📋 Microsoft Entra Documentation Changes

Daily summary for changes since January 20th 2026, 7:53 PM PST

Report generated on January 21st 2026, 7:53 PM PST

📊 Summary

Total Commits: 13
New Files: 0
Modified Files: 4
Deleted Files: 0
Contributors: 9

📝 Modified Documentation Files

Modified by Ortagus Winfrey on Jan 21, 2026 7:25 PM
+7 / -3 lines changed
Commit: Updates
Changes:
Before
After
 
 
 
Adding a work or school account to macOS is a straightforward process that enhances your access to organizational resources and services. This article provides an overview and answers to some frequently asked questions (FAQ) about adding a work or school account to your macOS device using applications such as Microsoft Outlook or Microsoft Edge.
 
## Overview
 
 
 
 
## Frequently Asked Questions - FAQS
 
### What is the Microsoft Entra account registration page?
 
 
All Microsoft Entra customers are prompted to sign in using Web Account Manager if the app and operating system support it.
 
Learn more about [device management with Microsoft Intune](/intune/intune-service/fundamentals/what-is-device-management).
 
 
 
 
 
Adding a work or school account to macOS is a straightforward process that enhances your access to organizational resources and services. This article provides an overview and answers to some Frequently Asked Questions (FAQs) about adding a work or school account to your macOS device using applications such as Microsoft Outlook or Microsoft Edge.
 
## Overview
 
 
 
 
## Frequently Asked Questions
 
### What is the Microsoft Entra account registration page?
 
 
All Microsoft Entra customers are prompted to sign in using Web Account Manager if the app and operating system support it.
 
Learn more about [device management with Microsoft Intune](/intune/intune-service/fundamentals/what-is-device-management).
 
## See also
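
Review bot: in the rewritten intro sentence, "Frequently Asked Questions (FAQs)" is now title case in the middle of a sentence; sentence case, "frequently asked questions (FAQs)", reads correctly there, and the title-case form belongs only in the H2, which this change already cleans up. The new "## See also" heading is the last visible line of the hunk, so check that it is followed by at least one link rather than left as an empty section.
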
+5 / -2 lines changed
Commit: Domain Controllers UPN rule update
Changes:
Before
After
ms.author: kenwith
manager: dougeby
ms.topic: how-to
ms.date: 01/07/2025
ms.service: global-secure-access
ms.subservice: entra-private-access
ms.reviewer: shkhalid
 
- Client IP address
- IP address ranges
- On-premises User Principal Name (UPN) such as `username@domain`. UPN is supported with Private Access Sensor version 2.1.31 or higher and is case insensitive. Username, which is the first part of the UPN, is supported with the earlier sensor versions and can be added in the `localpolicy`file only. We highly recommend using the UPNs instead of usernames. UPNs for on-premises users that are synced to Entra can be added from Microsoft Entra Admin Center. UPNs for on-premises users that aren't synced can only be added to the `localpolicy` file.
 
You can configure multiple IP addresses, multiple IP ranges, or both for a single SPN. Similarly, you can exclude multiple usernames for an SPN.
 
 
 
 
ms.author: kenwith
manager: dougeby
ms.topic: how-to
ms.date: 01/21/2026
ms.service: global-secure-access
ms.subservice: entra-private-access
ms.reviewer: shkhalid
 
- Client IP address
- IP address ranges
- On-premises User Principal Name (UPN) such as `username@domain`. UPN is supported with Private Access Sensor version 2.1.31 or higher and is case insensitive. Username, which is the first part of the UPN, is supported with the earlier sensor versions and can be added in the `localpolicy`file only. We highly recommend using the UPNs instead of usernames. UPNs for on-premises users can be added from Microsoft Entra admin center. These can be UPNs for on-premises users that are synced to Entra or local to Active Directory and not synced to Entra.
 
> [!NOTE]
> UPNs for on-premises users that aren't synced can only be added to the `localpolicy` file in Private Access Sensor versions earlier than 2.2.0.
 
You can configure multiple IP addresses, multiple IP ranges, or both for a single SPN. Similarly, you can exclude multiple usernames for an SPN.
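
Review bot: the rewritten UPN bullet says UPNs for unsynced on-premises users can be added from the admin center, but the sensor version that allows this (2.2.0) appears only by implication in the new note about earlier versions; state the minimum version in the bullet itself, next to the existing "2.1.31 or higher" statement, so an admin on an older sensor does not assume an exclusion entered in the admin center is being applied. The bullet also still has "`localpolicy`file" without a space and uses bare "Entra" where the same line says "Microsoft Entra", and the closing paragraph still speaks of excluding "usernames" although the bullet recommends UPNs.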
 
+3 / -2 lines changed
Commit: Update troubleshooting guide for Microsoft Entra Connect
Changes:
Before
After
The same issue occurs when a server with Microsoft Entra Connect installed is cloned into another production server, which isn't a supported method of deploying this product as these servers with share the same machine identifier. In short, the server's identity conflicts because they get tied to one app registration. The Microsoft Entra Connect wizard by default uses unique accounts per server because it uses the server's name to identify the application registration instead of the Microsoft Entra connector's service account, which avoids this issue.
 
> [!NOTE]
> To prevent this issue, ensure that each Microsoft Entra Connect instance uses a unique connector account. If you have multiple sync servers (for example, in staging mode) using the same Microsoft Entra (Azure AD) Connector account, run the application-based authentication configuration on each server separately via the wizard, so that each one gets its own application registration.
 
> [!WARNING]
> Don't use a **Global Administrator** account as the Microsoft Entra (Azure AD) Connector account. The Microsoft Entra service account that is configured by default has more restricted permissions for what's needed during synchronization whereas an administrator account has unlimited privileges in the cloud. If an on-premises Microsoft Entra Connect server configured with a Global Administrator account gets compromised, it puts your entire Microsoft Entra tenant at risk.
 
### Resolution
 
Give each Microsoft Entra Connect server its own application identity. To do this, you need to reconfigure each server separately: revert each server to legacy auth and then run the ABA configuration for each so that it creates its own app registration. Let's say in this scenario you have two servers configured with ABA with ServerA running correctly and Server B in a broken state. Perform the following steps on both servers (one at a time).
 
1. **On ServerA, temporarily pause the sync scheduler**: Open PowerShell as an administrator on the Microsoft Entra Connect server and run:
 
 
The same issue occurs when a server with Microsoft Entra Connect installed is cloned into another production server, which isn't a supported method of deploying this product as these servers with share the same machine identifier. In short, the server's identity conflicts because they get tied to one app registration. The Microsoft Entra Connect wizard by default uses unique accounts per server because it uses the server's name to identify the application registration instead of the Microsoft Entra connector's service account, which avoids this issue.
 
> [!NOTE]
> To prevent this issue, ensure that each Microsoft Entra Connect instance uses a unique connector account and a unique machine identifier. If you have multiple sync servers (for example, in staging mode) using the same Microsoft Entra (Azure AD) Connector account, follow the documented resolution steps on each server so that each instance gets its own application registration.
 
> [!WARNING]
> Don't use a **Global Administrator** account as the Microsoft Entra (Azure AD) Connector account. The Microsoft Entra service account that is configured by default has more restricted permissions for what's needed during synchronization whereas an administrator account has unlimited privileges in the cloud. If an on-premises Microsoft Entra Connect server configured with a Global Administrator account gets compromised, it puts your entire Microsoft Entra tenant at risk.
 
### Resolution
 
Give each Microsoft Entra Connect server its own application identity. To do this, you must reconfigure each server separately by reverting it to legacy authentication and then running the ABA configuration so that each server creates its own app registration.
In this scenario, there are two servers configured with ABA: ServerA is running correctly, and ServerB is in a broken state. Perform the following steps on each server, starting with the working server and then moving to the server in the broken state.
 
1. **On ServerA, temporarily pause the sync scheduler**: Open PowerShell as an administrator on the Microsoft Entra Connect server and run:
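
Review bot: the updated note now requires a unique machine identifier as well as a unique connector account, but the Resolution text visible here only covers reverting to legacy authentication and rerunning the ABA configuration to get a separate app registration; say what an admin with a cloned server should do about the shared machine identifier, or state that the clone must be redeployed, since the first paragraph calls cloning unsupported. The unchanged first paragraph still reads "these servers with share the same machine identifier" ("will share"), and "ABA" is not expanded anywhere in the visible lines.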
 
Modified by Janice Ricketts on Jan 21, 2026 6:19 PM
+1 / -1 lines changed
Commit: Fix formatting of link in deployment guide
Changes:
Before
After
- [Microsoft Global Secure Access deployment guide for Microsoft Traffic](gsa-deployment-guide-microsoft-traffic.md)
- [Simulate remote network connectivity using Azure Virtual Network Gateway - Global Secure Access](../global-secure-access/how-to-simulate-remote-network.md)
- [Simulate remote network connectivity using Azure vWAN - Global Secure Access](../global-secure-access/how-to-create-remote-network-vwan.md)
- [Introduction to Global Secure Access Proof of Concept Guidance](gsa-poc-guidance-intro.md)](gsa-poc-guidance-intro.md)
- [Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Private Access](gsa-poc-private-access.md)
- [Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Internet Access](gsa-poc-internet-access.md)
- [Microsoft Global Secure Access deployment guide for Microsoft Traffic](gsa-deployment-guide-microsoft-traffic.md)
- [Simulate remote network connectivity using Azure Virtual Network Gateway - Global Secure Access](../global-secure-access/how-to-simulate-remote-network.md)
- [Simulate remote network connectivity using Azure vWAN - Global Secure Access](../global-secure-access/how-to-create-remote-network-vwan.md)
- [Introduction to Global Secure Access Proof of Concept Guidance](gsa-poc-guidance-intro.md)
- [Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Private Access](gsa-poc-private-access.md)
- [Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Internet Access](gsa-poc-internet-access.md)