoft Entra ID tenant as a separate Kerberos realm for cloud resources, and the TGT is stored in the client's Kerberos ticket cache. The Cloud TGT is cached locally and can be verified using PowerShell command 'klist cloud_debug'
 
The Cloud TGT that Microsoft Entra ID issues:
 
- On-premises domain controllers must be patched to support Kerberos Cloud Trust.
- Ensure line of sight between client devices and domain controllers for ticket exchange.

 
For example, when a Microsoft Entra ID-joined Windows client accesses a file share or application over the internet, Microsoft Entra ID can issue the necessary Kerberos tickets as a KDC associated with the resource.
 
**Cloud-only identity support (Preview)**: Cloud-only identities can now use Kerberos authentication for workloads like Azure Files without requiring on-premises AD DS. This is enabled by Entra Kerberos, which acts as a cloud-based KDC.
 
**Enhanced security with modern credentials support**: Users can sign in by using passwordless methods such as Windows Hello for Business or FIDO2 security keys, yet still access on-premises resources that have Kerberos protections. This ability enables multifactor authentication (MFA) and passwordless authentication to reduce the risks associated with password theft and phishing attacks.
 
Upon successful authentication, Microsoft Entra ID issues a PRT that contains user and device information. Alongside the PRT, Microsoft Entra ID issues a Cloud TGT for the realm `KERBEROS.MICROSOFTONLINE.COM`.
 
Microsoft Entra ID also issues an OnPremTgt (partial TGT) that contains the user's security identifier (SID) but no group claims. This partial TGT is not sufficient for direct access to on-premises resources.
 
#### Cloud TGT issuance
 
Microsoft Entra ID acts as a KDC for cloud resources by issuing a Cloud TGT to the client when appropriate. The client recognizes the Microsoft Entra ID tenant as a separate Kerberos realm for cloud resources, and the TGT is stored in the client's Kerberos ticket cache. The Cloud TGT is cached locally and can be verified using PowerShell command 'klist cloud_debug'.
 
The Cloud TGT that Microsoft Entra ID issues:
 
- On-premises domain controllers must be patched to support Kerberos Cloud Trust.
- Ensure line of sight between client devices and domain controllers for ticket exchange.

MODIFIED docs/includes/entra-entitlement-management-request-policy.md

Modified by Ortagus Winfrey on Nov 20, 2025 3:30 PM
📖 View on learn.microsoft.com

+7 / -6 lines changed

Commit: new note

Changes:

Before

After

 
    After you create the access package, you can directly assign specific internal and external users to it. If you specify an external user, a guest user account is created in your directory. For information about directly assigning a user, see [View, add, and remove assignments for an access package](~/id-governance/entitlement-management-access-package-assignments.md).
 
1. Skip down to the [Enable requests](#enable-requests) section.
 
## Specify approval settings
 
You can always either enable, or disable, email notifications in the future after you finish creating the access package.    
 
## Enable requests
 
1. If you want the access package to be made immediately available for users in the request policy to request, move the **Enable new requests and assignments** toggle to **Yes**.
 
    You can always enable it in the future, after you finish creating the access package.
 
    If you select **None (administrator direct assignments only)** and you set **Enable new requests and assignments** to **No**, administrators can't directly assign this access package.
 
    ![Screenshot that shows the option for enabling new requests and assignments.](./media/entitlement-management-request-policy/enable-requests.png)

 
    After you create the access package, you can directly assign specific internal and external users to it. If you specify an external user, a guest user account is created in your directory. For information about directly assigning a user, see [View, add, and remove assignments for an access package](~/id-governance/entitlement-management-access-package-assignments.md).
 
1. Skip down to the [Who can request access](#who-can-request-access) section.
 
## Specify approval settings
 
You can always either enable, or disable, email notifications in the future after you finish creating the access package.    
 
## Who can request access
 
1. After deciding who the access package is for you can designate who can request access for the access package. You can choose Self, Admin, or Manager as those who can request access.
 
You can always enable it in the future, after you finish creating the access package.
 
If you selected **None (administrator direct assignments only)** and you set enable to **No**, then administrators can't directly assign this access package.
 
![Screenshot that shows the option for enabling new requests and assignments.](./media/entitlement-management-request-policy/enable-requests.png)

MODIFIED docs/identity/enterprise-apps/assign-agent-identities-to-applications.md

Modified by omondiatieno on Nov 20, 2025 4:29 PM
📖 View on learn.microsoft.com

+4 / -6 lines changed

Commit: fix blocking issues

Changes:

Before

After

 
Applications using the Microsoft Entra identity platform can [expose APIs for other client applications to call](../../identity-platform/quickstart-configure-app-expose-web-apis.md#register-the-web-api). The application with the API can expose OAuth scopes for those API calls. The tool's service principal can be consented permission to those scopes, allowing it to call the APIs.
 
