📋 Microsoft Entra Documentation Changes

| asymmetricKeyLifetime | Enforce a max lifetime range for an asymmetric key (certificate). | Reduces security risk from long-lived credentials | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). Referred to as `Restrict max certificate lifetime` in the Microsoft Entra admin center. |

| audiences | Restricts creation or promotion of apps based on signInAudience values. | Prevents unsanctioned multitenant or consumer-facing applications | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) |

| customPasswordAddition | Restrict a custom password secret on application or service principal. | Prevents new user-provided app passwords, which are more easily compromised than system-generated ones | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). Referred to as `Block custom passwords` in the Microsoft Entra admin center. |

| nonDefaultUriAddition | Block new identifier URIs for apps unless they're one of the default formats `api://{appId}` or `api://{tenantId}/{appId}`. | Reduces security risk from improper audience validation | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). Referred to as `Block custom identifier URIs` in the Microsoft Entra admin center. |

| uriAdditionWithoutUniqueTenantIdentifier | Block new identifier URIs for apps unless they're one of the [secure formats](https://aka.ms/identifier-uri-policy). | Reduces security risk from audience overlap | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). Referred to as `Block identifier URIs without unique tenant identifier` in the Microsoft Entra admin center. |

| passwordAddition | Block the addition of new passwords (also referred to as secrets) on applications altogether. | Prevents new passwords, which are the most easily compromised form of credential | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). In the Microsoft Entra admin center, combined with the `symmetricKeyAddition` restriction under the `Block password addition` setting. |

| passwordLifetime | Enforce a max lifetime range for a password secret. | Reduces security risk from long-lived credentials | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). In the Microsoft Entra admin center, combined with the `symmetricKeyLifetime` restriction under the `Restrict max password lifetime` setting. |

| symmetricKeyAddition | Restrict symmetric keys on applications. | Prevents new symmetric keys, which are effectively passwords - the most easily compromised form of credential | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). In the Microsoft Entra admin center, combined with the `passwordAddition` restriction under the `Block password addition` setting. |

| symmetricKeyLifetime | Enforce a max lifetime range for a symmetric key. | Reduces security risk from long-lived credentials | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta) and the [Microsoft Entra admin center](https://aka.ms/app-mgmt-policy-ux). In the Microsoft Entra admin center, combined with the `passwordLifetime` restriction under the `Restrict max password lifetime` setting. |

| trustedCertificateAuthority | Block new certificate credentials if the issuer isn't listed in the trusted certificate authority list. | Ensures only trusted CAs are used by apps in your tenant | Can be configured through [app management policy APIs](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta). |

 

To learn more about how the app management policy API works, visit the [API documentation](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta).

- Both of these Role-based access control actions:

