MODIFIED docs/id-governance/entitlement-management-ticketed-provisioning.md

Modified by Ortagus Winfrey on Feb 2, 2026 1:30 PM
📖 View on learn.microsoft.com

+7 / -7 lines changed

Commit: Acrolinx fixes

Changes:

Before

After

 
Scenario: In this scenario you learn how to use custom extensibility, and a Logic App, to automatically generate ServiceNow tickets for manual provisioning of users who have received assignments and need access to apps.
 
In this tutorial, you'll learn:
 
> [!div class="checklist"]
> * Adding a Logic App Workflow to an existing catalog.
- SSO integration with ServiceNow. If this isn't already configured, see:[Tutorial: Microsoft Entra single sign-on (SSO) integration with ServiceNow](~/identity/saas-apps/servicenow-tutorial.md) before continuing.
 
> [!NOTE]
> It is recommended to use a least privilege role when completing these steps.
 
## Adding Logic App Workflow to an existing Catalog for Entitlement Management
 
    :::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png" alt-text="Screenshot of entitlement management custom extension behavior actions tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png":::
1. Select **Launch and wait** in the **Extension Configuration** which will pause the associated access package action until after the Logic App linked to the extension completes its task, and a resume action is sent by the admin to continue the process. For more information on this process, see:  [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes).
 
1.  In the **Details** tab, choose No in the "*Create new logic App*" field as the Logic App has already been created in the previous steps. However, you need to provide the Azure subscription and resource group details, along with the Logic App name.
    :::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png" alt-text="Screenshot of the entitlement management custom extension details tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png":::
1. In **Review and Create**, review the summary of your custom extension and make sure the details for your Logic App call-out are correct. Then select **Create**.

 
Scenario: In this scenario you learn how to use custom extensibility, and a Logic App, to automatically generate ServiceNow tickets for manual provisioning of users who have received assignments and need access to apps.
 
In this tutorial, you learn:
 
> [!div class="checklist"]
> * Adding a Logic App Workflow to an existing catalog.
- SSO integration with ServiceNow. If this isn't already configured, see:[Tutorial: Microsoft Entra single sign-on (SSO) integration with ServiceNow](~/identity/saas-apps/servicenow-tutorial.md) before continuing.
 
> [!NOTE]
> It's recommended to use a least privilege role when completing these steps.
 
## Adding Logic App Workflow to an existing Catalog for Entitlement Management
 
    :::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png" alt-text="Screenshot of entitlement management custom extension behavior actions tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png":::
1. Select **Launch and wait** in the **Extension Configuration** which will pause the associated access package action until after the Logic App linked to the extension completes its task, and a resume action is sent by the admin to continue the process. For more information on this process, see:  [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes).
 
1.  In the **Details** tab, choose No in the "*Create new logic App*" field as the Logic App was created in the previous steps. However, you need to provide the Azure subscription and resource group details, along with the Logic App name.
    :::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png" alt-text="Screenshot of the entitlement management custom extension details tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png":::
1. In **Review and Create**, review the summary of your custom extension and make sure the details for your Logic App call-out are correct. Then select **Create**.

MODIFIED docs/global-secure-access/how-to-install-windows-client.md

Modified by Jay on Feb 2, 2026 8:20 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Copyedits to Windows client install doc

Changes:

Before

After

description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 01/27/2026
ms.author: jayrusso
author: HULKsmashGithub
manager: dougeby
 
#### Deploy Global Secure Access client with Intune
 
Reference detailed guidance to [Add and assign Win32 apps to Microsoft Intune](/mem/intune/apps/apps-win32-add#add-a-win32-app-to-intune).
 
1. Navigate to [https://intune.microsoft.com](https://intune.microsoft.com/).
1. Select **Apps** > **All apps** > **Add**.
 
### Configure settings for Microsoft Entra Internet Access with Intune
 
Microsoft Entra Internet Access doesn't yet support DNS over HTTPS or Quick UDP Internet Connections (QUIC) traffic. To mitigate this, disable these protocols in users' browsers. The following instructions provide guidance on how to enforce these controls using Intune.
 
#### Disable QUIC in Microsoft Edge and Chrome with Intune 

description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 02/02/2026
ms.author: jayrusso
author: HULKsmashGithub
manager: dougeby
 
#### Deploy Global Secure Access client with Intune
 
For detailed guidance, see [Add and assign Win32 apps to Microsoft Intune](/mem/intune/apps/apps-win32-add#add-a-win32-app-to-intune).
 
1. Navigate to [https://intune.microsoft.com](https://intune.microsoft.com/).
1. Select **Apps** > **All apps** > **Add**.
 
### Configure settings for Microsoft Entra Internet Access with Intune
 
Microsoft Entra Internet Access doesn't yet support DNS over HTTPS or Quick UDP Internet Connections (QUIC) traffic. To mitigate this limitation, disable these protocols in users' browsers. The following instructions provide guidance on how to enforce these controls using Intune.
 
