📋 Microsoft Entra Documentation Changes

ms.date: 01/28/2026

External-facing identity systems support a wide range of customer experiences. That wide range also makes them attractive targets for common customer identity and access management (CIAM) attack patterns such as credential stuffing, automated bot sign-ups, account takeover attempts, and high-volume traffic spikes. Understanding these threats helps explain why a clear, layered security approach is essential. Microsoft Entra External ID provides foundational capabilities you can build on. This guide helps you understand how to strengthen that foundation with recommended controls and integrations based on common CIAM threat patterns.

This guide outlines:

- The attack vectors that commonly target CIAM systems.

- The security controls that can help you address them.

- A prioritized roadmap to guide implementation.

- Available third‑party integrations for fraud, bot, and DDoS protection.

- Known limitations specific to external tenants.

Our goal is to offer a practical, actionable roadmap that helps you make informed decisions about how to secure your customer-facing experiences.

| [Application certificates must be rotated on a regular basis](zero-trust-protect-identities.md#application-certificates-must-be-rotated-on-a-regular-basis) | None (included with Microsoft Entra ID) |

| [Block legacy authentication policy is configured](zero-trust-protect-identities.md#block-legacy-authentication-policy-is-configured) | Microsoft Entra ID P1 |

| [Enable Microsoft Entra ID security defaults for free tenants](zero-trust-protect-identities.md#enable-microsoft-entra-id-security-defaults-for-free-tenants) | None (included with Microsoft Entra ID) |

## Protect tenants and isolate production systems

### Application certificates must be rotated on a regular basis

[!INCLUDE [21839](../includes/secure-recommendations/21839.md)]

### Block legacy authentication policy is configured

- Resource exclusions for a confidential client application and Exchange Online

| A user signs in through a confidential client application (excluded from the policy) that requests only `User.Read` and `People.Read`. | **Before**: User not prompted for MFA</br>**After**: User is prompted for MFA | Conditional Access is now evaluated using Windows Azure Active Directory as the enforcement audience. |

There is no change in behavior when a client application requests a scope beyond those listed previously, as illustrated in the following examples.

| A user signs in to a confidential client application (excluded from the policy) that requests offline_access and SharePoint access (`Files.Read`). | No change in behavior | Conditional Access continues to be enforced based on the SharePoint resource. |

Microsoft Entra ID supports applying [sensitivity labels](/purview/sensitivity-labels) to Microsoft 365 groups when those labels are published in the [Microsoft Purview portal](/purview/purview-portal) and the labels are configured for groups and sites.

1. The sensitivity labels are published in the Microsoft Purview portal or the Microsoft Purview portal for this Microsoft Entra organization.

- The label might not be published in the Microsoft Purview portal. Also, the label might no longer be published. Check with your administrator for more information.

ms.date: 01/28/2026

Microsoft allows customers with complex environments or technical barriers to postpone the enforcement of Phase 2 for their tenants until July 1st, 2026. You can request more time to prepare for Phase 2 MFA enforcement at [https://aka.ms/postponePhase2MFA](https://aka.ms/postponePhase2MFA). Choose another start date, and click **Apply**. After Phase 2 enforcement begins, you can submit a request to Microsoft Help and Support to temporarily lift enforcement. The request must be done by a Global Administrator due to the security implications.

**Answer**: Azure Phase 2 enforcement applies to all user accounts that make Azure resource management actions through any Azure client, including PowerShell, CLI, SDKs, or even REST APIs. This enforcement is on the Azure Resource Manager server side, so any requests that target `https://management.azure.com` are under scope of enforcement. Automation accounts are not in scope as long as they use a managed identity or service principal. Any automation accounts that are set up as user identities will be enforced upon.

