📋 Microsoft Entra Documentation Changes

Daily summary for changes since February 17th 2026, 8:26 PM PST

Report generated on February 18th 2026, 8:26 PM PST

📊 Summary

- 36 total commits
- 6 new files
- 14 modified files
- 0 deleted files
- 14 contributors

🆕 New Documentation Files

- +22 lines added (commit: [ZT Assessment] Network Checks 021826)
- +21 lines added (commit: [ZT Assessment] Network Checks 021826)
- +21 lines added (commit: [ZT Assessment] Network Checks 021826)
- +20 lines added (commit: [ZT Assessment] Network Checks 021826)
- +20 lines added (commit: [ZT Assessment] Network Checks 021826)
- +20 lines added (commit: [ZT Assessment] Network Checks 021826)

πŸ“ Modified Documentation Files

+31 / -2 lines changed
Commit: Update based on feedback.
Changes:
Before:
1. In the Traffic Manager solution, add the application proxy regional URLs that were created for each app as an endpoint.
1. Configure the Traffic Manager's load balancing rules with a standard license.
1. To give your Traffic Manager a user-friendly URL, create a CNAME record that points the alternate URL to the Traffic Manager's endpoint.
1. With the `alternateUrl` property, configure the alternate URL on the [onPremisesPublishing resource type](/graph/api/resources/onpremisespublishing) of the app.
1. If you want the alternate URL to be maintained throughout the user session, call `onPremisesPublishing` and set the `useAlternateUrlForTranslationAndRedirect` flag to `true`.
 
## Sample application proxy configuration

After:

1. In the Traffic Manager solution, add the application proxy regional URLs that were created for each app as an endpoint.
1. Configure the Traffic Manager's load balancing rules with a standard license.
1. To give your Traffic Manager a user-friendly URL, create a CNAME record that points the alternate URL to the Traffic Manager's endpoint.
1. Configure the alternate URL on the app by using the Microsoft Graph API to update the `alternateUrl` property on the [onPremisesPublishing resource type](/graph/api/resources/onpremisespublishing). The `alternateUrl` property isn't available in the Microsoft Entra admin center and must be configured by using the Graph API. For more information, see [Update application](/graph/api/application-update).
 
The following example shows the request body for setting the `alternateUrl`:
 
```http
PATCH https://graph.microsoft.com/beta/applications/{id}
Content-Type: application/json
 
{
"onPremisesPublishing": {
"alternateUrl": "https://www.contoso.com"
}
}
```
 
> [!NOTE]
> The `onPremisesPublishing` property can't be updated in the same request as other application properties.
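Review bot: the Before text's fifth step, setting `useAlternateUrlForTranslationAndRedirect` to `true` on `onPremisesPublishing` so the alternate URL is kept for the whole session, has no counterpart in the After text; if that flag still exists, keep the step (presumably in the same PATCH body as `alternateUrl`, since the note only rules out combining `onPremisesPublishing` with other application properties), otherwise the commit should say why it was dropped. The `## Sample application proxy configuration` heading from the Before snippet also isn't visible after the new code sample; confirm it was moved rather than lost. The PATCH example targets the `/beta/` endpoint; if beta is required for `alternateUrl`, saying so in the sentence that introduces the example would save readers a failed v1.0 call.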
Modified by John Flores on Feb 18, 2026 3:17 PM
+19 / -1 lines changed
Commit: [ZT Assessment] Network Checks 021826
Changes:
Before:
### Internet Access forwarding profile is enabled
[!INCLUDE [25406](../includes/secure-recommendations/25406.md)]
 
### Global Secure Access web content filtering is enabled and configured
[!INCLUDE [25408](../includes/secure-recommendations/25408.md)]
 
### Microsoft 365 traffic is actively flowing through Global Secure Access
[!INCLUDE [25376](../includes/secure-recommendations/25376.md)]
 
### Private network connectors are active and healthy to maintain Zero Trust access to internal resources
[!INCLUDE [25391](../includes/secure-recommendations/25391.md)]
 
### Quick Access is bound to a Conditional Access policy
[!INCLUDE [25394](../includes/secure-recommendations/25394.md)]

After:

### Internet Access forwarding profile is enabled
[!INCLUDE [25406](../includes/secure-recommendations/25406.md)]
 
### Web content filtering policies are configured
[!INCLUDE [25408](../includes/secure-recommendations/25408.md)]
 
### Web content filtering uses category-based rules
[!INCLUDE [25409](../includes/secure-recommendations/25409.md)]
 
### Web content filtering policies are linked to security profiles
[!INCLUDE [25410](../includes/secure-recommendations/25410.md)]
 
### Web content filtering integrates with Conditional Access
[!INCLUDE [25407](../includes/secure-recommendations/25407.md)]
 
### TLS inspection is enabled and correctly configured for outbound traffic
[!INCLUDE [25411](../includes/secure-recommendations/25411.md)]
 
### Microsoft 365 traffic is actively flowing through Global Secure Access
[!INCLUDE [25376](../includes/secure-recommendations/25376.md)]
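Review bot: the Before snippet's two trailing sections, "Private network connectors are active and healthy..." (include 25391) and "Quick Access is bound to a Conditional Access policy" (include 25394), don't appear in the After snippet, while the summary reports only one removed line; confirm they were moved further down the page rather than dropped, since both checks are still listed in the license table updated by the same commit. The four new includes (25409, 25410, 25407, 25411) line up with the new files listed at the top of this report, but the heading "Global Secure Access web content filtering is enabled and configured" is renamed to "Web content filtering policies are configured", so any link pointing at the old anchor needs updating along with it.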
+7 / -7 lines changed
Commit: Update concept-fido2-compatibility.md
Changes:
Before:
title: Passkey (FIDO2) authentication matrix with Microsoft Entra ID
description: Web browser and native app support for FIDO2 passwordless authentication using Microsoft Entra ID.
ms.topic: reference
ms.date: 01/20/2026
ms.reviewer: kimhana
---
# Passkey (FIDO2) authentication matrix with Microsoft Entra ID
|----------------|----------|----------|----------|
| [Remote Desktop](/azure/virtual-desktop/compare-remote-desktop-clients) | ✅ | ✅ | ✅ |
| [Windows App](/windows-app/compare-platforms-features) | ✅ | ✅ | ✅ |
| Microsoft 365 Copilot (Office) | N/A | ✅ | ❌ |
| Word | ✅ | ✅ | ❌ |
| PowerPoint | ✅ | ✅ | ❌ |
| Excel | ✅ | ✅ | ❌ |
| OneNote | ✅ | ✅ | ❌ |
| Loop | N/A | ✅ | ❌ |
| OneDrive | ✅ | ✅ | ❌ |
| Outlook | ✅ | ✅ | ❌ |
| Teams | ✅ | ✅ | ❌ |

After:

title: Passkey (FIDO2) authentication matrix with Microsoft Entra ID
description: Web browser and native app support for FIDO2 passwordless authentication using Microsoft Entra ID.
ms.topic: reference
ms.date: 02/18/2026
ms.reviewer: kimhana
---
# Passkey (FIDO2) authentication matrix with Microsoft Entra ID
|----------------|----------|----------|----------|
| [Remote Desktop](/azure/virtual-desktop/compare-remote-desktop-clients) | ✅ | ✅ | ✅ |
| [Windows App](/windows-app/compare-platforms-features) | ✅ | ✅ | ✅ |
| Microsoft 365 Copilot (Office) | N/A | ✅ |✅ |
| Word | ✅ | ✅ | ✅ |
| PowerPoint | ✅ | ✅ | ✅ |
| Excel | ✅ | ✅ | ✅ |
| OneNote | ✅ | ✅ | ✅ |
| Loop | N/A | ✅ | ✅ |
| OneDrive | ✅ | ✅ | ❌ |
| Outlook | ✅ | ✅ | ❌ |
| Teams | ✅ | ✅ | ❌ |
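Review bot: the header row of the matrix is missing from both snippets (only the `|---|` separator row is shown), so the diff doesn't say which client column flipped from ❌ to ✅ for Microsoft 365 Copilot, Word, PowerPoint, Excel, OneNote and Loop while OneDrive, Outlook and Teams stay ❌; the commit message "Update concept-fido2-compatibility.md" doesn't say either, so a one-line description of which platform gained passkey support would help reviewers and the changelog. Minor: the Copilot row in the After text reads `| ✅ |✅ |`, with inconsistent spacing around the last cell.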
+6 / -6 lines changed
Commit: Changing to warning and updating text
Changes:
Before:
title: Security questions authentication method
description: Learn about using security questions in Microsoft Entra ID to help improve and secure sign-in events
ms.topic: concept-article
ms.date: 03/04/2025
ms.custom: sfi-image-nochange
# Customer intent: As an identity administrator, I want to understand how to use security questions in Microsoft Entra ID to improve and secure user sign-in events.
# Uses details from securing Entra include file entra-docs-pr\docs\includes\secure-recommendations\22072.md for important box.
 
Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR.
 
> [!IMPORTANT]
> Security Questions will be deprecated for Self‑Service Password Reset (SSPR) in March 2027. After that, users will not be able to use Security Questions to complete SSPR. [Learn more about setting up alternate authentication methods](tutorial-enable-sspr.md#select-authentication-methods-and-registration-options).
>
> Security questions should be eliminated from your authentication strategy because they introduce significant security vulnerabilities. Answers are frequently guessable, reused across sites, or discoverable through open-source intelligence (OSINT). Threat actors can enumerate or phish users to derive likely responses (family names, schools, locations), then trigger password reset flows to bypass stronger authentication methods. Once threat actors successfully reset a password—especially on accounts without multifactor authentication—they gain valid credentials, establish persistent sessions, register additional authentication methods, add forwarding rules, and exfiltrate sensitive data.
>
> While some organizations may have business reasons for continuing to use security questions, this practice is strongly discouraged due to the inherent security weaknesses of knowledge-based authentication.
 
When users register for SSPR, they're prompted to choose the authentication methods to use. If they choose to use security questions, they pick from a set of questions to prompt for and then provide their own answers.

After:

title: Security questions authentication method
description: Learn about using security questions in Microsoft Entra ID to help improve and secure sign-in events
ms.topic: concept-article
ms.date: 02/18/2026
ms.custom: sfi-image-nochange
# Customer intent: As an identity administrator, I want to understand how to use security questions in Microsoft Entra ID to improve and secure user sign-in events.
# Uses details from securing Entra include file entra-docs-pr\docs\includes\secure-recommendations\22072.md for important box.
 
Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR.
 
> [!WARNING]
> Security questions will be retired for Self‑Service Password Reset (SSPR) in March 2027. After that date, users will no longer be able to reset passwords using security questions. Ensure users are set up with [supported authentication methods](tutorial-enable-sspr.md#select-authentication-methods-and-registration-options) in the Authentication methods policy.
>
> This feature is being deprecated due to security risks and low reliability. Security questions are often guessable or susceptible to social engineering, increasing the risk of account takeover during SSPR. Stronger verification methods improve security and reduce reset failures and support escalations.
>
> Prepare in advance to avoid user lockouts, helpdesk escalations, and failed password reset experiences once enforcement begins in March 2027.
 
When users register for SSPR, they're prompted to choose the authentication methods to use. If they choose to use security questions, they pick from a set of questions to prompt for and then provide their own answers.
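Review bot: "Self‑Service Password Reset" in both the old IMPORTANT box and the new WARNING box appears to contain a Unicode non-breaking hyphen rather than an ASCII "-", which defeats text search and renders oddly in monospace fonts; normalise it while touching the line. Unchanged in both versions: "as verification method with SSPR" should be "as a verification method with SSPR". Replacing the OSINT/phishing detail with the shorter "guessable or susceptible to social engineering" is fine for a warning box, but "low reliability" is asserted without support; the next paragraph's "reduce reset failures and support escalations" is the justification, so tie the two together.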
 
+7 / -5 lines changed
Commit: Updates table based on feedback.
Changes:
Before:
 
### Platform behavior
 
| Platform/device state | Connection target | All Traffic support | Private Access only support | Notes |
|---|---|---:|---:|---|
| Windows | Always connects to the joined tenant. For non-joined tenants, user selects a tenant at first sign-in; remains connected to that tenant | From Microsoft Entra Joined and Hybrid joined device | From Microsoft Entra Registered device | For non-joined devices, multiple registrations allowed, no switching between registered tenants for now. Allows user to switch to a resource tenant using external user access(B2B collaboration). |
| macOS | User selects a tenant at first sign-in; remains connected to that tenant | Microsoft Entra Registered with and without device enrollment | ❌ | Applies to enrolled and unmanaged devices with Company Portal. |
| Android | User selects a tenant at first sign-in; remains connected to that tenant | Microsoft Entra Registered with and without device enrollment | ❌ | Applies to enrolled devices with Company Portal and unmanaged devices with Company portal and Authenticator app. |
 
### Summary
- ✅ Device join takes precedence on Windows.

After:

### Platform behavior
 
| Platform/device state | Connection target | Entra tunnel | M365 tunnel | Internet tunnel | Private tunnel | Notes |
|---|---|---|---|---|---|---|
| Windows Microsoft Entra Joined and Hybrid joined device | Client connects to the tenant to which device joined. | ✅ | ✅ | ✅ | ✅ | Cannot switch to a registered tenants for now. Allows user to switch to a resource tenant using external user access(B2B). |
| Windows Microsoft Entra Registered device | User selects a tenant at first sign-in; remains connected to that tenant. | ❌ | ❌ | ❌ | ✅ | Cannot switch to other registered tenants for now. Allows user to switch to a resource tenant using external user access(B2B). |
| MacOS Microsoft Entra Registered device with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Uses Company Portal to Entra register the device. |
| Android Microsoft Entra Registered with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal For unmanaged devices, entra registration can be done with Company portal and Authenticator app. |
| iOS Microsoft Entra Registered without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal For unmanaged devices are not supported as of now |
 
### Summary
- ✅ Device join takes precedence on Windows.
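Review bot: several Notes cells in the After table need copy fixes before this ships: row 1 "Cannot switch to a registered tenants" (singular/plural), rows 1 and 2 "external user access(B2B)" (missing space), row 3 "MacOS" (product spelling is "macOS") and "to Entra register the device", row 4 "Company Portal For unmanaged devices, entra registration" (missing period, lowercase product name), and the iOS row's "Applies to enrolled devices with Company Portal For unmanaged devices are not supported as of now" is two sentences run together and contradicts its own row heading, "Registered without device enrollment"; say plainly whether enrolled, unmanaged, or both are supported on iOS. Substantively, the split of the old single Windows row into Joined/Hybrid and Registered rows makes the ❌ on the Entra, M365 and Internet tunnels for registered Windows devices visible for the first time; a sentence above the table stating that limitation would help, since a reader skimming the old table would have assumed all tunnels worked.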
Modified by John Flores on Feb 18, 2026 3:17 PM
+5 / -6 lines changed
Commit: [ZT Assessment] Network Checks 021826
Changes:
Before:
---
title: Global Secure Access web content filtering is enabled and configured
ms.author: jayrusso
author: HULKsmashGithub
ms.service: entra-id
# risklevel: Medium
# userimpact: Medium
# implementationcost: Medium
---
Web Content Filtering in Microsoft Entra Internet Access helps organizations control access to websites based on web categories, domains, or URLs. It reduces exposure to malicious or inappropriate content. When you route traffic through Microsoft Entra Internet Access, filtering policies can block or allow entire categories like gambling or social media, or specific domains and URLs. This approach ensures safer browsing across all devices and locations.
 
Configuring these policies is critical for security and compliance. A secure configuration prevents phishing and malware risks, enforces corporate standards, and improves productivity by restricting nonbusiness sites. Web Content Filtering, combined with identity-aware Conditional Access, delivers dynamic, cloud-based protection that aligns with modern Zero Trust principles.
 
**Remediation action**
Implement granular internet access controls for your organization based on website categorization.
- [How to configure Global Secure Access web content filtering](/entra/global-secure-access/how-to-configure-web-content-filtering)

After:

---
title: Web content filtering policies are configured
ms.author: jayrusso
author: HULKsmashGithub
ms.service: entra-id
# risklevel: Medium
# userimpact: Medium
# implementationcost: Medium
# progression: 1 of 4 - Foundation (policies exist). See also: 25409 (categories), 25410 (enforcement), 25407 (CA integration)
---
Web content filtering policies are the foundation of internet access control in Global Secure Access. Without any configured policies, users have unrestricted access to all internet destinations, exposing the organization to malware, phishing sites, and inappropriate content. Create filtering policies to block dangerous website categories and establish baseline internet access controls.
 
**Remediation action**
 
- [Configure web content filtering policies](/entra/global-secure-access/how-to-configure-web-content-filtering)
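Review bot: the After version's **Remediation action** section keeps only the link and drops the instruction sentence ("Implement granular internet access controls for your organization based on website categorization"); keep a one-line action so the check is self-describing when the include is rendered on the assessment page. The body's claim that without any policies "users have unrestricted access to all internet destinations" is true only for traffic already routed through the Internet Access forwarding profile, which is the previous check (25406); a short "once traffic is forwarded" qualifier would avoid overstating it. The new `# progression` comment ("1 of 4", pointing to 25409, 25410, 25407) matches the checks added in this batch; since the `title` changed, confirm the heading and anchor in zero-trust-protect-networks.md (updated in the same commit) match it exactly.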
 
Modified by John Flores on Feb 18, 2026 3:17 PM
+8 / -2 lines changed
Commit: [ZT Assessment] Network Checks 021826
Changes:
Before:
|---|---|
| [Named locations are configured](zero-trust-protect-networks.md#named-locations-are-configured) | Microsoft Entra ID P1 |
| [Tenant restrictions v2 policy is configured](zero-trust-protect-networks.md#tenant-restrictions-v2-policy-is-configured) | Microsoft Entra ID P1 |
| [Internet Access forwarding profile is enabled](zero-trust-protect-networks.md#internet-access-forwarding-profile-is-enabled) | <!--Entra_Premium_Internet_Access--> Microsoft Entra Internet Access |
| [Global Secure Access web content filtering is enabled and configured](zero-trust-protect-networks.md#global-secure-access-web-content-filtering-is-enabled-and-configured) | <!--Entra_Premium_Internet_Access--> Microsoft Entra Internet Access |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Network traffic is routed through Global Secure Access for security policy enforcement](zero-trust-protect-networks.md#network-traffic-is-routed-through-global-secure-access-for-security-policy-enforcement) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment](zero-trust-protect-networks.md#traffic-forwarding-profiles-are-scoped-to-appropriate-users-and-groups-for-controlled-deployment) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Private network connectors are active and healthy to maintain Zero Trust access to internal resources](zero-trust-protect-networks.md#private-network-connectors-are-active-and-healthy-to-maintain-zero-trust-access-to-internal-resources) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Quick Access is bound to a Conditional Access policy](zero-trust-protect-networks.md#quick-access-is-bound-to-a-conditional-access-policy) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Entra Private Access Application segments are defined to enforce least-privilege access](zero-trust-protect-networks.md#entra-private-access-application-segments-are-defined-to-enforce-least-privilege-access) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access](zero-trust-protect-networks.md#domain-controller-rdp-access-is-protected-by-phishing-resistant-authentication-through-global-secure-access) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |

After:

|---|---|
| [Named locations are configured](zero-trust-protect-networks.md#named-locations-are-configured) | Microsoft Entra ID P1 |
| [Tenant restrictions v2 policy is configured](zero-trust-protect-networks.md#tenant-restrictions-v2-policy-is-configured) | Microsoft Entra ID P1 |
| [Internet Access forwarding profile is enabled](zero-trust-protect-networks.md#internet-access-forwarding-profile-is-enabled) | Microsoft Entra Internet Access |
| [Web content filtering policies are configured](zero-trust-protect-networks.md#web-content-filtering-policies-are-configured) | Microsoft Entra Internet Access |
| [Web content filtering uses category-based rules](zero-trust-protect-networks.md#web-content-filtering-uses-category-based-rules) | Microsoft Entra ID P1 |
| [Web content filtering policies are linked to security profiles](zero-trust-protect-networks.md#web-content-filtering-policies-are-linked-to-security-profiles) | Microsoft Entra ID P1 |
| [Web content filtering integrates with Conditional Access](zero-trust-protect-networks.md#web-content-filtering-integrates-with-conditional-access) | Microsoft Entra Internet Access |
| [TLS inspection is enabled and correctly configured for outbound traffic](zero-trust-protect-networks.md#tls-inspection-is-enabled-and-correctly-configured-for-outbound-traffic) | Microsoft Entra ID P1 |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Network traffic is routed through Global Secure Access for security policy enforcement](zero-trust-protect-networks.md#network-traffic-is-routed-through-global-secure-access-for-security-policy-enforcement) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment](zero-trust-protect-networks.md#traffic-forwarding-profiles-are-scoped-to-appropriate-users-and-groups-for-controlled-deployment) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Private network connectors are active and healthy to maintain Zero Trust access to internal resources](zero-trust-protect-networks.md#private-network-connectors-are-active-and-healthy-to-maintain-zero-trust-access-to-internal-resources) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Private DNS is configured for internal name resolution](zero-trust-protect-networks.md#private-dns-is-configured-for-internal-name-resolution) | Microsoft Entra Private Access |
| [Intelligent Local Access is enabled and configured](zero-trust-protect-networks.md#intelligent-local-access-is-enabled-and-configured) | <Microsoft Entra Private Access |
| [Quick Access is bound to a Conditional Access policy](zero-trust-protect-networks.md#quick-access-is-bound-to-a-conditional-access-policy) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Entra Private Access Application segments are defined to enforce least-privilege access](zero-trust-protect-networks.md#entra-private-access-application-segments-are-defined-to-enforce-least-privilege-access) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access](zero-trust-protect-networks.md#domain-controller-rdp-access-is-protected-by-phishing-resistant-authentication-through-global-secure-access) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
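Review bot: the "Intelligent Local Access is enabled and configured" row in the After table has a stray `<` before "Microsoft Entra Private Access", apparently left over from deleting an `<!--...-->` comment like the ones on the Before rows; it will render as literal text. Also check the license column for the new web-content-filtering rows: "policies are configured" and "integrates with Conditional Access" are mapped to Microsoft Entra Internet Access, while "uses category-based rules", "policies are linked to security profiles" and "TLS inspection is enabled and correctly configured for outbound traffic" are mapped to Microsoft Entra ID P1, which is inconsistent for checks that all depend on the same Internet Access feature set. The remaining rows and the two new Private Access rows (Private DNS, Intelligent Local Access) look right.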
+5 / -3 lines changed
Commit: Update external user access documentation with new Q&As
Changes:
Before:
**Q: Can I configure MFA on the resource tenant?**
A: Yes, you can configure MFA on the user and on the applications.
 
**Q: How does a external user access an on-premises resource in the resource tenant when the resource uses AD DS and Kerberos (such as a file share or a Kerberos-integrated application)?**
A: This scenario isn't supported. Microsoft Entra B2B collaboration doesn't provide Kerberos tickets, and Global Secure Access Private Access doesn't proxy Kerberos or support Kerberos Constrained Delegation (KCD). As a result, external users can't directly access on-premises resources requiring Kerberos (for example, SMB file shares or applications using Integrated Windows Authentication).
For web applications, the only supported method for B2B users to access Kerberos-backed on-premises apps is by publishing the app through **Application Proxy with KCD**. For more information, see [Configure single sign-on with Kerberos constrained delegation](../identity/app-proxy/how-to-configure-sso-with-kcd.md).
 
## Known limitations
- External user access doesn't support keeping the Internet Access, Microsoft 365, and Microsoft Entra tunnels to the home tenant.

After:

**Q: Can I configure MFA on the resource tenant?**
A: Yes, you can configure MFA on the user and on the applications.
 
**Q: Is tenant connection status is persisted on reboot?**
A: Yes, the client retains the tenant connection after a reboot. Additionally, if the user has selected Disable Private Access, the tunnel’s disabled state will persist across reboots
 
**Q: Is this feature supported from a windows Entra registered device(BYOD)?**
A: Yes, you can use a windows device which is registered to Entra for switching to resource tenant.
 
## Known limitations
- External user access doesn't support keeping the Internet Access, Microsoft 365, and Microsoft Entra tunnels to the home tenant.
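Review bot: the Before snippet's Kerberos/KCD Q&A (external users can't reach AD DS-backed on-premises resources through Private Access because B2B collaboration issues no Kerberos tickets and Private Access doesn't proxy Kerberos or support KCD; Application Proxy with KCD is the only supported route for web apps) is absent from the After snippet, and the commit message only mentions adding Q&As; if the removal is intentional, the "Known limitations" list should still state that Kerberos isn't proxied, because that is the scenario most likely to generate support cases. Copy fixes for the new Q&As: "Is tenant connection status is persisted" has a doubled "is"; the first answer lacks a final period; "windows" should be "Windows" and "device(BYOD)" needs a space; "registered to Entra" and "Entra registered" should use the product term "Microsoft Entra registered".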
+6 / -1 lines changed
Commit: Updates based on customer feedback.
Changes:
Before:
> **Test Connection** queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Microsoft Entra configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message.
 
1. If the attempt to connect to the application succeeds, then select **Create** to create the provisioning job.
1. If syncing only assigned users and groups (recommended), select the **Users and groups** tab. Then, assign the users or groups you want to sync.
1. Select **Attribute mapping** in the left panel. There are two selectable sets of [attribute mappings](customize-application-attributes.md): one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Microsoft Entra ID to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes.
 
> You can optionally disable syncing of group objects by disabling the "groups" mapping.
 
> [!div class="nextstepaction"]
> [Develop a sample SCIM endpoint](use-scim-to-build-users-and-groups-endpoints.md)
> [Automate user provisioning and deprovisioning to SaaS apps](user-provisioning.md)
> [Customize attribute mappings for user provisioning](customize-application-attributes.md)
> [Writing expressions for attribute mappings](functions-for-customizing-application-data.md)

After:

> **Test Connection** queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Microsoft Entra configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message.
 
1. If the attempt to connect to the application succeeds, then select **Create** to create the provisioning job.
1. If syncing only assigned users and groups (recommended), select the **Users and groups** tab. Then, assign the users or groups you want to sync. This step is required for provisioning to work when the scope is set to sync only assigned users and groups. If no users or groups are assigned, there's nothing to provision. For detailed instructions on how to assign users and groups, see [Assign users and groups to an application](~/identity/enterprise-apps/assign-user-or-group-access-portal.md).
 
> [!IMPORTANT]
> The Microsoft Entra provisioning service only provisions users and groups that are **assigned** to the application (when the scope is set to **Sync only assigned users and groups**). If you don't assign any users or groups, no provisioning occurs. Make sure to complete this step before you start provisioning.
 
1. Select **Attribute mapping** in the left panel. There are two selectable sets of [attribute mappings](customize-application-attributes.md): one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Microsoft Entra ID to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes.
 
> You can optionally disable syncing of group objects by disabling the "groups" mapping.
 
> [!div class="nextstepaction"]
> [Develop a sample SCIM endpoint](use-scim-to-build-users-and-groups-endpoints.md)
> [Assign users and groups to an application](~/identity/enterprise-apps/assign-user-or-group-access-portal.md)
> [Automate user provisioning and deprovisioning to SaaS apps](user-provisioning.md)
> [Customize attribute mappings for user provisioning](customize-application-attributes.md)
> [Writing expressions for attribute mappings](functions-for-customizing-application-data.md)
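Review bot: the new `> [!IMPORTANT]` block sits between the second and third numbered items at the left margin; in Markdown an unindented blockquote ends the list, so the following `1.` starts a new list and the attribute-mapping step renders as step 1 instead of step 3. Indent the note (and the blank lines around it) under the second item to keep the numbering. The step text and the note now make the same point three times (the step sentence, "If no users or groups are assigned, there's nothing to provision", and the note itself); one statement in the step plus the note is enough. The Test Connection paragraph above is unchanged context and still correct: a random GUID in the matching attribute should yield `200 OK` with an empty `ListResponse`.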
+0 / -5 lines changed
Commit: remove outdated IA limitations from known limitations doc
Changes:
Before:
- The platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
- The Global Secure Access client doesn't support IPv6. The client tunnels only IPv4 traffic and transfers IPv6 traffic directly to the network. To make sure that all traffic routes to Global Secure Access, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- UDP isn't supported on this platform yet.
- End-user notifications are in development.
- Transport Layer Security (TLS) inspection is in development.
- URL path-based filtering and URL categorization for HTTP and HTTPS traffic are in development.
- User-friendly end-user notifications are in development.
- URL path based filtering and URL categorization for HTTP and HTTPS traffic are in development.
- Traffic available for acquisition in the Microsoft traffic profile isn't available for acquisition in the Internet Access traffic profile.
 
## B2B guest access (preview) limitations

After:

- The platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
- The Global Secure Access client doesn't support IPv6. The client tunnels only IPv4 traffic and transfers IPv6 traffic directly to the network. To make sure that all traffic routes to Global Secure Access, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- UDP isn't supported on this platform yet.
- Traffic available for acquisition in the Microsoft traffic profile isn't available for acquisition in the Internet Access traffic profile.
 
## B2B guest access (preview) limitations
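Review bot: removing "Transport Layer Security (TLS) inspection is in development" and "URL path-based filtering and URL categorization for HTTP and HTTPS traffic are in development" implies both are now available; the same batch adds the Zero Trust check "TLS inspection is enabled and correctly configured for outbound traffic", so the two changes are consistent, but the feature pages those checks link to should state availability explicitly rather than leaving readers to infer it from a deleted limitation. Dropping the duplicated bullets in the Before text (end-user notifications and URL path-based filtering each appeared twice) is a welcome cleanup; the remaining IPv6, UDP and standard-ports limitations stay, which still matter for anyone relying on the client to capture all traffic.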
 
 
 
 
 
+2 / -2 lines changed
Commit: Update based on feedback.
Changes:
Before:
Write-Host " "
Write-Host "SSL Certificate details:"
Write-Host "Certificate SubjectName: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.SubjectName
Write-Host "Certificate Issuer: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Issuer
Write-Host "Certificate Thumbprint: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Thumbprint
Write-Host "Valid from: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssueDate
Write-Host "Valid to: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.ExpiryDate
$certs += " `r`nSSL Certificate details:`r`nCertificate SubjectName: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.SubjectName
$certs += "Certificate Issuer: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Issuer
$certs += "Certificate Thumbprint: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Thumbprint
$certs += "Valid from: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssueDate
$certs += "Valid to: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.ExpiryDate + "`r`n"

After:

Write-Host " "
Write-Host "SSL Certificate details:"
Write-Host "Certificate SubjectName: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.SubjectName
Write-Host "Certificate Issuer: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssuerName
Write-Host "Certificate Thumbprint: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Thumbprint
Write-Host "Valid from: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssueDate
Write-Host "Valid to: " $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.ExpiryDate
$certs += " `r`nSSL Certificate details:`r`nCertificate SubjectName: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.SubjectName
$certs += "Certificate Issuer: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssuerName
$certs += "Certificate Thumbprint: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Thumbprint
$certs += "Valid from: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.IssueDate
$certs += "Valid to: " + $aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.ExpiryDate + "`r`n"
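Review bot: the `.Issuer` to `.IssuerName` rename is applied consistently to both the `Write-Host` line and the `$certs +=` line, but because PowerShell returns `$null` for a misspelled property instead of erroring, the new name should be confirmed against an actual `VerifiedCustomDomainCertificatesMetadata` object, since a wrong name would silently print an empty issuer. The `$certs` accumulation also has a pre-existing formatting defect that this hunk leaves in place: the `Certificate Issuer`, `Certificate Thumbprint` and `Valid from` entries are appended without a line separator, so only `SubjectName` and `Valid to` land on their own lines and the rest run together; prefixing those three with `r`n (for example `$certs += "`r`nCertificate Issuer: " + ...`) would make the string match the console output.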
+3 / -0 lines changed
Commit: Updates based on customer confusion.
Changes:
Before
After
 
> [!IMPORTANT]
> Ensure that you're properly using a CNAME record that points to the *`msappproxy.net`* domain. Don't point records to IP addresses or server DNS names since they aren't static and might affect the resiliency of the service.
11. To check that the DNS record is configured correctly, use the [nslookup](https://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx) command to confirm that your external URL is reachable and the *`msappproxy.net`* domain appears as an alias.
 
 
 
 
 
> [!IMPORTANT]
> Ensure that you're properly using a CNAME record that points to the *`msappproxy.net`* domain. Don't point records to IP addresses or server DNS names since they aren't static and might affect the resiliency of the service.
 
> [!NOTE]
> The CNAME record you create in this step is for the application's external URL hostname (for example, `expenses.contoso.com`), which is different from the TXT record you created during domain verification in step 6 (for example, `contoso.com`). Because these records are on different DNS names, they don't conflict with each other or with [RFC 1912](https://www.ietf.org/rfc/rfc1912.txt), which prohibits a CNAME from coexisting with other record types at the same name.
11. To check that the DNS record is configured correctly, use the [nslookup](https://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx) command to confirm that your external URL is reachable and the *`msappproxy.net`* domain appears as an alias.
 
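Review bot: the new NOTE hardcodes the cross-reference "step 6", which goes stale as soon as the procedure is renumbered; referring to "the TXT record you created during domain verification" without the step number, or linking to that step's anchor, is more robust. In the unchanged step 11, `nslookup` confirms only that the external URL resolves and that the CNAME chain ends in `msappproxy.net`; it does not show that the URL is reachable, so "reachable" should read "resolves", with an HTTPS request suggested separately if reachability is the goal.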
+3 / -0 lines changed
Commit: Updates based on customer feedback to provide clarity.
Changes:
Before
After
 
## DNS updates
 
When using custom domains, create a DNS entry with a CNAME record for the external URL. For example, point `*.adventure-works.com` to the external URL of the application proxy endpoint. For wildcard applications, point the CNAME record to the relevant external URL: `<yourAADTenantId>.tenant.runtime.msappproxy.net`.
 
Alternatively, a dedicated DNS entry with a CNAME record for every individual application segment can be created as follows:
 
 
 
 
## DNS updates
 
> [!IMPORTANT]
> The CNAME instructions shown in the portal UI when editing an application segment might differ from the instructions in this section. For complex (wildcard) applications, always use the CNAME configuration described here, pointing to `tenant.runtime.msappproxy.net`, not the generic `.msappproxy.net` endpoint shown in the portal.
 
When using custom domains, create a DNS entry with a CNAME record for the external URL. For example, point `*.adventure-works.com` to the external URL of the application proxy endpoint. For wildcard applications, point the CNAME record to the relevant external URL: `<yourAADTenantId>.tenant.runtime.msappproxy.net`.
 
Alternatively, a dedicated DNS entry with a CNAME record for every individual application segment can be created as follows:
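Review bot: the new IMPORTANT callout names the CNAME target as `tenant.runtime.msappproxy.net`, while the paragraph that follows gives the full form `<yourAADTenantId>.tenant.runtime.msappproxy.net`; quote the full hostname in the callout so a reader does not create a CNAME to the bare suffix. It would also help to say how the generic `.msappproxy.net` instruction in the portal can be recognised (which field or pane shows it), so the reader knows exactly which guidance to disregard for wildcard applications.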
+1 / -1 lines changed
Commit: Fixes script based on customer feedback.
Changes:
Before
After
onPremisesPublishing = @{
verifiedCustomDomainKeyCredential = @{
type="X509CertAndPassword";
value = [convert]::ToBase64String((Get-Content $certPfxFilePath -Encoding byte));
};
verifiedCustomDomainPasswordCredential = @{
value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)) };
onPremisesPublishing = @{
verifiedCustomDomainKeyCredential = @{
type="X509CertAndPassword";
value = [convert]::ToBase64String([System.IO.File]::ReadAllBytes($certPfxFilePath));
};
verifiedCustomDomainPasswordCredential = @{
value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)) };
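Review bot: swapping `Get-Content $certPfxFilePath -Encoding byte` for `[System.IO.File]::ReadAllBytes($certPfxFilePath)` is the right fix, since `-Encoding byte` was removed in PowerShell 7 (replaced by `-AsByteStream`) and the .NET call works in both Windows PowerShell and PowerShell 7; the commit message should say that the script now runs on both. The unchanged `verifiedCustomDomainPasswordCredential` line still converts the SecureString to plain text through `SecureStringToBSTR` without ever releasing the BSTR, so the PFX password stays in unmanaged memory for the life of the process; capture the pointer, call `PtrToStringAuto` on it, and free it with `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR` in a `finally` block.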