#### Disable QUIC in Microsoft Edge and Chrome with Intune 

MODIFIED docs/identity/saas-apps/salesforce-sandbox-tutorial.md

Modified by Jeevan Desarda on Feb 2, 2026 10:25 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Updating Salesforce article with the device activation note

Changes:

Before

After

ms.subservice: saas-apps
ms.topic: how-to
ms.date: 05/20/2025
ms.author: gideonkiratu
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Salesforce Sandbox so that I can control who has access to Salesforce Sandbox, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
* Manage your accounts in one central location.
 
> [!Note]
>   We are aware that Salesforce will enforce the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy is configured to enforce this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol#authnmethodreferences).
>
>  For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
 
## Prerequisites
The scenario outlined in this article assumes that you already have the following prerequisites:

ms.subservice: saas-apps
ms.topic: how-to
ms.date: 05/20/2025
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Salesforce Sandbox so that I can control who has access to Salesforce Sandbox, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
* Manage your accounts in one central location.
 
> [!Note]
>   We are aware that Salesforce will enforce the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy is configured to enforce this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol.md#authnmethodreferences).
>
>  For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions.md#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
 
## Prerequisites
The scenario outlined in this article assumes that you already have the following prerequisites:

MODIFIED docs/identity/saas-apps/salesforce-tutorial.md

Modified by Jeevan Desarda on Feb 2, 2026 10:25 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Updating Salesforce article with the device activation note

Changes:

Before

After

ms.subservice: saas-apps
ms.topic: how-to
ms.date: 03/25/2025
ms.author: gideonkiratu
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Salesforce so that I can control who has access to Salesforce, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
* Manage your accounts in one central location.
 
> [!Note]
>   We are aware that Salesforce will enforce the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy is configured to enforce this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol#authnmethodreferences).
>
>  For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
 
## Prerequisites
 

ms.subservice: saas-apps
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Salesforce so that I can control who has access to Salesforce, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
* Manage your accounts in one central location.
 
> [!Note]
>   We are aware that Salesforce will enforce the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy is configured to enforce this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol.md#authnmethodreferences).
>
>  For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions.md#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
 
## Prerequisites
 

MODIFIED docs/identity/hybrid/connect/reference-connect-version-history.md

Modified by copilot-swe-agent[bot] on Feb 2, 2026 10:58 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Update release date from 01/30/2026 to 02/02/2026

Changes:

Before

After

|[2.5.3.0](#2530)|31 July 2026 (12 months after release of 2.5.76.0)|
|[2.5.76.0](#25760)|01 September 2026 (12 months after release of 2.5.79.0)|
|[2.5.79.0](#25790)|23 Oct 2026 (12 months after release of 2.5.190.0)|
|[2.5.190.0](#251900)|30 Jan 2026 (12 months after release of 2.6.1.0)|
|[2.6.1.0](#2610)||
 
**All other versions are not supported**
 
### Release status
 
01/30/2026: Released for download via the Microsoft Entra admin center. Existing installations will be auto-upgraded to this build starting February 9th, 2026, and will be done in multiple phases.
 
### Bug Fixes
 

|[2.5.3.0](#2530)|31 July 2026 (12 months after release of 2.5.76.0)|
|[2.5.76.0](#25760)|01 September 2026 (12 months after release of 2.5.79.0)|
|[2.5.79.0](#25790)|23 Oct 2026 (12 months after release of 2.5.190.0)|
|[2.5.190.0](#251900)|02 Feb 2026 (12 months after release of 2.6.1.0)|
|[2.6.1.0](#2610)||
 
**All other versions are not supported**
 
### Release status
 
02/02/2026: Released for download via the Microsoft Entra admin center. Existing installations will be auto-upgraded to this build starting February 9th, 2026, and will be done in multiple phases.
 
### Bug Fixes
 

MODIFIED docs/identity-platform/single-sign-on-saml-protocol.md

Modified by Jeevan Desarda on Feb 2, 2026 4:30 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Adding authnmethodreferences claim details

Changes:

Before

After

| `ID` | Required | Microsoft Entra ID uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. |
| `Version` | Required | This parameter should be set to `2.0`. |
| `IssueInstant` | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Microsoft Entra ID expects a DateTime value of this type, but doesn't evaluate or use the value. |
| `AssertionConsumerServiceURL` | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Microsoft Entra ID. Entra ID will honors the ACS URL if it's present in the SAML Request.|
| `ForceAuthn` | Optional | This is a boolean value. If true, it means that the user will be forced to reauthenticate, even if they have a valid session with Microsoft Entra ID. |
| `IsPassive` | Optional | This is a boolean value that specifies whether Microsoft Entra ID should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Microsoft Entra ID attempts to authenticate the user using  the session cookie. |
 
