📋 Microsoft Entra Documentation Changes

Daily summary for changes since December 1st 2025, 7:25 PM PST

Report generated on December 2nd 2025, 7:25 PM PST

📊 Summary

Total commits: 37
New files: 1
Modified files: 15
Deleted files: 0
Contributors: 13

🆕 New Documentation Files

+46 lines added
Commit: Improve known issues doc and add error codes doc

πŸ“ Modified Documentation Files

+52 / -24 lines changed
Commit: Improve known issues doc and add error codes doc
Changes:
Before
After
ms.author: shermanouko
manager: mwongerapk
ms.service: entra-id
ms.topic: reference
ms.date: 11/18/2025
ms.custom: agent-id-ignite
ms.reviewer: dastrock
#customer-intent: As a developer or IT administrator, I want to understand known issues and gaps in the Microsoft Entra Agent ID preview so that I can plan accordingly when deploying AI agents in my organization.
 
### Agent IDs in Graph API relationships
 
Microsoft Graph APIs support various relationships involving agent identities and agent identity blueprints, such as `/ownedObjects`, `/deletedItems`, `/owners`, and more. There's no way to filter these queries to return only Agent IDs. To use the existing APIs documented in Microsoft Graph reference docs and perform client side filtering, use the `odata.type` property to filter results to Agent IDs.
 
## Agent users
 
 
### Clean up agent users
 
When an agent identity blueprint or agent identity is deleted, any agent users created using that blueprint or identity remain in the tenant. They aren't shown as disabled or deleted, though they can't authenticate. Delete any orphaned agent users via Microsoft Entra admin center, Microsoft Graph APIs, or scripting tools.
 
ms.author: shermanouko
manager: mwongerapk
ms.service: entra-id
ms.topic: troubleshooting-known-issue
ms.date: 12/02/2025
ms.custom: agent-id-ignite
ms.reviewer: dastrock
#customer-intent: As a developer or IT administrator, I want to understand known issues and gaps in the Microsoft Entra Agent ID preview so that I can plan accordingly when deploying AI agents in my organization.
 
### Agent IDs in Graph API relationships
 
Microsoft Graph APIs support various relationships involving agent identities and agent identity blueprints, such as `/ownedObjects`, `/deletedItems`, `/owners`, and more. There's no way to filter these queries to return only Agent IDs.
 
**Resolution**: Use the existing APIs documented in Microsoft Graph reference docs and perform client side filtering using the `odata.type` property to filter results to Agent IDs.
 
## Agent users
 
 
### Clean up agent users
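Review bot: the new **Resolution** under `### Agent IDs in Graph API relationships` names the filter property as `odata.type`, but Microsoft Graph returns it as the `@odata.type` annotation; use the exact property name and state the concrete type value(s) a caller should match against, otherwise the client-side filter cannot be written from this page alone. The `### Clean up agent users` section says orphaned agent users are neither disabled nor deleted once their blueprint or identity is removed, so its resolution should also say which attribute ties an agent user back to its blueprint or identity; without that, an admin cannot script the cleanup the section asks for, and the orphans stay as live-looking user objects in the directory.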
 
+32 / -13 lines changed
Commit: Clarify OIDC Discovery endpoint requirements
Changes:
Before
After
 
### Discovery of provider metadata
 
An external identity provider needs to provide an [OIDC Discovery endpoint](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). This endpoint is used to get more configuration data. The *full* URL, including .*well-known*/*oidc-configuration*, must be included in the Discovery URL configured when the EAM is created.
 
The endpoint returns a Provider Metadata [JSON document](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) hosted there. The endpoint must also return the valid content-length header.
 
The following table lists the data that should be present in the metadata of the provider. These values are required for this extensibility scenario. The JSON metadata document may contain more information.
 
For the OIDC document with the values for Provider Metadata, see [Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
 
| Metadata value | Value | Comments |
|-----------------------|--------|----------|
| Issuer | | This URL must match both the host URL used for discovery and the iss claim in the tokens issued by the provider’s service. |
| authorization_endpoint | | The endpoint that Microsoft Entra ID communicates with for authorization. This endpoint must be present as one of the reply URLs for the allowed applications. |
| jwks_uri | | Where Microsoft Entra ID can find the public keys needed to verify the signatures issued by the provider. <br>[!NOTE]<br>The JSON Web Key (JWK) **x5c** parameter must be present to provide X.509 representations of keys provided. |
| scopes_supported | openid | Other values may also be included but aren't required. |
| response_types_supported | id_token | Other values may also be included but aren't required. |
| subject_types_supported | | |
"RS256"
 
### Discovery of provider metadata
 
An external identity provider needs to provide an [OIDC Discovery endpoint](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). This endpoint is used to get more configuration data. The Discovery URL **MUST** use the `https` scheme and **MUST** end with `/.well-known/openid-configuration`. No additional path segments, query strings, or fragments are permitted after this segment. The full Discovery URL must be included in the Discovery URL configured when the EAM is created.
 
The endpoint returns a Provider Metadata [JSON document](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) hosted there. The endpoint must also return the valid content-length header. The metadata document **MUST** comply with [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) (incorporating errata set 2) and include all required OIDC metadata fields.
The following table lists the data that should be present in the metadata of the provider. These values are required for this extensibility scenario. The JSON metadata document may contain more information.
 
For the OIDC document with the values for Provider Metadata, see [Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
 
| Metadata value | Value | Comments |
|-----------------------|--------|----------|
| Issuer | | Must be an HTTPS URL.<br>The issuer value **MUST** match character-for-character between the configured issuer, the issuer value in the discovery document, and the `iss` claim in the tokens issued by the provider’s service.<br>The issuer MAY include a port and/or path segment, but MUST NOT contain query parameters or fragment identifiers. |
 
| authorization_endpoint | | The endpoint that Microsoft Entra ID communicates with for authorization. This endpoint must be present as one of the reply URLs for the allowed applications. |
| jwks_uri | | Where Microsoft Entra ID can find the public keys needed to verify the signatures issued by the provider. The `jwks_uri` **MUST** be an HTTPS endpoint and **MUST NOT** include query parameters or fragment identifiers.<br>[!NOTE]<br>The JSON Web Key (JWK) **x5c** parameter must be present to provide X.509 representations of keys provided. |
| scopes_supported | openid | Other values may also be included but aren't required. |
| response_types_supported | id_token | Other values may also be included but aren't required. |
| subject_types_supported | | |
"RS256"
Modified by omondiatieno on Dec 2, 2025 9:48 AM
+8 / -11 lines changed
Commit: December whatsnew updates
Changes:
Before
After
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 11/17/2025
ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: whats-new
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
---
 
# Microsoft Entra application management: What's new
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## October 2025
 
### Updated articles
 
- [Integrating Microsoft Entra ID with applications getting started guide](plan-an-application-integration.md) - Revised for technical accuracy
 
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 12/02/2025
ms.service: entra-id
ms.subservice: enterprise-apps
ms.topic: whats-new
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
---
 
# What's new in Microsoft Entra application management
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## November 2025
 
### New articles
 
- [Manage assignment of agent identities to an application (Preview)](assign-agent-identities-to-applications.md)
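Review bot: the After replaces the `## October 2025` section with `## November 2025`, but the intro two lines above still promises articles updated in the last three months; confirm that the October entry for `plan-an-application-integration.md` still follows the new November section rather than being removed with this change.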
 
Modified by Mark Wahl on Dec 2, 2025 4:21 PM
+8 / -6 lines changed
Commit: link catalogs
Changes:
Before
After
 
# Catalog Access Reviews (preview)
 
Catalog access reviews in Microsoft Entra ID let organizations review users access to multiple resource types such as groups, applications and custom disconnected resource within a catalog at once. This helps ensure only the right people retain access, while enabling managers and resource owners to review access efficiently through a multi-stage process.
 
## License requirements
 
 
## Add resources to catalog
 
To complete access reviews at the catalog level, you must first add resources to a catalog. Groups and Applications are currently the two resources that can be reviewed by catalog. To add resources to a catalog, you'd do the following steps:
 
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
1. Browse to **Entitlement management** > **Catalogs**.
 
1. On the catalogs screen, select an existing catalog or select **New Catalog** to create a new one.
 
1. On the catalog overview page, select **Resources** > **Add resource**.
 
# Catalog Access Reviews (preview)
 
Catalog access reviews in Microsoft Entra ID Governance enables organizations to simplify how managers can review users access to multiple resource types, such as groups, applications and custom disconnected resource at once. This helps ensure only the right people retain access, while enabling managers and resource owners to review access efficiently through a multi-stage process.
 
## License requirements
 
 
## Add resources to catalog
 
To enable access reviews across multiple resources in a single reviewer experience, you must first add those resources to a catalog. Groups, Applications and custom data provided resources are currently the three resources that can be reviewed by catalog. To add resources to a catalog:
 
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator) or catalog creator, and as the owner or administrator of the resources.
 
1. Browse to **Entitlement management** > **Catalogs**.
 
1. On the catalogs screen, select an existing catalog or select **New Catalog** to create a new one.
 
1. On the catalog overview page, select **Resources** > **Add resources**.
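Review bot: the rewritten opening sentence has a subject-verb mismatch and a missing possessive: `Catalog access reviews ... enables organizations to simplify how managers can review users access ... custom disconnected resource` should read `enable`, `users' access` and `custom disconnected resources`. In step 1, `as at least an Identity Governance Administrator or catalog creator, and as the owner or administrator of the resources` mixes a least-privilege floor with a lower-privileged alternative; say which of the two is the minimum and whether a catalog creator can add resources only to catalogs they created, so readers do not assign Identity Governance Administrator when catalog creator plus resource ownership is enough.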
Modified by Henry Mbugua on Dec 2, 2025 10:52 AM
+6 / -5 lines changed
Commit: Update Microsoft identity platform docs: What's new - November 2025
Changes:
Before
After
 
Welcome to what's new in the Microsoft identity platform documentation. This article lists new articles that were added or had significant updates in the last three months.
 
## October 2025
 
We did not publish any updates this month.
- [Configure a mobile app that calls web APIs](scenario-mobile-app-configuration.md) - The update improved content clarity.
- [Desktop app that calls web APIs: Code configuration](scenario-desktop-app-configuration.md) - The update improved content clarity.
 
## August 2025
 
### Updated articles
 
- [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) - We adjusted Apple SSO, updated the token protection image, and troubleshot secure enclave issues.
 
 
 
 
Welcome to what's new in the Microsoft identity platform documentation. This article lists new articles that were added or had significant updates in the last three months.
 
## November 2025
 
### New articles
 
- [Content Security Policy overview for Microsoft Entra ID](content-security-policy.md)
 
## October 2025
 
We did not publish any updates this month.
- [Configure a mobile app that calls web APIs](scenario-mobile-app-configuration.md) - The update improved content clarity.
- [Desktop app that calls web APIs: Code configuration](scenario-desktop-app-configuration.md) - The update improved content clarity.
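Review bot: the `## October 2025` section still opens with `We did not publish any updates this month.` and then lists two updated articles, which contradicts itself; drop that sentence and give the list a `### Updated articles` heading, matching the `### New articles` heading the new November section uses.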
 
 
 
Modified by shlipsey3 on Dec 2, 2025 8:47 PM
+5 / -5 lines changed
Commit: agent-updates-120225
Changes:
Before
After
 
| Attribute | Description |
|---------------------|------------ |
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization. A unique agent identity is created when the agent is turned on. Learn more about [agent identities]().<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
| Licenses | [Microsoft Entra ID Governance or Microsoft Entra Suite](../id-governance/licensing-fundamentals.md) |
| Permissions | Get details for access reviews<br>Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
 
### Application Lifecycle Management Agent (Preview)
 
Identify, onboard, and monitor applications in your environment with the Application Lifecycle Management Agent. This agent uses application discovery capabilities of Microsoft Entra Internet Access and Microsoft Entra Private Access to find unmanaged applications, recommend onboarding actions, and monitor application security posture over time. This agent is currently being deployed and might not be available in all tenants.
 
| Attribute | Description |
|---------------------|------------ |
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization. A unique agent identity is created when the agent is turned on that provides read-only permissions. Agent authentication will expire according to your policies and need to be renewed. |
| Licenses | [Microsoft Entra ID P2 or Workload Identity Premium P2](/entra/fundamentals/licensing) for **App Risk Remediation** suggestions and/or Microsoft Entra Suite or [Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview) licenses for **Application Discovery & Onboarding** suggestions |
| Permissions | Read access for Global Secure Access network logs.<br>Read access for users, applications, and service principals.<br>Read access for Microsoft Entra recommendations. |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
| Products | [Global Secure Access](../global-secure-access/overview-what-is-global-secure-access.md)<br>[Microsoft Entra recommendations](../identity/monitoring-health/overview-recommendations.md)<br>[Enterprise Applications](/entra/identity/enterprise-apps/)<br>[App Management](/entra/identity/enterprise-apps/) |
| Role requirements | Use any of the following:<br>[Cloud Application Administrator](../identity/role-based-access-control/permissions-reference.md#cloud-application-administrator)<br>[Application Administrator](../identity/role-based-access-control/permissions-reference.md#application-administrator)<br>[Global Secure Access Administrator](../identity/role-based-access-control/permissions-reference.md#global-secure-access-administrator)<br>[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) |
 
| Attribute | Description |
|---------------------|------------ |
| Identity | A unique [agent identity](../agent-id/identity-professional/authorization-agent-id.md) for authorization is created when the agent is turned on.<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
| Licenses | [Microsoft Entra ID Governance or Microsoft Entra Suite](../id-governance/licensing-fundamentals.md) |
| Permissions | Get details for access reviews<br>Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
 
### Application Lifecycle Management Agent (Preview)
 
The App Lifecycle Management Agent (Preview) helps you manage the full lifecycle of apps in Microsoft Entra, from discovery and onboarding to risk remediation and decommissioning. It correlates identity and network signals from Global Secure Access telemetry data to surface unmanaged private apps and Microsoft Entra application data. It provides clear, AI-driven recommendations to reduce app sprawl and enforce governance at scale. This agent is currently being deployed and might not be available in all tenants.
 
| Attribute | Description |
|---------------------|------------ |
| Identity | A unique [agent identity](../agent-id/identity-professional/authorization-agent-id.md) for authorization is created when the agent is turned on.<br><br>The agent uses this identity to scan your tenant with specific **permissions** to review network logs and application data to provide insights and suggestions for application management. The agent identity includes **role-based access** used for any write actions, such as creating and disabling applications, dismissing suggestions, and sending emails or Teams notifications. |
| Licenses | [Microsoft Entra ID P2 or Workload Identity Premium P2](/entra/fundamentals/licensing) for **App Risk Remediation** suggestions and/or Microsoft Entra Suite or [Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview) licenses for **Application Discovery & Onboarding** suggestions |
| Permissions | Read access for Global Secure Access network logs.<br>Read access for users, applications, and service principals.<br>Read access for Microsoft Entra recommendations. |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
| Products | [Global Secure Access](../global-secure-access/overview-what-is-global-secure-access.md)<br>[Microsoft Entra recommendations](../identity/monitoring-health/overview-recommendations.md)<br>[Enterprise Applications](/entra/identity/enterprise-apps/)<br>[App Management](/entra/identity/enterprise-apps/) |
| Role-based access | Set up the agent and manage the agent:<br>[Cloud Application Administrator](../identity/role-based-access-control/permissions-reference.md#cloud-application-administrator)<br>[Application Administrator](../identity/role-based-access-control/permissions-reference.md#application-administrator)<br>[Global Secure Access Administrator](../identity/role-based-access-control/permissions-reference.md#global-secure-access-administrator)<br>[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)<br> View the output suggestions from the agent:<br>[Reports Reader](../identity/role-based-access-control/permissions-reference.md#reports-reader)<br>[Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader)<br>[Globl Reader](../identity/role-based-access-control/permissions-reference.md#global-reader) |
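Review bot: the Application Lifecycle Management Agent's `Identity` row now says the agent identity `includes **role-based access** used for any write actions, such as creating and disabling applications, dismissing suggestions, and sending emails or Teams notifications`, and the Before wording `provides read-only permissions` is gone, yet the `Permissions` row three lines below still lists only read access to network logs, users, applications, service principals and recommendations; list the write permissions the agent identity actually holds (or state explicitly that write actions run under the signed-in operator's role, if that is what `role-based access` means here) so an admin can judge the blast radius before turning the agent on. Also `[Globl Reader]` in the `Role-based access` row should be `Global Reader`.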
+7 / -3 lines changed
Commit: add custom data
Changes:
Before
After
 
## Create a catalog
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
> [!TIP]
> Other least privilege roles that can complete this task include the Catalog creator. Users who were assigned to the User Administrator role will no longer be able to create catalogs or manage access packages in a catalog they don't own. If users in your organization were assigned to the User Administrator role to configure catalogs, access packages, or policies in entitlement management, you should instead assign these users the Identity Governance Administrator role.
1. Browse to **ID Governance** > **Catalogs**.
 
1. Select **New catalog**.
Users see this information in an access package's details.
1. Select **Create** to create the catalog.
 
## Add a custom data provided resource to a catalog
 
With a catalog created, you can add custom data provided resource to it by doing the following steps:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
 
 
 
## Create a catalog
 
If you do not yet have a catalog, then create a new catalog. If you have a catalog already, then continue at the [next section](#add-a-custom-data-provided-resource-to-a-catalog).
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator) or catalog creator.
> [!TIP]
> Users who were assigned to the User Administrator role will no longer be able to create catalogs or manage access packages in a catalog they don't own. If users in your organization were assigned to the User Administrator role to configure catalogs, access packages, or policies in entitlement management, you should instead assign these users the Identity Governance Administrator role.
1. Browse to **ID Governance** > **Catalogs**.
 
1. Select **New catalog**.
Users see this information in an access package's details.
1. Select **Create** to create the catalog.
 
For more information on creating a catalog and adding resources, see [Create and manage a catalog of resources](entitlement-management-catalog-create.md).
 
## Add a custom data provided resource to a catalog
 
With a catalog created, you can add custom data provided resources to it by doing the following steps:
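Review bot: step 1 now reads `as at least an Identity Governance Administrator or catalog creator`, and the TIP that used to explain catalog creator as the lower-privileged alternative has lost that sentence, so the reader no longer learns which role is the minimum; either restore one sentence of the least-privilege guidance in the TIP or rewrite step 1 as `as a catalog creator, or as an Identity Governance Administrator`.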
 
Modified by Lesia Nalepa on Dec 2, 2025 10:26 PM
+5 / -3 lines changed
Commit: Update delegation feature details in My Access documentation
Changes:
Before
After
Approval delegation in My Access allows approvers to assign another individual to respond to access package approval requests on their behalf. This feature helps maintain productivity when approvers are unavailable due to leave, travel, or other commitments.
 
> [!NOTE]
> This feature currently applies only to access package approvals and will be expanded to support access reviews in November 2025.
 
## License requirements
 
 
When an approver sets a delegate, the following happens:
 
- All approvals assigned after the delegation are routed to the delegate.
- The original approver can still respond to approvals during the delegation period.
- Delegations, prior to November 1 2025, are time-bound. After November 1, 2025, they can be time-bound or indefinite.
- Delegates are notified when they're assigned.
- Requestors are notified when their request is approved by a delegate.
- Delegation is always bulk; approvers can't delegate specific types of approvals.
 
- Delegation is limited to one level. If User A delegates to User B, and User B delegates to User C, User C won't receive approvals from User A.
- Delegation isn't restricted. Any user can be selected as a delegate.
- Delegation applies only to approvals assigned after the delegation is configured.
Approval delegation in My Access allows approvers to assign another individual to respond to access package approval requests on their behalf. This feature helps maintain productivity when approvers are unavailable due to leave, travel, or other commitments.
 
> [!NOTE]
> This feature currently applies only to access package approvals and will be expanded to support access reviews.
 
## License requirements
 
 
When an approver sets a delegate, the following happens:
 
- All approvals explicitly assigned to an approver (not through a group) after delegation are routed to the specified delegate.
- The original approver can still respond to approvals during the delegation period.
- Delegations can be time-bound or indefinite.
- Delegates are notified when they're assigned.
- Requestors are notified when their request is approved by a delegate.
- Delegation is always bulk; approvers can't delegate specific types of approvals.
 
- Delegation is limited to one level. If User A delegates to User B, and User B delegates to User C, User C won't receive approvals from User A.
- Delegation isn't restricted. Any user can be selected as a delegate.
- Delegation only applies to approvals explicitly assigned to an approver, not those assigned through a group.
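Review bot: after this change `Delegations can be time-bound or indefinite.` sits next to `Delegation isn't restricted. Any user can be selected as a delegate.`, which together mean an approver can permanently hand approval authority for every access package they approve to any account in the tenant without anyone else approving that choice. The page should say how administrators can list and revoke delegations and whether indefinite is the default when no end date is set, so an organization can compensate for the missing restriction. The new wording `explicitly assigned to an approver (not through a group)` in the first bullet also duplicates the last bullet; keep one of the two.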
Modified by Mark Wahl on Dec 2, 2025 5:41 PM
+6 / -2 lines changed
Commit: add new step of template selection
Changes:
Before
After
- To review access package assignments, see [configure an access review in entitlement management](entitlement-management-access-reviews-create.md).
- To review Azure resource or Microsoft Entra roles, see [Create an access review of Azure resource and Microsoft Entra roles in Privileged Identity Management](privileged-identity-management/pim-create-roles-and-resource-roles-review.md).
- For reviews of PIM for Groups, see [create an access review of PIM for Groups](create-access-review-pim-for-groups.md).
 
 
 
> [!NOTE]
> In a group review, nested groups are automatically flattened, so users from nested groups appear as individual users. If a user is flagged for removal due to their membership in a nested group, they won't be automatically removed from the nested group, but only from direct group membership.
 
## Create a single-stage access review
 
### Scope
 
 
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
 
4. In the **Select what to review** box, select which resource you want to review.
 
![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
> - If you set **Select reviewers** to **Users review their own access** or **Managers of users**, B2B direct connect users and Teams won't be able to review their own access in your tenant. The owner of the Team under review gets an email that asks the owner to review the B2B direct connect user and Teams.
- To review access package assignments, see [configure an access review in entitlement management](entitlement-management-access-reviews-create.md).
- To review Azure resource or Microsoft Entra roles, see [Create an access review of Azure resource and Microsoft Entra roles in Privileged Identity Management](privileged-identity-management/pim-create-roles-and-resource-roles-review.md).
- For reviews of PIM for Groups, see [create an access review of PIM for Groups](create-access-review-pim-for-groups.md).
- For reviews across multiple groups, applications and custom data providers, see [catalog access reviews (preview)](catalog-access-reviews.md).
 
 
 
> [!NOTE]
> In a group review, nested groups are automatically flattened, so users from nested groups appear as individual users. If a user is flagged for removal due to their membership in a nested group, they won't be automatically removed from the nested group, but only from direct group membership.
 
## Create a single-stage access review for individual groups and applications
 
### Scope
 
 
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
 
1. On the Access reviews template screen, select **Review access to a resource type**.
:::image type="content" source="media/catalog-access-reviews/access-review-templates.png" alt-text="Screenshot of the access review templates page.":::
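Review bot: the new step `1. On the Access reviews template screen, select **Review access to a resource type**.` is inserted with an auto-numbered `1.`, while the existing step below it is hard-numbered `4. In the **Select what to review** box`; mixing `1.` with explicit numbers renders out of sequence, so either renumber the following steps or switch the whole list to `1.`. The new screenshot also uses `media/catalog-access-reviews/` while the other images in this procedure live under `./media/create-access-review/`; keep the image with the article it belongs to or note the shared asset.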
 
Modified by Ortagus Winfrey on Dec 2, 2025 2:32 PM
+8 / -0 lines changed
Commit: Provisioning agent history Update
Changes:
Before
After
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/cloudsyncrss` into your ![RSS feed reader icon](media/cloud-sync-version-history/feed-icon-16-x-16.png) feed reader.
 
 
## 1.1.2102.0
 
Sept 22, 2025: released for download only
 
 
 
 
 
 
 
 
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/cloudsyncrss` into your ![RSS feed reader icon](media/cloud-sync-version-history/feed-icon-16-x-16.png) feed reader.
 
 
## 1.1.2106.0
 
December 1, 2025: released for download only
 
### Fixed Issues
 
Fixed an issue with OnPremises Self-Service Password Reset integration using provisioning agent in AzureUSGovernment cloud.
 
## 1.1.2102.0
 
Sept 22, 2025: released for download only
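Review bot: the only fixed issue under 1.1.2106.0, `Fixed an issue with OnPremises Self-Service Password Reset integration using provisioning agent in AzureUSGovernment cloud`, does not say what failed (whether password writeback was rejected or silently not applied) or which earlier agent versions are affected, so admins running 1.1.2102.0 in Azure US Government cannot tell whether they must upgrade; because the build is `released for download only` and will not auto-upgrade, that statement matters. Write `on-premises` and `Azure US Government` rather than `OnPremises` and `AzureUSGovernment`.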
+5 / -3 lines changed
Commit: link catalogs
Changes:
Before
After
---
# Create and manage a catalog of resources in entitlement management
 
This article shows you how to create and manage a catalog of resources and access packages in entitlement management.
 
## Create a catalog
 
 
## Add resources to a catalog
 
To include resources in an access package, the resources must exist in a catalog. The types of resources you can add to a catalog are groups, applications, and SharePoint Online sites.
 
* Groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups.
 
* Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give a user access to an application that uses AD security group memberships, create a new security group in Microsoft Entra ID, configure [group writeback to AD](../identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), and [enable that group to be written to AD](entitlement-management-group-writeback.md), so that the cloud-created group can be used by an AD-based application.
 
* Groups that originate in Exchange Online as Distribution groups can't be modified in Microsoft Entra ID either, so they can't be added to catalogs.
 
> [!NOTE]
> Search SharePoint Site by site name or an exact URL as the search box is case sensitive.
---
# Create and manage a catalog of resources in entitlement management
 
This article shows you how to create and manage a catalog of resources and access packages in entitlement management. Catalogs are also used in [access reviews (preview)](catalog-access-reviews.md).
 
## Create a catalog
 
 
## Add resources to a catalog
 
To include resources in an access package, the resources must exist in a catalog. The types of resources you can add to a catalog include groups, applications, and SharePoint Online sites.
 
* Groups can be cloud-created Microsoft 365 Groups or cloud-created Microsoft Entra security groups.
 
* Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Microsoft Entra ID. To give a user access to an application that uses AD security group memberships, you can either change the source of authority of an existing group configure it for group writeback, or create a new security group in Microsoft Entra ID, configure [group writeback to AD](../identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), and [enable that group to be written to AD](entitlement-management-group-writeback.md), so that the cloud-created group can be used by an AD-based application.
 
* Groups that originate in Exchange Online as Distribution groups can't be modified in Microsoft Entra ID either, so they can't be added to catalogs.
 
> [!NOTE]
> Search SharePoint Site by site name or an exact URL as the search box is case sensitive.
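Review bot: the added clause in the "Groups that originate in an on-premises Active Directory" bullet is missing a conjunction ("change the source of authority of an existing group configure it for group writeback"); suggest "change the source of authority of an existing group and configure it for group writeback, or create a new security group ...". The source-of-authority option is also the only one of the two alternatives without a link, while the writeback steps are linked; if a how-to for changing source of authority exists, link it the same way.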
Modified by Sherman Ouko on Dec 2, 2025 2:55 PM

+3 / -3 lines changed
Commit: Improve know issues doc and add error codes doc
Changes:
Before
After
 
# Microsoft agent identity platform error codes
 
This article provides a comprehensive reference for error codes you may encounter when working with the Microsoft agent identity platform.
 
## Handling error codes in your application
 
| `AgentBlueprintPrincipal_AgentIdentity_IncompatibleProperty` | A property specified in the request is incompatible with agent identity and can't be set. |
| `AgentBlueprintPrincipal_IncompatibleProperty` | A property specified in the request is incompatible with agent identity blueprint principals and can't be set. |
| `AgentBlueprintPrincipal_requireAgentBlueprint` | Agent identity blueprint principals can only be created for Agent Blueprints. |
| `AgentBlueprint_LimitExceeded` | You've reached the maximum number of agent identity blueprints allowed (including active and soft-deleted items). To create more, you must permanently delete unneeded blueprints. |
| `AgentIdentity_LimitExceeded` | You've reached the maximum number of agent identities allowed (including active and soft-deleted entries). To add more, you must permanently delete unneeded agent identities. |
| `AgentIdentity_AgentBlueprintPrincipalDoesNotExist` | The required agent identity blueprint principal doesn't exist for the specified agent identity blueprint ID. |
| `AgentIdentity_InompatibleParentType` | The specified Application (AppId) isn't an Agent Blueprint. The *AgentIdentityBlueprintId* must be set to the *AppId* of a valid agent identity blueprint. |
| `Error_AgentIdentitiesCreatingAgentIdentitiesNotAllowed` | Agent identities can't create other agent identities. To create an agent identity, use the associated agent identity blueprint principal or nonagent blueprint service principal with the required permissions. |
 
# Microsoft agent identity platform error codes
 
This article provides a comprehensive reference for error codes you might encounter when working with the Microsoft agent identity platform.
 
## Handling error codes in your application
 
| `AgentBlueprintPrincipal_AgentIdentity_IncompatibleProperty` | A property specified in the request is incompatible with agent identity and can't be set. |
| `AgentBlueprintPrincipal_IncompatibleProperty` | A property specified in the request is incompatible with agent identity blueprint principals and can't be set. |
| `AgentBlueprintPrincipal_requireAgentBlueprint` | Agent identity blueprint principals can only be created for Agent Blueprints. |
| `AgentBlueprint_LimitExceeded` | You've reached the maximum number of agent identity blueprints allowed including active and soft-deleted items. To create more, you must permanently delete unneeded blueprints. |
| `AgentIdentity_LimitExceeded` | You've reached the maximum number of agent identities allowed including active and soft-deleted entries. To add more, you must permanently delete unneeded agent identities. |
| `AgentIdentity_AgentBlueprintPrincipalDoesNotExist` | The required agent identity blueprint principal doesn't exist for the specified agent identity blueprint ID. |
| `AgentIdentity_InompatibleParentType` | The specified Application (AppId) isn't an Agent Blueprint. The *AgentIdentityBlueprintId* must be set to the *AppId* of a valid agent identity blueprint. |
| `Error_AgentIdentitiesCreatingAgentIdentitiesNotAllowed` | Agent identities can't create other agent identities. To create an agent identity, use the associated agent identity blueprint principal or nonagent blueprint service principal with the required permissions. |
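Review bot: the wording pass ("may" to "might", parentheses dropped) leaves the `AgentIdentity_InompatibleParentType` row spelled without the "c"; if that is the literal string the service returns, keep it unchanged (client code matches on it) and consider stating that the spelling is intentional, otherwise correct it to `AgentIdentity_IncompatibleParentType` in this same commit rather than a later one. The rows visible in this region also have no header or separator line above them; confirm the table header exists higher in the file.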
Modified by Mark Wahl on Dec 2, 2025 4:21 PM
+3 / -1 lines changed
Commit: link catalogs
Changes:
Before
After
| Microsoft Entra role | Specified reviewers</br>Self-review | [PIM](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra admin center |
| Azure resource role | Specified reviewers</br>Self-review | [PIM](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra admin center |
| Access package assignments | Specified reviewers</br>Group members</br>Self-review | entitlement management | Access panel |
 
## License requirements
 
[!INCLUDE [active-directory-p2-governance-license.md](../includes/entra-p2-governance-license.md)]
 
>[!NOTE]
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
 
## Access Review Agent (Preview)
 
- [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)
- [Create an access review of groups or applications](create-access-review.md)
- [Create an access review of users in a Microsoft Entra administrative role](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)
- [Review access to groups or applications](perform-access-review.md)
- [Complete an access review of groups or applications](complete-access-review.md)
 
 
| Microsoft Entra role | Specified reviewers</br>Self-review | [PIM](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra admin center |
| Azure resource role | Specified reviewers</br>Self-review | [PIM](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra admin center |
| Access package assignments | Specified reviewers</br>Group members</br>Self-review | entitlement management | Access panel |
| Access rights from custom data resources (preview) | Managers | access reviews | Access panel |
 
## License requirements
 
[!INCLUDE [active-directory-p2-governance-license.md](../includes/entra-p2-governance-license.md)]
 
>[!NOTE]
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations, or an [access review of multiple resources together (preview)](catalog-access-reviews.md), requires a Microsoft Entra ID Governance license.
 
## Access Review Agent (Preview)
 
- [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)
- [Create an access review of groups or applications](create-access-review.md)
- [Create an access review of users in a Microsoft Entra administrative role](../id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)
- [Create an access review to multiple resources in a catalog (preview)](catalog-access-reviews.md)
- [Review access to groups or applications](perform-access-review.md)
- [Complete an access review of groups or applications](complete-access-review.md)
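Review bot: the new list item reads "Create an access review to multiple resources in a catalog (preview)", while its neighbours use "of" ("Create an access review of groups or applications"); "of multiple resources" fits the pattern. The item also lands under the "## Access Review Agent (Preview)" heading together with the existing create/perform/complete links, so check that these links belong to that section rather than to a next-steps list. In the license note, the inserted clause makes the sentence hard to parse ("Creating a review on inactive users and with ... recommendations, or an ... (preview), requires"); suggest splitting it: "A Microsoft Entra ID Governance license is required to create a review of inactive users, a review with user-to-group affiliation recommendations, or an access review of multiple resources together (preview)."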
+3 / -0 lines changed
Commit: add new step of template selection
Changes:
Before
After
 
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
 
1. In the **Select what to review** box, select **Teams + Groups**.
 
![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
 
 
 
 
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
 
1. On the Access reviews template screen, select **Review access to a resource type**.
:::image type="content" source="media/catalog-access-reviews/access-review-templates.png" alt-text="Screenshot of the access review templates page.":::
 
1. In the **Select what to review** box, select **Teams + Groups**.
 
![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
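Review bot: the new step's image line (`:::image type="content" ...`) sits directly under the list item with no blank line or indentation, while the adjacent screenshots use the `![...]()` form separated from their steps by blank lines; for consistent rendering, add a blank line after the step and indent the image under the list item, or use the same `![...]()` form as the surrounding steps. The image path is also `media/catalog-access-reviews/...` while this article's other images live under `./media/create-access-review/`; confirm the cross-article path is intended rather than a copy from the catalog article.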
+1 / -1 lines changed
Commit: add link to create-access-review
Changes:
Before
After
 
1. Select a group in Microsoft Entra ID that has one or more members. Or select an application connected to Microsoft Entra ID that has one or more users assigned to it.
 
2. Decide whether to have each user review their own access or to have one or more users review everyone's access.
 
3. As at least a User Administrator, or (Preview) an owner of a Microsoft 365 group or Microsoft Entra security group to be reviewed, go to the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/).
 
 
1. Select a group in Microsoft Entra ID that has one or more members. Or select an application connected to Microsoft Entra ID that has one or more users assigned to it.
 
2. Decide whether to have each user review their own access or to have one or more users review everyone's access in that group or application.
 
3. As at least a User Administrator, or (Preview) an owner of a Microsoft 365 group or Microsoft Entra security group to be reviewed, go to the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/).