- `microsoft.directory/applications/disablement/update`

1. Get the application ID if you don't have it

GET https://graph.microsoft.com/v1.0/applications?$filter=displayName eq 'Your App Name'

```

 

1. Deactivate the application

- [Microsoft Entra documentation](https://learn.microsoft.com/entra/) 

- [Microsoft Entra Global Secure Access](https://learn.microsoft.com/entra/global-secure-access/) 

- [Microsoft Defender for Cloud Apps overview](https://learn.microsoft.com/defender-cloud-apps/)

Starting Oct 28, 2026, all applications and scripts making calls to Microsoft Entra Privileged Identity Management (PIM) [Iteration 2](/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta) (beta) APIs for Azure resources, Microsoft Entra roles and Groups will fail.

 

If external user local accounts were synced from on-premises, reduce their on-premises footprint and use B2B guest accounts. You can:

 

- Randomize external user's local-account passwords to prevent authentication to on-premises resources

You can also create an access review programmatically using Microsoft Graph. For more information, see [Create a single stage access review on a catalog](/graph/api/accessreviewset-post-definitions?view=graph-rest-beta&tabs=http#example-6-create-a-single-stage-access-review-on-a-catalog).

You can also upload custom data via Graph by creating an upload session and then uploading a CSV file. For more information, see [customDataProvidedResourceUploadSession](/graph/api/resources/customdataprovidedresourceuploadsession?view=graph-rest-beta).

In the **Applying** stage, you can get a list of denied users by making the [list decisions](/graph/api/accessreviewinstance-list-decisions?view=graph-rest-beta&tabs=http) API call:

> * ZTNA Policy Service

With the introduction of [custom extensions](entitlement-management-logic-apps-integration.md) calling out to [Azure Logic Apps](/azure/logic-apps/logic-apps-overview) you are now able to dynamically determine approval requirements for each access package assignment request based on your organizations specific business logic. The access package assignment request process will pause until your business logic hosted in Azure Logic Apps returns a [approval stage](/graph/api/resources/accesspackageapprovalstage?view=graph-rest-1.0) which will then be leveraged in the subequent approval process via the [My Access portal](https://myaccess.microsoft.com). For example, if access requests must be approved by the department head of the person requesting an access package this feature allows you to query an external system, such as your human resources (HR) system, to on-the-fly look up the current department head and assign them as the approver for the given access request.

> Although the example uses a user ID, the primaryApprovers and escalationApprovers section can contain valid [subjectSets](/graph/api/resources/subjectset) supported by Entitlement Management. In Public Preview the resume call must be performed against Microsoft Graph's beta endpoint. However, the [approval stage](/graph/api/resources/accesspackageapprovalstage?view=graph-rest-1.0) provided in the resume call body must follow the [v1.0 convention](/graph/api/resources/accesspackageapprovalstage?view=graph-rest-1.0) and not the [beta convention](/graph/api/resources/approvalstage?view=graph-rest-beta).

First, call [Create accessPackageResourceRequest](/graph/api/entitlementmanagement-post-resourcerequests?view=graph-rest-1.0&tabs=http) to add the Microsoft Entra role as a resource to the catalog.

Then, to add that Microsoft Entra role to an access package as a resource role, use the following payload for [Create resourceRoleScope](/graph/api/accesspackage-post-resourcerolescopes?view=graph-rest-1.0&tabs=http):

1. If you encountered this error, it means your API currently uses v1.0 tokens. You can unblock yourself by updating your service to accept v2.0 tokens. V2.0 tokens are similar to v1.0, but there are some [differences](https://learn.microsoft.com/entra/identity-platform/access-token-claims-reference). Once your service is able to handle v2.0 tokens, you can update your app configuration so that Microsoft Entra sends them v2.0 tokens. An easy way to do this is through the manifest editor in the [Microsoft Entra admin center App registrations experience](https://aka.ms/ra/prod):

The enforcements are turned on by configuring an organization's [app management policies](https://learn.microsoft.com/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta). A tenant administrator can turn it on or off. Microsoft is enabling it by default in some organizations during the months of June and July 2025.

ms.date: 02/13/2026

- Provide [instructions](conditional-access-agent-optimization-settings.md#custom-instructions) and [knowledge artifacts]() to the agent

Private DNS support for Microsoft Entra Private Access lets you query your own internal DNS servers to resolve IP addresses for internal domain names. Let’s look at an example. Let’s say you have an internal IP range of `10.8.0.0` to `10.8.255.255`. You configure this range in your Quick Access application definition. You want users to access a web application responding on IP `10.8.0.5` when they type

The Microsoft agent identity platform introduces an administrative model that separates technical administration from business accountability, ensuring operational control and compliance oversight without excessive permissions. This document explains the administrative relationships for Microsoft Entra Agent ID identity types. This guidance applies to [agent identities](/graph/api/resources/agentidentity?view=graph-rest-beta), [agent identity blueprints](/graph/api/resources/agentidentityblueprint?view=graph-rest-beta), [agent identity blueprint principals](/graph/api/resources/agentidentityblueprintprincipal?view=graph-rest-beta), and [agent users](/graph/api/resources/agentuser?view=graph-rest-beta). The article covers owners, sponsors, and managers and their importance in maintaining secure operations.

- The agent identity itself can programmatically request an access package when needed for its operations, by creating an [accessPackageAssignmentRequest](/graph/api/entitlementmanagement-post-assignmentrequests?view=graph-rest-1.0&tabs=http).

[Microsoft Graph](https://developer.microsoft.com/graph) provides access to the tenant's [identity and access](/graph/api/resources/identity-network-access-overview?view=graph-rest-1.0), [users](/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true), [groups](/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http&preserve-view=true), and [applications](/graph/api/resources/application?view=graph-rest-1.0&preserve-view=true). Microsoft Graph is the gateway to data and intelligence in Microsoft 365. You can use its unified programmability model to access the tremendous amount of data in Microsoft 365, Windows, and Enterprise Mobility + Security (EMS).

Once an access review starts, you can use the [contactedReviewers](/graph/api/resources/accessreviewreviewer?view=graph-rest-1.0) API to retrieve the list of all users who were, or would have been, notified via email to perform reviews. Even in scenarios where notifications were turned off, the API still provides the list of reviewers along with timestamps indicating when notification would happen.