:::image type="content" source="../../identity-platform/media/quickstart-configure-app-access-web-apis/diagram-01-app-permission-to-api-scopes.svg" alt-text="Line diagram showing a web API with exposed scopes on the right and a client app on the left with those scopes selected as permissions" border="false":::
 
For more information on consenting an agent identity or service principal, see [admin consent for application permissions](grant-admin-consent.md#grant-admin-consent-for-application-permissions-using-microsoft-graph-api).
 
## Assigning an agent identity to an application role
 
Once these applications, users, role assignments, and grants are in place in the tenant, then an agent that needs a SAML assertion for authenticating to the enterprise application can:
 
1. Get a token as the agent identity blueprint.
1. Use that token to make a token request to `https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token` endpoint, and get a federated identity credential (FIC) token as the agent identity. 
   
   In that request, the `client_id` is the agent identity ID, the `scope` is `api://AzureADTokenExchange/.default`, the `grant_type` is `client_credentials`, the `client_assertion_type` is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and the `client_assertion` is the agent identity blueprint token from step 1.
 
1. Use those two tokens to make a token request for a token as the agent user with the scope of the helper application. 
   
   In this request, the `client_id` is the agent identity ID, the `scope` is the concatenation of `api://'`, the SAML helper application's application ID, and `/.default`, the `grant_type` is `user_fic`, the `client_assertion_type` is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, the `client_assertion` is the agent identity blueprint token, the `user_id` is the agent user object ID, and the `user_federated_identity_credential` is the agent identity token.

 
Applications using the Microsoft Entra identity platform can [expose APIs for other client applications to call](../../identity-platform/quickstart-configure-app-expose-web-apis.md#register-the-web-api). The application with the API can expose OAuth scopes for those API calls. The tool's service principal can be consented permission to those scopes, allowing it to call the APIs.
 
For more information on consenting an agent identity or service principal, see [admin consent for application permissions](grant-admin-consent.md#grant-admin-consent-for-application-permissions-using-microsoft-graph-api).
 
## Assigning an agent identity to an application role
 
Once these applications, users, role assignments, and grants are in place in the tenant, then an agent that needs a SAML assertion for authenticating to the enterprise application can:
 
- Get a token as the agent identity blueprint.
- Use that token to make a token request to `https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token` endpoint, and get a federated identity credential (FIC) token as the agent identity. 
   
   In that request, the `client_id` is the agent identity ID, the `scope` is `api://AzureADTokenExchange/.default`, the `grant_type` is `client_credentials`, the `client_assertion_type` is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and the `client_assertion` is the agent identity blueprint token from step 1.
 
- Use those two tokens to make a token request for a token as the agent user with the scope of the helper application. 
   
   In this request, the `client_id` is the agent identity ID, the `scope` is the concatenation of `api://'`, the SAML helper application's application ID, and `/.default`, the `grant_type` is `user_fic`, the `client_assertion_type` is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, the `client_assertion` is the agent identity blueprint token, the `user_id` is the agent user object ID, and the `user_federated_identity_credential` is the agent identity token.
 
- Make the on-behalf-of-call token request to `https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token` to [obtain a SAML token](../../identity-platform/v2-oauth2-on-behalf-of-flow.md#obtain-a-saml-token-by-using-an-obo-request-with-a-shared-secret).

MODIFIED docs/id-governance/entitlement-management-access-package-request-policy.md

Modified by Ortagus Winfrey on Nov 20, 2025 3:30 PM
📖 View on learn.microsoft.com

+4 / -1 lines changed

Commit: new note

Changes:

Before

After

 
## Who can request access
 
1. After choosing who can get access and the scope you are able to specify who can request access to the access package. Here you can grant Self, Admin, or Manager the ability to request access to the access package.
 
    You can always enable it in the future after you have finished creating the access package.
 
    If you selected **None (administrator direct assignments only)** then the who can request access section boxes are not selectable.
 
    ![Access package - Policy- Enable policy setting](./media/entitlement-management-access-package-approval-policy/enable-requests.png)
 
1. Select **Next**.

 
## Who can request access
 
> [!NOTE]
> Previously, a setting called "*Enable new requests and assignments*" controlled self-service access requests. This capability is now more accurately reflected by the "*Self*" option.
 
1. After choosing who can get access and the scope you are able to specify who can request access to the access package. Here you can grant Self, Admin, or Manager the ability to request access to the access package.
 
    You can always enable it in the future after you have finished creating the access package.
 