In this article, you learn how to set up a SAML integration for a GitHub enterprise with Enterprise Managed Users with Microsoft Entra ID. Setting up a SAML or [OIDC](https://docs.github.com/enterprise-cloud@latest/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-oidc-for-enterprise-managed-users) authentication integration, in addition to setting up [SCIM provisioning](./github-enterprise-managed-user-provisioning-tutorial.md), is required for a GitHub enterprise with Enterprise Managed Users. Setting up authentication and [SCIM provisioning](./github-enterprise-managed-user-provisioning-tutorial.md) for a GitHub enterprise with Enterprise Managed Users allows an admin to:

* Provision users and groups to the enterprise (once both the authentication and SCIM provisioning integrations have been set up). GitHub teams can be mapped to SCIM-provisioned groups.

> A GitHub.com enterprise account with Enterprise Managed Users is a specific type of enterprise. This is determined with you request or [create a new GitHub enterprise account](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-your-enterprise-account/creating-an-enterprise-account) on GitHub.com. You can read more about the different types of GitHub enterprises in [this GitHub article](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud). If you do not have an enterprise that is set up for Enterprise Managed Users, please see [this GitHub article](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/about-identity-and-access-management#authentication-through-githubcom-with-additional-saml-access-restriction) for more details and links.

* A GitHub enterprise that is set up for Enterprise Managed Users.

Users with this role have permissions to manage compliance-related features in the Microsoft Purview portal, Microsoft 365 admin center, Azure, and Microsoft 365 Defender portal. Assignees can also manage all features within the Exchange admin center and create support tickets for Azure and Microsoft 365. For more information, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions).

| [Microsoft Purview portal](/purview/purview-portal) | Protect and manage your organization's data across Microsoft 365 services<br>Manage compliance alerts |

| [Microsoft Purview Compliance Manager](/purview/compliance-manager) | Track, assign, and verify your organization's regulatory compliance activities |

Users with this role have permissions to track data in the Microsoft Purview portal, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. For more information about the differences between Compliance Administrator and Compliance Data Administrator, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions).

| [Microsoft Purview portal](/purview/purview-portal) | Monitor compliance-related policies across Microsoft 365 services<br>Manage compliance alerts |

| [Microsoft Purview Compliance Manager](/purview/compliance-manager) | Track, assign, and verify your organization's regulatory compliance activities |

- Microsoft 365 Defender portal or

- [Microsoft Purview compliance portal](/purview/purview-portal?view=o365-worldwide&preserve-view=true)

In a Microsoft Entra External ID [external tenant](/entra/external-id/customers/concept-supported-features-customers#conditional-access), you can use the following session controls:

 

- Sign-in frequency

- Persistent browser session

 

To provide a group of users with just-in-time access to Microsoft Entra roles with permissions in SharePoint, Exchange, or Microsoft Purview portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.

In other words, to avoid activation delays, use [PIM for Microsoft Entra roles](pim-how-to-add-role-to-user.md) instead of PIM for Groups to provide just-in-time access to SharePoint, Exchange, or Microsoft Purview portal. For more information, see [Error when accessing SharePoint or OneDrive after role activation in PIM](/sharepoint/troubleshoot/administration/access-denied-to-pim-user-accounts).

This is a [privileged role](../privileged-roles-permissions.md). Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global Reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Microsoft 365 Defender portal, Microsoft Purview portal, Azure portal, and Device Management admin center.

>- [Privileged Access Management](/purview/privileged-access-management) doesn't support the Global Reader role.

This is a [privileged role](../privileged-roles-permissions.md). Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview portal. For more information about Office 365 permissions, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions).

| [Microsoft Purview portal](/purview/purview-portal) | Manage security policies<br>View, investigate, and respond to security threats<br>View reports |

This is a [privileged role](../privileged-roles-permissions.md). Users with this role can manage alerts and have global read-only access on security-related features, including all information in Microsoft 365 Defender portal, Microsoft Entra ID Protection, Privileged Identity Management, and Microsoft Purview portal. For more information about Office 365 permissions, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions).

| [Microsoft Purview portal](/purview/purview-portal) | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts |