📋 Microsoft Entra Documentation Changes

Daily summary for changes since January 21st 2026, 7:48 PM PST

Report generated on January 22nd 2026, 7:48 PM PST

📊 Summary

- Total Commits: 19
- New Files: 0
- Modified Files: 41
- Deleted Files: 3
- Contributors: 11

📝 Modified Documentation Files

Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Cross-tenant access overview](../../external-id/cross-tenant-access-overview.md)
- [Configure cross-tenant access settings](../../external-id/cross-tenant-access-settings-b2b-collaboration.yml#configure-default-settings)
- [Modify outbound access settings](../../external-id/cross-tenant-access-settings-b2b-collaboration.yml)
 
**Remediation action**
 
- [Cross-tenant access overview](/entra/external-id/cross-tenant-access-overview)
- [Configure cross-tenant access settings](/entra/external-id/cross-tenant-access-settings-b2b-collaboration#configure-default-settings)
- [Modify outbound access settings](/entra/external-id/cross-tenant-access-settings-b2b-collaboration)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
**Remediation action**
 
- [Deploy authentication method registration campaigns to encourage stronger methods](/graph/api/authenticationmethodspolicy-update?view=graph-rest-beta&preserve-view=true)
- [Disable authentication methods](../../identity/authentication/concept-authentication-methods-manage.md)
- [Disable phone-based methods in legacy MFA settings](../../identity/authentication/howto-mfa-mfasettings.md)
- [Deploy Conditional Access policies using authentication strength](../../identity/authentication/concept-authentication-strength-how-it-works.md)
**Remediation action**
 
- [Deploy authentication method registration campaigns to encourage stronger methods](/graph/api/authenticationmethodspolicy-update?view=graph-rest-beta&preserve-view=true)
- [Disable authentication methods](/entra/identity/authentication/concept-authentication-methods-manage)
- [Disable phone-based methods in legacy MFA settings](/entra/identity/authentication/howto-mfa-mfasettings)
- [Deploy Conditional Access policies using authentication strength](/entra/identity/authentication/concept-authentication-strength-how-it-works)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Deploy a Conditional Access policy for security info registration](../../identity/conditional-access/policy-all-users-security-info-registration.md)
- [Configure known network locations](../../identity/conditional-access/concept-assignment-network.md)
- [Enable combined security info registration](../../identity/authentication/howto-registration-mfa-sspr-combined.md)
 
**Remediation action**
 
- [Deploy a Conditional Access policy for security info registration](/entra/identity/conditional-access/policy-all-users-security-info-registration)
- [Configure known network locations](/entra/identity/conditional-access/concept-assignment-network)
- [Enable combined security info registration](/entra/identity/authentication/howto-registration-mfa-sspr-combined)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
If administrators assign privileged roles to workload identities, such as service principals or managed identities, the tenant can be exposed to significant risk if those identities are compromised. Threat actors who gain access to a privileged workload identity can perform reconnaissance to enumerate resources, escalate privileges, and manipulate or exfiltrate sensitive data. The attack chain typically begins with credential theft or abuse of a vulnerable application. Next step is privilege escalation through the assigned role, lateral movement across cloud resources, and finally persistence via other role assignments or credential updates. Workload identities are often used in automation and might not be monitored as closely as user accounts. Compromise can then go undetected, allowing threat actors to maintain access and control over critical resources. Workload identities aren't subject to user-centric protections like MFA, making least-privilege assignment and regular review essential.
 
**Remediation action**
- [Review and remove privileged roles assignments](../../id-governance/privileged-identity-management/pim-resource-roles-assign-roles.md#update-or-remove-an-existing-role-assignment).
- [Follow the best practices for workload identities](../../workload-id/workload-identities-overview.md#key-scenarios).
- [Learn about privileged roles and permissions in Microsoft Entra ID](../../identity/role-based-access-control/privileged-roles-permissions.md)
If administrators assign privileged roles to workload identities, such as service principals or managed identities, the tenant can be exposed to significant risk if those identities are compromised. Threat actors who gain access to a privileged workload identity can perform reconnaissance to enumerate resources, escalate privileges, and manipulate or exfiltrate sensitive data. The attack chain typically begins with credential theft or abuse of a vulnerable application. Next step is privilege escalation through the assigned role, lateral movement across cloud resources, and finally persistence via other role assignments or credential updates. Workload identities are often used in automation and might not be monitored as closely as user accounts. Compromise can then go undetected, allowing threat actors to maintain access and control over critical resources. Workload identities aren't subject to user-centric protections like MFA, making least-privilege assignment and regular review essential.
 
**Remediation action**
- [Review and remove privileged roles assignments](/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles#update-or-remove-an-existing-role-assignment).
- [Follow the best practices for workload identities](/entra/workload-id/workload-identities-overview#key-scenarios).
- [Learn about privileged roles and permissions in Microsoft Entra ID](/entra/identity/role-based-access-control/privileged-roles-permissions)
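Review bot: the remediation list ends inconsistently after the relink, since the first two bullets carry a trailing period and the third (`[Learn about privileged roles and permissions in Microsoft Entra ID](...)`) does not; pick one style for all three. While these lines are being touched, "privileged roles assignments" in the first bullet reads better as "privileged role assignments", and "Next step is privilege escalation" in the paragraph above needs a leading "The".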
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
While an application with open assignment but proper provisioning scoping (such as department-based filters or group membership requirements) maintains security controls through the provisioning layer, applications lacking both controls create unrestricted access pathways that threat actors can exploit. When applications provision accounts for all users without assignment restrictions, threat actors can abuse compromised accounts to conduct reconnaissance activities, enumerate sensitive data across multiple systems, or use the applications as staging points for further attacks against connected resources. This unrestricted access model is dangerous for applications that have elevated permissions or are connected to critical business systems. Threat actors can use any compromised user account to access sensitive information, modify data, or perform unauthorized actions that the application's permissions allow. The absence of both assignment controls and provisioning scoping also prevents organizations from implementing proper access governance. Without proper governance, it's difficult to track who has access to which applications, when access was granted, and whether access should be revoked based on role changes or employment status. Furthermore, applications with broad provisioning scopes can create cascading security risks where a single compromised account provides access to an entire ecosystem of connected applications and services.
 
**Remediation action**
- Evaluate business requirements to determine appropriate access control method. [Restrict a Microsoft Entra app to a set of users](../../identity-platform/howto-restrict-your-app-to-a-set-of-users.md).
- Configure enterprise applications to require assignment for sensitive applications. [Learn about the "Assignment required" enterprise application property](../../identity/enterprise-apps/application-properties.md#assignment-required).
- Implement scoped provisioning based on groups, departments, or attributes. [Create scoping filters](../../identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md#create-scoping-filters).
While an application with open assignment but proper provisioning scoping (such as department-based filters or group membership requirements) maintains security controls through the provisioning layer, applications lacking both controls create unrestricted access pathways that threat actors can exploit. When applications provision accounts for all users without assignment restrictions, threat actors can abuse compromised accounts to conduct reconnaissance activities, enumerate sensitive data across multiple systems, or use the applications as staging points for further attacks against connected resources. This unrestricted access model is dangerous for applications that have elevated permissions or are connected to critical business systems. Threat actors can use any compromised user account to access sensitive information, modify data, or perform unauthorized actions that the application's permissions allow. The absence of both assignment controls and provisioning scoping also prevents organizations from implementing proper access governance. Without proper governance, it's difficult to track who has access to which applications, when access was granted, and whether access should be revoked based on role changes or employment status. Furthermore, applications with broad provisioning scopes can create cascading security risks where a single compromised account provides access to an entire ecosystem of connected applications and services.
 
**Remediation action**
- Evaluate business requirements to determine appropriate access control method. [Restrict a Microsoft Entra app to a set of users](/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users).
- Configure enterprise applications to require assignment for sensitive applications. [Learn about the "Assignment required" enterprise application property](/entra/identity/enterprise-apps/application-properties#assignment-required).
- Implement scoped provisioning based on groups, departments, or attributes. [Create scoping filters](/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts#create-scoping-filters).
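Review bot: the first bullet, "Evaluate business requirements to determine appropriate access control method", is missing an article ("the appropriate access control method"); since the hunk already rewrites that line for the link fix, it is worth correcting in the same commit.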
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Configure Conditional Access for workload identities](../../identity/conditional-access/workload-identity.md)
- [Create named locations](../../identity/conditional-access/concept-assignment-network.md)
- [Follow best practices for securing workload identities](../../workload-id/workload-identities-overview.md)
 
**Remediation action**
 
- [Configure Conditional Access for workload identities](/entra/identity/conditional-access/workload-identity)
- [Create named locations](/entra/identity/conditional-access/concept-assignment-network)
- [Follow best practices for securing workload identities](/entra/workload-id/workload-identities-overview)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Review how Seamless SSO works](../../identity/hybrid/connect/how-to-connect-sso-how-it-works.md)
- [Disable Seamless SSO](../../identity/hybrid/connect/how-to-connect-sso-faq.yml#how-can-i-disable-seamless-sso-)
- [Clean up stale devices in Microsoft Entra ID](../../identity/devices/manage-stale-devices.md)
 
**Remediation action**
 
- [Review how Seamless SSO works](/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works)
- [Disable Seamless SSO](/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-disable-seamless-sso-)
- [Clean up stale devices in Microsoft Entra ID](/entra/identity/devices/manage-stale-devices)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Configure role settings to require approval for Global Administrator activation](../../id-governance/privileged-identity-management/pim-how-to-change-default-settings.md)
- [Set up approval workflow for privileged roles](../../id-governance/privileged-identity-management/pim-approval-workflow.md)
 
**Remediation action**
 
- [Configure role settings to require approval for Global Administrator activation](/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings)
- [Set up approval workflow for privileged roles](/entra/id-governance/privileged-identity-management/pim-approval-workflow)
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
 
**Remediation action**
 
- [Learn about Conditional Access adaptive session lifetime policies](../../identity/conditional-access/concept-session-lifetime.md)
- [Configure sign-in frequency for privileged users with Conditional Access policies ](../../identity/conditional-access/howto-conditional-access-session-lifetime.md)
 
**Remediation action**
 
- [Learn about Conditional Access adaptive session lifetime policies](/entra/identity/conditional-access/concept-session-lifetime)
- [Configure sign-in frequency for privileged users with Conditional Access policies ](/entra/identity/conditional-access/howto-conditional-access-session-lifetime)
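Review bot: the second link text keeps a trailing space before the closing bracket ("...with Conditional Access policies ]") in both the before and after versions; trim it while relinking so the rendered link text does not end in a space.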
+3 / -1 lines changed
Commit: Address feedback from pub team reviewers
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/20/2026
ms.custom: include file
---
 
 
 
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/22/2026
ms.custom: include file
author: FaithOmbongi
ms.author: ombongifaith
---
 
 
+3 / -1 lines changed
Commit: Address feedback from pub team reviewers
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/20/2026
ms.custom: include file
---
 
 
 
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/22/2026
ms.custom: include file
author: FaithOmbongi
ms.author: ombongifaith
---
 
 
+3 / -1 lines changed
Commit: Address feedback from pub team reviewers
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/20/2026
ms.custom: include file
---
 
 
 
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 01/22/2026
ms.custom: include file
author: FaithOmbongi
ms.author: ombongifaith
---
 
 
Modified by Faith Moraa Ombongi on Jan 22, 2026 8:56 AM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Address feedback from pub team reviewers
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: reference
ms.date: 01/21/2026
ms.author: rolyon
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
 
# Microsoft Entra built-in roles
 
In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.
 
This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see [Assign Microsoft Entra roles](manage-roles-portal.md). If you are looking for roles to manage Azure resources, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: reference
ms.date: 01/22/2026
ms.author: rolyon
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
 
# Microsoft Entra built-in roles
 
In Microsoft Entra ID, if another administrator or nonadministrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.
 
This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see [Assign Microsoft Entra roles](manage-roles-portal.md). If you are looking for roles to manage Azure resources, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).
 
Modified by Tee Earls on Jan 22, 2026 8:18 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Enhance access reviews section with AI suggestions
Changes:
Before
After
In Microsoft Entra ID Governance, you can enable business groups to determine which of these guests should have access, and for how long, using:
 
- [entitlement management](entitlement-management-overview.md) in which you can specify the other organizations whose identities are allowed to request access to your organization's resources. When one of the identities request is approved, they're automatically added by entitlement management as a [B2B](../external-id/what-is-b2b.md) guest to your organization's directory. Then, they're assigned appropriate access. Entitlement management automatically removes the B2B guest user from your organization's directory when their access rights expire or are revoked.
- [access reviews](access-reviews-overview.md) that automates recurring reviews of existing guests already in your organization's directory, and removes those identities from your organization's directory when they no longer need access.
 
For more information, see [Govern the employee and guest lifecycle](scenarios/govern-the-employee-lifecycle.md).
 
In Microsoft Entra ID Governance, you can enable business groups to determine which of these guests should have access, and for how long, using:
 
- [entitlement management](entitlement-management-overview.md) in which you can specify the other organizations whose identities are allowed to request access to your organization's resources. When one of the identities request is approved, they're automatically added by entitlement management as a [B2B](../external-id/what-is-b2b.md) guest to your organization's directory. Then, they're assigned appropriate access. Entitlement management automatically removes the B2B guest user from your organization's directory when their access rights expire or are revoked.
- [access reviews](access-reviews-overview.md) that automates recurring reviews of existing guests already in your organization's directory, and removes those identities from your organization's directory when they no longer need access. AI-powered suggestions help reviewers make better informed decisions.
 
For more information, see [Govern the employee and guest lifecycle](scenarios/govern-the-employee-lifecycle.md).
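Review bot: the added sentence "AI-powered suggestions help reviewers make better informed decisions" is the only claim in this passage without a link to a supporting article, so readers cannot find where the feature is described; consider linking to the access reviews page that covers these recommendations, and hyphenate "better-informed". Separately, "When one of the identities request is approved" in the first bullet is ungrammatical and should read "When one of those identities' requests is approved".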
 
Modified by John Flores on Jan 22, 2026 7:45 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: [ZT Assess] Fix linking
Changes:
Before
After
- [Define certificate based application configuration](https://devblogs.microsoft.com/identity/app-management-policy/)
- [Define trusted certificate authorities for apps and service principals in the tenant](/graph/api/resources/certificatebasedapplicationconfiguration)
- [Define application management policies](/graph/api/resources/applicationauthenticationmethodpolicy)
- [Enforce secret and certificate standards](../../identity/enterprise-apps/tutorial-enforce-secret-standards.md)
- [Create a least-privileged custom role to rotate application credentials](/entra/identity/role-based-access-control/custom-create)
- [Define certificate based application configuration](https://devblogs.microsoft.com/identity/app-management-policy/)
- [Define trusted certificate authorities for apps and service principals in the tenant](/graph/api/resources/certificatebasedapplicationconfiguration)
- [Define application management policies](/graph/api/resources/applicationauthenticationmethodpolicy)
- [Enforce secret and certificate standards](/entra/identity/enterprise-apps/tutorial-enforce-secret-standards)
- [Create a least-privileged custom role to rotate application credentials](/entra/identity/role-based-access-control/custom-create)

🗑️ Deleted Documentation Files

DELETED docs/identity/role-based-access-control/includes/purview-workload-content-writer.md
Deleted by Faith Moraa Ombongi on Jan 22, 2026 10:49 AM
📖 Was available at: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/includes/purview-workload-content-writer
-13 lines removed
Commit: Remove the 3 Purview include files
DELETED docs/identity/role-based-access-control/includes/purview-workload-content-administrator.md
Deleted by Faith Moraa Ombongi on Jan 22, 2026 10:49 AM
📖 Was available at: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/includes/purview-workload-content-administrator
-12 lines removed
Commit: Remove the 3 Purview include files
DELETED docs/identity/role-based-access-control/includes/purview-workload-content-reader.md
Deleted by Faith Moraa Ombongi on Jan 22, 2026 10:49 AM
📖 Was available at: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/includes/purview-workload-content-reader
-12 lines removed
Commit: Remove the 3 Purview include files