    If you selected **None (administrator direct assignments only)** then the who can request access section boxes are not selectable.
 
    ![Screenshot of access package policy who can request access.](./media/entitlement-management-access-package-approval-policy/enable-requests.png)
 
1. Select **Next**.

MODIFIED docs/identity/conditional-access/concept-conditional-access-cloud-apps.md

Modified by Diana Richards on Nov 20, 2025 9:04 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: fixing typo

Changes:

Before

After

- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites)
- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context)
- [Custom applications](~/identity-platform/developer-guide-conditional-access-authentication-context.md)
- [Priviledged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context)
 
## Related content
 

- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites)
- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context)
- [Custom applications](~/identity-platform/developer-guide-conditional-access-authentication-context.md)
- [Privileged Identity Management - On activation, require Microsoft Entra Conditional Access authentication context](/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context)
 
## Related content
 

MODIFIED docs/identity/conditional-access/concept-token-protection.md

Modified by John Flores on Nov 20, 2025 8:22 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Apply suggestion from @MicrosoftGuyJFlo

Changes:

Before

After

- Windows Server 2019 or newer that are hybrid Microsoft Entra joined.
 
> [!NOTE]  
> For detailed steps on how to register your device, see [How it works: Device registration – Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/devices/device-registration-how-it-works).
 
### Supported applications

- Windows Server 2019 or newer that are hybrid Microsoft Entra joined.
 
> [!NOTE]  
> For detailed steps on how to register your device, see [Register your personal device on your work or school network](https://support.microsoft.com/account-billing/register-your-personal-device-on-your-work-or-school-network-8803dd61-a613-45e3-ae6c-bd1ab25bf8a8).
 
### Supported applications

MODIFIED docs/identity/devices/assign-local-admin.md

Modified by Ortagus Winfrey on Nov 20, 2025 7:09 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Updates

Changes:

Before

After

- Microsoft Entra groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Microsoft Entra joined devices, you need to add the individual user's SID to the appropriate group.
 
> [!IMPORTANT]
> Windows sign-in with Microsoft Entra ID supports evaluation of up to 20 groups for administrator rights. We recommend having no more than 20 Microsoft Entra groups on each device, or having a user as a member in no more than 20 groups to ensure that administrator rights are correctly assigned. This limitation also applies to nested groups.
 
## Manage regular users

- Microsoft Entra groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Microsoft Entra joined devices, you need to add the individual user's SID to the appropriate group.
 
> [!IMPORTANT]
> Windows sign-in with Microsoft Entra ID supports evaluation of up to 20 groups for administrator rights. We recommend having no more than 20 Microsoft Entra groups on each device, and having a user as a member in no more than 20 groups, to ensure that administrator rights are correctly assigned. This limitation also applies to nested groups.
 
## Manage regular users

MODIFIED docs/id-governance/entitlement-management-access-package-assignments.md

Modified by Jill Grant on Nov 20, 2025 3:50 AM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Update docs/id-governance/entitlement-management-access-package-assignments.md

Changes:

Before

After

 
1. Select **New assignment** to open Add user to access package.
 
    ![Screenshot of adding identities to an access package](./media/entitlement-management-access-package-assignments/assignments-add-user.png)
 
1. In the **Select policy** list, select a policy that the users' future requests and lifecycle will be governed and tracked by. If you want the selected users to have different policy settings, you can select **Create new policy** to add a new policy.

 
1. Select **New assignment** to open Add user to access package.
 
    ![Screenshot of adding identities to an access package.](./media/entitlement-management-access-package-assignments/assignments-add-user.png)
 
1. In the **Select policy** list, select a policy that the users' future requests and lifecycle will be governed and tracked by. If you want the selected users to have different policy settings, you can select **Create new policy** to add a new policy.

MODIFIED docs/workload-id/workload-identity-federation-considerations.md

Modified by Denis Salamanca on Nov 20, 2025 5:11 AM
📖 View on learn.microsoft.com

+0 / -1 lines changed

Commit: Update workload-identity-federation-considerations.md

Changes:

Before

After

Creation of federated identity credentials is currently **not supported** on user-assigned managed identities created in the following regions:
 
- Malaysia South
- New Zealand North
 
Support for creating federated identity credentials on user assigned identities in these regions will be gradually rolled out. 
Resources in this region which need to use federated identity credentials, can do so by leveraging a user assigned managed identity created in a supported region. 

Creation of federated identity credentials is currently **not supported** on user-assigned managed identities created in the following regions:
 
- Malaysia South
 
Support for creating federated identity credentials on user assigned identities in these regions will be gradually rolled out. 
Resources in this region which need to use federated identity credentials, can do so by leveraging a user assigned managed identity created in a supported region.

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files