 
* The `authnmethodsreferences` attribute specifies the way the user authenticated with Microsoft Entra ID.
* The `http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password` claim value specifies the user has done username and password authentication with Entra ID.
* The `http://schemas.microsoft.com/claims/multipleauthn` claim value specifies the user has done username and password and also performed a strong authentication with Entra ID such as MFA with Authenticator app.
 
```xml
  <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">

| `ID` | Required | Microsoft Entra ID uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. |
| `Version` | Required | This parameter should be set to `2.0`. |
| `IssueInstant` | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Microsoft Entra ID expects a DateTime value of this type, but doesn't evaluate or use the value. |
| `AssertionConsumerServiceURL` | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Microsoft Entra ID. Entra ID will honor the ACS URL if it's present in the SAML Request.|
| `ForceAuthn` | Optional | This is a boolean value. If true, it means that the user will be forced to reauthenticate, even if they have a valid session with Microsoft Entra ID. |
| `IsPassive` | Optional | This is a boolean value that specifies whether Microsoft Entra ID should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Microsoft Entra ID attempts to authenticate the user using  the session cookie. |
 
 
* The `authnmethodsreferences` attribute specifies the way the user authenticated with Microsoft Entra ID.
* The `http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password` claim value specifies the user has done username and password authentication with Entra ID.
* The `http://schemas.microsoft.com/claims/multipleauthn` claim value specifies the user has done username and password and also performed multiple factor authentication resulting in MFA.
 
```xml
  <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">

MODIFIED docs/identity/monitoring-health/overview-recommendations.md

Modified by Sarah Lipsey on Feb 2, 2026 4:51 PM
📖 View on learn.microsoft.com

+1 / -2 lines changed

Commit: adal-msal-recommendation-020226

Changes:

Before

After

ms.service: entra-id
ms.topic: overview
ms.subservice: monitoring-health
ms.date: 08/22/2025
ms.author: sarahlipsey
ms.reviewer: jadedsouza 
ms.custom: sfi-ga-nochange
| Group Policy Object (GPO) assigns unprivileged identities to local groups with elevated privileges | Users | Preview | Yes | N/A |
| [Migrate applications from AD FS to Microsoft Entra ID](recommendation-migrate-apps-from-adfs-to-azure-ad.md) | Applications | Generally available | No | Application Administrator, Authentication Administrator Hybrid Identity Administrator |
| [Migrate applications from the retiring Azure AD Graph APIs to Microsoft Graph](recommendation-migrate-to-microsoft-graph-api.md) | Applications | Preview | No | Application Administrator |
| [Migrate from ADAL to MSAL](recommendation-migrate-from-adal-to-msal.md) | Applications | Generally available | No | Application Administrator |
| [Migrate from MFA server to Microsoft Entra MFA](recommendation-migrate-to-microsoft-entra-mfa.md) | Tenant | Generally Available | No | Global Administrator |
| [Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph](recommendation-migrate-to-microsoft-graph-api.md) | Applications | Preview | No | Application Administrator |
| [Migrate to Microsoft Authenticator](recommendation-migrate-to-authenticator.md) | Users | Preview | No | Global Administrator | 

ms.service: entra-id
ms.topic: overview
ms.subservice: monitoring-health
ms.date: 02/02/2026
ms.author: sarahlipsey
ms.reviewer: jadedsouza 
ms.custom: sfi-ga-nochange
| Group Policy Object (GPO) assigns unprivileged identities to local groups with elevated privileges | Users | Preview | Yes | N/A |
| [Migrate applications from AD FS to Microsoft Entra ID](recommendation-migrate-apps-from-adfs-to-azure-ad.md) | Applications | Generally available | No | Application Administrator, Authentication Administrator Hybrid Identity Administrator |
| [Migrate applications from the retiring Azure AD Graph APIs to Microsoft Graph](recommendation-migrate-to-microsoft-graph-api.md) | Applications | Preview | No | Application Administrator |
| [Migrate from MFA server to Microsoft Entra MFA](recommendation-migrate-to-microsoft-entra-mfa.md) | Tenant | Generally Available | No | Global Administrator |
| [Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph](recommendation-migrate-to-microsoft-graph-api.md) | Applications | Preview | No | Application Administrator |
| [Migrate to Microsoft Authenticator](recommendation-migrate-to-authenticator.md) | Users | Preview | No | Global Administrator | 
 

MODIFIED docs/fundamentals/whats-new.md

Modified by Sarah Lipsey on Feb 2, 2026 4:51 PM
📖 View on learn.microsoft.com

+0 / -1 lines changed

Commit: adal-msal-recommendation-020226

Changes:

Before

After

 
For guidance, see:
 
*   [Recommendation: Migrate from Microsoft Authentication Library to MSAL](../identity/monitoring-health/recommendation-migrate-from-adal-to-msal.md)
*   [Analyze a sign-in with Microsoft Graph API](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs)
 
No action is required to disable the API.

 
For guidance, see:
 
*   [Analyze a sign-in with Microsoft Graph API](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs)
 
No action is required to disable the API.

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files

🗑️ Deleted Documentation Files