📋 Microsoft Entra Documentation Changes

Daily summary for changes since January 26th 2026, 7:51 PM PST

Report generated on January 27th 2026, 7:51 PM PST

📊 Summary

- Total Commits: 22
- New Files: 0
- Modified Files: 5
- Deleted Files: 0
- Contributors: 12

📝 Modified Documentation Files

+9 / -11 lines changed
Commit: pm-updats
Changes:
Before
After
- Resource exclusions for a custom enterprise application and Exchange Online
- MFA is configured as the grant control
 
#### Example scenario 1
 
| Example scenario | User impact (before → after) | Conditional Access evaluation change |
|---|---|---|
| A user signs into VSCode desktop client, which requests openid and profile scopes. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
| A user signs in using Azure CLI, which requests only User.Read. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
| A user signs in through a custom enterprise application (excluded from the policy) that requests only User.Read and People.Read. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
 
There is no change in behavior when an application requests a scope beyond those listed previously.
 
In the following example, Conditional Access is not enforced because Exchange Online is excluded from the policy.
 
#### Example scenario 2
 
| Example scenario | User impact | Conditional Access evaluation |
|---|---|---|
| A user signs in to a custom enterprise application (excluded from the policy) that requests offline_access and SharePoint access (Files.Read). | No change in behavior | Conditional Access continues to be enforced based on the SharePoint resource. |
- Resource exclusions for a custom enterprise application and Exchange Online
- MFA is configured as the grant control
 
#### Example scenarios
 
| Example scenario | User impact (before → after) | Conditional Access evaluation |
|---|---|---|
| A user signs into VSCode desktop client, which requests openid and profile scopes. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
| A user signs in using Azure CLI, which requests only `User.Read`. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
| A user signs in through a custom enterprise application (excluded from the policy) that requests only `User.Read` and `People.Read`. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |
 
There is no change in behavior when an application requests a scope beyond those listed previously, as illustrated in the following examples.
 
#### Example scenarios
 
| Example scenario | User impact | Conditional Access evaluation |
|---|---|---|
| A user signs in to a custom enterprise application (excluded from the policy) that requests offline_access and SharePoint access (`Files.Read`). | No change in behavior | Conditional Access continues to be enforced based on the SharePoint resource. |
| A user signs in to the OneDrive desktop sync client. OneDrive requests offline_access and Exchange Online access (`Mail.Read`). | No change in behavior | Conditional Access is not enforced because Exchange Online is excluded from the policy. |
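
Review bot: In the After text both tables sit under the same heading, "#### Example scenarios", so the two sections can no longer be told apart or linked to separately; give them distinct headings, for example one for scenarios where behavior changes and one for scenarios with no change. Scope formatting is also only half applied: `User.Read`, `People.Read`, `Files.Read` and `Mail.Read` are now in code format, while openid, profile and offline_access remain plain text in the same tables. The `</br>` in the user impact cells is not a valid tag and should be `<br>`.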
 
Modified by barclayn on Jan 27, 2026 1:21 PM
+4 / -1 lines changed
Commit: Add important note about memberOf behavior when source group is deleted
Changes:
Before
After
ms.service: entra-id
ms.subservice: users
ms.topic: how-to
ms.date: 11/18/2025
ms.author: barclayn
ms.reviewer: krbain
ms.custom: it-pro
- The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."
- Users included in `memberOf` dynamic membership groups may cause a slower processing time for your tenant, if the tenant has a large number of groups or frequent dynamic membership groups updates.
 
## Get started
 
This feature can be used in the Azure portal, Microsoft Graph, and PowerShell. Because `memberOf` isn't yet supported in the rule builder, you must enter your rule in the rule editor.
 
 
 
ms.service: entra-id
ms.subservice: users
ms.topic: how-to
ms.date: 01/27/2026
ms.author: barclayn
ms.reviewer: krbain
ms.custom: it-pro
- The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."
- Users included in `memberOf` dynamic membership groups may cause a slower processing time for your tenant, if the tenant has a large number of groups or frequent dynamic membership groups updates.
 
> [!IMPORTANT]
> When a group object that is listed in the rule of a memberOf dynamic group is deleted from the tenant, the users or devices that were members of the deleted group at the time of deletion remain members of the memberOf dynamic group. This behavior continues until the memberOf dynamic group rule is modified.
 
## Get started
 
This feature can be used in the Azure portal, Microsoft Graph, and PowerShell. Because `memberOf` isn't yet supported in the rule builder, you must enter your rule in the rule editor.
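
Review bot: The new [!IMPORTANT] note writes memberOf as plain text throughout, while the two bullets directly above it use `memberOf`; apply the code format here too. Because the note describes users or devices keeping membership after the source group is deleted, and says this lasts "until the memberOf dynamic group rule is modified", it should also state which rule change the admin is expected to make to clear those members, so that retained access is not left in place by accident.
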
+4 / -1 lines changed
Commit: Added a note.
Changes:
Before
After
 
## Microsoft Entra CSS selectors
 
Use the following CSS selectors to configure the details of the sign-in experience.
 
- `.ext-background-image` - Container that includes the background image in the default lightbox template
- `.ext-header` - Header at the top of the container
 
 
 
 
## Microsoft Entra CSS selectors
 
Use the following CSS selectors to configure the details of the sign-in experience.
 
>[!Note]
>To customize internal navigation links, use the new custom CSS selector: `.ext-link`.
 
- `.ext-background-image` - Container that includes the background image in the default lightbox template
- `.ext-header` - Header at the top of the container
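
Review bot: The note is inserted between "Use the following CSS selectors to configure the details of the sign-in experience." and the list that sentence introduces, and `.ext-link` appears only in the note rather than as a list entry with a description like `.ext-background-image` and `.ext-header`. Consider adding `.ext-link` as a list item that says what it styles and placing any remaining note after the list. The alert marker is written `>[!Note]` with no space after `>`, and the word "new" will go stale quickly.
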
+2 / -2 lines changed
Commit: Update how-to-enable-authenticator-passkey.md
Changes:
Before
After
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 06/24/2025
ms.author: justinha
author: justinha
manager: dougeby
iOS | `cable.auth.com`<br>`app-site-association.cdn-apple.com`<br>`app-site-association.networking.apple`
 
> [!NOTE]
> Users can't use cross-device registration or authentication if you enable attestation.
 
To learn more about FIDO2 support, see [Support for FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md).
 
ms.service: entra-id
ms.subservice: authentication
ms.topic: how-to
ms.date: 01/27/2026
ms.author: justinha
author: justinha
manager: dougeby
iOS | `cable.auth.com`<br>`app-site-association.cdn-apple.com`<br>`app-site-association.networking.apple`
 
> [!NOTE]
> Users can't use cross-device registration if you enable attestation.
 
To learn more about FIDO2 support, see [Support for FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md).
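
Review bot: The revised note drops "or authentication" and now covers only cross-device registration, which leaves the reader to infer what happens to cross-device authentication when attestation is enabled. Since admins use this note to decide whether to enforce attestation, say explicitly whether cross-device authentication is supported in that configuration instead of relying on the omission.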
 
+1 / -1 lines changed
Commit: Update docs/id-governance/entitlement-management-access-package-assignments.md
Changes:
Before
After
1. Once you select a policy, you are able to add users to select the users you want to assign this access package to, under the chosen policy.
 
> [!NOTE]
> If you select a policy with questions, you can only assign one user at a time. Additionally, please note that if the external user already exists in the directory, you will need to use the **Identities in my directory** option and select the existing user. The **External user** option can be used when the user does not exist in the directory.
 
1. Set the date and time you want the selected users' assignment to start and end. If an end date isn't provided, the policy's lifecycle settings are used.
 
1. Once you select a policy, you are able to add users to select the users you want to assign this access package to, under the chosen policy.
 
> [!NOTE]
> If you select a policy with questions, you can only assign one user at a time. If the external user already exists in the directory, use the **Identities in my directory** option and select the existing user. Use the **External user** option when the user doesn't exist in the directory.
 
1. Set the date and time you want the selected users' assignment to start and end. If an end date isn't provided, the policy's lifecycle settings are used.
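
Review bot: Step 1 still reads "you are able to add users to select the users you want to assign this access package to", which this edit leaves untouched and which is hard to parse; since the note below it was reworded for style, tighten the step as well, for example "After you select a policy, add the users you want to assign this access package to under that policy." The note also combines two unrelated points (the one-user limit for policies with questions, and how to pick an external user who already exists in the directory); splitting them into two notes or two paragraphs would make each easier to find.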