📋 Microsoft Entra Documentation Changes

Daily summary for changes since January 29th 2026, 8:10 PM PST

Report generated on January 30th 2026, 8:10 PM PST

📊 Summary

Total Commits: 12
New Files: 0
Modified Files: 6
Deleted Files: 0
Contributors: 7

📝 Modified Documentation Files

+7 / -1 lines changed
Commit: Removed preview tag.
Changes:
Before
After
ms.subservice: external
ms.topic: overview
ms.date: 09/16/2025
ms.custom: it-pro, seo-july-2024
 
#Customer intent: As a dev, devops, or it admin, I want to learn about identity solutions for apps for consumers and business customers.
 
Learn more about [MFA in external tenants](concept-multifactor-authentication-customers.md) or see [how to enable multifactor authentication](how-to-multifactor-authentication-customers.md).
 
### Microsoft Entra reliability and scalability
 
Create highly customized sign-in experiences and manage customer accounts at a large scale. Ensure a good customer experience by taking advantage of Microsoft Entra performance, resiliency, business continuity, low-latency, and high throughput.
 
 
 
 
 
 
ms.subservice: external
ms.topic: overview
ms.date: 01/30/2026
ms.custom: it-pro, seo-july-2024
 
#Customer intent: As a dev, devops, or it admin, I want to learn about identity solutions for apps for consumers and business customers.
 
Learn more about [MFA in external tenants](concept-multifactor-authentication-customers.md) or see [how to enable multifactor authentication](how-to-multifactor-authentication-customers.md).
 
### Machine-to-machine authentication (M2M)
 
Machine-to-machine (M2M) authentication uses the [OAuth 2.0 client credentials flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow) to let an application authenticate directly with Microsoft Entra ID. This flow is intended for scenarios without user interaction, where backend services need to securely request access tokens and call APIs on their own behalf.
 
For Microsoft Entra External ID applications, you can configure M2M authentication by using the client credentials flow with either a client secret or a certificate. This approach allows your application to authenticate as itself when accessing APIs. To enable M2M authentication, you must use the [M2M Premium add‑on](https://www.microsoft.com/security/pricing/microsoft-entra-external-id/). Review your organization’s premium add‑on usage policy to understand cost implications and ensure compliance with internal governance and licensing requirements.
 
### Microsoft Entra reliability and scalability
 
Create highly customized sign-in experiences and manage customer accounts at a large scale. Ensure a good customer experience by taking advantage of Microsoft Entra performance, resiliency, business continuity, low-latency, and high throughput.
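
Review bot: The new "Machine-to-machine authentication (M2M)" section offers "either a client secret or a certificate" without saying which to prefer. For an overview that readers will follow when wiring up backend services, state that a certificate is the stronger option and that a client secret, if used, needs to live in a secret store and be rotated. The commit message "Removed preview tag." also does not match what is visible here, which is a newly added section plus an ms.date update; reword it so the history reflects the added content.
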
Modified by csmulligan on Jan 30, 2026 10:28 AM
+2 / -3 lines changed
Commit: Removed preview tag.
Changes:
Before
After
title: Microsoft Entra External ID overview
description: Microsoft Entra External ID allows you to collaborate with or publish apps to people outside your organization. Compare solutions for External ID, including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C.
 
ms.service: entra-external-id
ms.topic: overview
ms.date: 09/06/2024
ms.author: cmulligan
author: csmulligan
manager: dougeby
 
- **B2B collaboration invitation manager**: The [invitation manager API in Microsoft Graph](/graph/api/resources/invitation) is available for building your own onboarding experiences for business guests. You can use the [create invitation API](/graph/api/invitation-post) to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
 
## Next steps
 
- [What is Microsoft Entra B2B collaboration?](what-is-b2b.md)
- [What is Microsoft Entra B2B direct connect?](b2b-direct-connect-overview.md)
title: Microsoft Entra External ID overview
description: Microsoft Entra External ID allows you to collaborate with or publish apps to people outside your organization. Compare solutions for External ID, including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C.
 
ms.service: entra-external-id
ms.topic: overview
ms.date: 01/30/2026
ms.author: cmulligan
author: csmulligan
manager: dougeby
 
- **B2B collaboration invitation manager**: The [invitation manager API in Microsoft Graph](/graph/api/resources/invitation) is available for building your own onboarding experiences for business guests. You can use the [create invitation API](/graph/api/invitation-post) to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
 
## Related content
 
- [What is Microsoft Entra B2B collaboration?](what-is-b2b.md)
- [What is Microsoft Entra B2B direct connect?](b2b-direct-connect-overview.md)
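
Review bot: The description front-matter line still lists "Microsoft Entra B2B collaboration" twice ("including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C"), and this edit carries the duplicate forward unchanged. One of the two is presumably meant to be a different offering, such as the B2B direct connect that the related-content links name, so fix it while the file is open. The commit message "Removed preview tag." also does not describe the visible change, which is the "Next steps" to "Related content" heading rename and the ms.date update.
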
 
+4 / -1 lines changed
Commit: Removed preview tag.
Changes:
Before
After
author: OwenRichards1
manager: pmwongera
ms.author: owenrichards
ms.date: 01/23/2025
ms.service: identity-platform
ms.reviewer: jmprieur, ludwignick
ms.topic: reference
 
The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. The grant specified in [RFC 6749](https://tools.ietf.org/html/rfc6749#section-4.4), sometimes called *two-legged OAuth*, can be used to access web-hosted resources by using the identity of an application. This type is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user, and is often referred to as *daemons* or *service accounts*.
 
In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication. This article covers both the steps needed to:
 
- [Authorize an application to call an API](#application-permissions)
 
 
 
author: OwenRichards1
manager: pmwongera
ms.author: owenrichards
ms.date: 01/30/2026
ms.service: identity-platform
ms.reviewer: jmprieur, ludwignick
ms.topic: reference
 
The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. The grant specified in [RFC 6749](https://tools.ietf.org/html/rfc6749#section-4.4), sometimes called *two-legged OAuth*, can be used to access web-hosted resources by using the identity of an application. This type is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user, and is often referred to as *daemons* or *service accounts*.
 
> [!NOTE]
> When you configure machine-to-machine (M2M) authentication for [Microsoft Entra External ID](/entra/external-id/external-identities-overview), you must use the [M2M Premium add‑on](https://www.microsoft.com/security/pricing/microsoft-entra-external-id/). Review your organization’s premium add‑on usage policy to understand cost implications and ensure the implementation complies with internal governance and licensing guidelines.
 
In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there is no user involved in the authentication. This article covers both the steps needed to:
 
- [Authorize an application to call an API](#application-permissions)
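
Review bot: The added [!NOTE] restates the M2M Premium add-on requirement that the External ID overview states in this same batch, but with a different closing clause ("ensure the implementation complies with internal governance and licensing guidelines" here, "ensure compliance with internal governance and licensing requirements" there). Keep one canonical sentence, or have this note link to the overview section, so the two copies cannot drift apart. The note also sits ahead of the paragraph explaining that permissions are granted to the application by an administrator; consider placing it after the bullet list so the licensing remark does not interrupt the explanation of the flow.
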
+1 / -1 lines changed
Commit: Small edits to restrictions on role permissions for admins
Changes:
Before
After
| [User Administrator](permissions-reference.md#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs. |
| [<Custom role>](custom-create.md) | Can perform actions that apply to users, groups, or devices, according to the definition of the custom role. |
 
Certain role permissions apply only to nonadministrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped [Helpdesk Administrators](permissions-reference.md#helpdesk-administrator) can reset passwords for users in the administrative unit only if those users don't have administrator roles. The following permissions are restricted when the target of an action is a user in another role or an Administrator:
 
- Read and modify user authentication methods
- Reset user passwords
| [User Administrator](permissions-reference.md#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs. |
| [<Custom role>](custom-create.md) | Can perform actions that apply to users, groups, or devices, according to the definition of the custom role. |
 
Certain role permissions apply only to nonadministrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped [Helpdesk Administrators](permissions-reference.md#helpdesk-administrator) can reset passwords for users in the administrative unit only if those users don't have administrator roles. The following permissions are restricted when the target of an action is a user with another role or an administrator:
 
- Read and modify user authentication methods
- Reset user passwords
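
Review bot: In the sentence that introduces the bullet list, "a user with another role or an administrator" is still ambiguous: "another role" has no referent, while the preceding sentence defines the condition as users who "don't have administrator roles". If the restriction is meant to cover only targets holding administrator roles, word the trigger the same way in both sentences, for example "when the target of an action is a user who has an administrator role", so that anyone scoping Helpdesk Administrator to an administrative unit can tell exactly which accounts are protected from password resets and authentication-method changes.
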
Modified by vimrang on Jan 30, 2026 4:34 PM
+1 / -1 lines changed
Commit: Update Kerberos authentication support details
Changes:
Before
After
 
### Support for cloud-only user identities (Preview)
 
Cloud-only user accounts managed solely in Microsoft Entra ID are supported for Kerberos authentication by workloads like Azure Files and Azure Virtual Desktop.
 
### Operating system and device restrictions
 
 
### Support for cloud-only user identities (Preview)
 
Cloud-only user accounts managed solely in Microsoft Entra ID are supported for Kerberos authentication by workloads like Azure Files, Azure Virtual Desktop and Windows authentication access to Azure SQL Managed Instance.
 
### Operating system and device restrictions
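
Review bot: The extended workload list mixes two services with a capability ("Azure Files, Azure Virtual Desktop and Windows authentication access to Azure SQL Managed Instance") and has no serial comma, so it can be misread as Azure Virtual Desktop access to SQL Managed Instance. Suggest "Azure Files, Azure Virtual Desktop, and Azure SQL Managed Instance (Windows authentication)". The heading keeps "(Preview)"; confirm that the newly listed workload shares that status, or state the status per workload.
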
 
+1 / -1 lines changed
Commit: Removed preview tag.
Changes:
Before
After
|[OpenID Connect](../../identity-platform/v2-protocols-oidc.md)| Yes| Yes|
|[Authorization code](../../identity-platform/v2-oauth2-auth-code-flow.md)| Yes| Yes|
|[Authorization code with Code Exchange (PKCE)](../../identity-platform/v2-oauth2-auth-code-flow.md)|Yes| Yes|
|[Client credentials](../../identity-platform/v2-oauth2-client-creds-grant-flow.md)|Yes| [v2.0 applications](../../identity-platform/reference-app-manifest.md) (preview)|
|[Device authorization](../../identity-platform/v2-oauth2-device-code.md)| Yes| Preview |
|[On-Behalf-Of flow](../../identity-platform/v2-oauth2-on-behalf-of-flow.md)| Yes| Yes|
|[Implicit grant](../../identity-platform/v2-oauth2-implicit-grant-flow.md)| Yes| Yes|
|[OpenID Connect](../../identity-platform/v2-protocols-oidc.md)| Yes| Yes|
|[Authorization code](../../identity-platform/v2-oauth2-auth-code-flow.md)| Yes| Yes|
|[Authorization code with Code Exchange (PKCE)](../../identity-platform/v2-oauth2-auth-code-flow.md)|Yes| Yes|
|[Client credentials](../../identity-platform/v2-oauth2-client-creds-grant-flow.md)|Yes| [v2.0 applications](../../identity-platform/reference-app-manifest.md) |
|[Device authorization](../../identity-platform/v2-oauth2-device-code.md)| Yes| Preview |
|[On-Behalf-Of flow](../../identity-platform/v2-oauth2-on-behalf-of-flow.md)| Yes| Yes|
|[Implicit grant](../../identity-platform/v2-oauth2-implicit-grant-flow.md)| Yes| Yes|
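
Review bot: In the Client credentials row, dropping "(preview)" leaves the cell reading as unconditional support for v2.0 applications, while the other edits in this batch state that M2M authentication for External ID requires the M2M Premium add-on. Add that condition to the cell or as a footnote under the table so the comparison does not contradict the overview and the client credentials reference. The Device authorization row still reads "Preview"; confirm that it was left that way on purpose.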