📋 Microsoft Entra Documentation Changes

Daily summary for changes since February 23rd 2026, 8:26 PM PST

Report generated on February 24th 2026, 8:26 PM PST

📊 Summary

Total Commits: 48
New Files: 0
Modified Files: 20
Deleted Files: 0
Contributors: 20

📝 Modified Documentation Files

Modified by Ortagus Winfrey on Feb 24, 2026 6:28 PM
+0 / -132 lines changed
Commit: February 2026 rollback
Changes:
Before
After
> Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
 
 
## February 2026
 
### General Availability - Expanded attribute support in Lifecycle Workflows attribute changes trigger
 
**Type:** New feature
**Service category:** Lifecycle Workflows
**Product capability:** Identity Governance
 
The Attribute Changes trigger in Lifecycle Workflows now supports additional attribute types, enabling broader detection of organizational changes. Previously, this trigger was limited to a set of core attributes. With this update, you can configure workflows to respond when any of the following attributes change:
 
- Custom security attributes
- Directory extension attributes
- EmployeeOrgData attributes
- On-premises attributes 1–15
 
This enhancement gives administrators greater flexibility to automate lifecycle processes for mover events based on custom or extended attributes, improving governance for complex organizational structures and hybrid environments. For more information, see: [Use Custom attribute triggers in lifecycle workflows](../id-governance/workflow-custom-triggers.md).
 
> Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
 
 
## January 2026
 
### General Availability - Ability to convert Source of Authority of synced on-premises AD users to cloud users is now available
 
 
 
 
 
 
 
 
 
 
 
 
 
 
+38 / -38 lines changed
Commit: Update how-to-hybrid-join-using-microsoft-entra-kerberos.md
Changes:
Before
After
author: nbeesett
ms.author: justinha
ms.reviewer: nbeesett
ms.date: 02/16/2026
ms.topic: how-to
ms.service: entra-id
ms.subservice: devices
1. Run the following command to check your service principal settings:
 
```powershell
\$drsSP = Get-EntraServicePrincipal -Filter "AppId eq '01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9'"
\$drsSP.ServicePrincipalNames
```
 
1. Check the displayed service principal names. If `adrs/enterpriseregistration.windows.net` isn't listed, run the following command to add it:
 
```powershell
\$spns = \[System.Collections.Generic.List\[string\]\]::new(\$drsSP.ServicePrincipalNames)
\$kerbSpn = "adrs/enterpriseregistration.windows.net"
\$spns.Add(\$kerbSpn)
author: nbeesett
ms.author: justinha
ms.reviewer: nbeesett
ms.date: 02/24/2026
ms.topic: how-to
ms.service: entra-id
ms.subservice: devices
1. Run the following command to check your service principal settings:
 
```powershell
$drsSP = Get-EntraServicePrincipal -Filter "AppId eq '01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9'"
$drsSP.ServicePrincipalNames
```
 
1. Check the displayed service principal names. If `adrs/enterpriseregistration.windows.net` isn't listed, run the following command to add it:
 
```powershell
$spns = [System.Collections.Generic.List[string]]::new($drsSP.ServicePrincipalNames)
$kerbSpn = "adrs/enterpriseregistration.windows.net"
$spns.Add($kerbSpn)
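
Review bot: in the add step, `$spns.Add($kerbSpn)` runs unconditionally, so the "isn't listed" check in the step text is left to the reader's eye. Consider guarding it with `if ($spns -notcontains $kerbSpn)` so that re-running the step can't append a duplicate entry, and state that `$drsSP` must still hold the result of the previous step in the same session.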
+16 / -23 lines changed
Commit: updating the provisioning docs
Changes:
Before
After
 
 
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to BIC Cloud Design so that I can streamline the user management process and ensure that users have the appropriate access to BIC Cloud Design.
 
![Provisioning tab](common/provisioning.png)
 
1. Set the **Provisioning Mode** to **Automatic**.
 
![Provisioning tab automatic](common/provisioning-automatic.png)
 
1. Under the **Admin Credentials** section, input your BIC Cloud Design Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to BIC Cloud Design. If the connection fails, ensure your BIC Cloud Design account has Admin permissions and try again.
 
![Token](common/provisioning-testconnection-tenanturltoken.png)
 
1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
 
 
ms.topic: how-to
ms.date: 02/24/2026
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to BIC Cloud Design so that I can streamline the user management process and ensure that users have the appropriate access to BIC Cloud Design.
 
![Provisioning tab](common/provisioning.png)
 
1. Set **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, input your BIC Cloud Design Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to BIC Cloud Design. If the connection fails, ensure your BIC Cloud Design account has the required admin permissions and try again.
 
![Screenshot of Provisioning test connection.](common/provisioning-test-connection.png)
 
1. Select **Create** to create your configuration.
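
Review bot: the first After step reads "Set **+ New configuration**"; a button is selected, not set, so this should be "Select **+ New configuration**". The following step also tells the reader to enter both the Tenant URL and the Secret Token "In the **Tenant URL** field"; name the Secret Token field separately so the token isn't pasted into a URL field.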
 
+15 / -23 lines changed
Commit: updating the provisioning docs
Changes:
Before
After
 
 
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Bentley - Automatic User Provisioning so that I can streamline the user management process and ensure that users have the appropriate access to Bentley - Automatic User Provisioning.
 
![Provisioning tab](common/provisioning.png)
 
4. Set the **Provisioning Mode** to **Automatic**.
 
![Provisioning tab automatic](common/provisioning-automatic.png)
 
5. Under the **Admin Credentials** section, input your Bentley - Automatic User Provisioning Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Bentley - Automatic User Provisioning. If the connection fails, ensure your Bentley - Automatic User Provisioning account has Admin permissions and try again.
 
![Token](common/provisioning-testconnection-tenanturltoken.png)
 
6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
 
 
ms.topic: how-to
ms.date: 02/24/2026
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Bentley - Automatic User Provisioning so that I can streamline the user management process and ensure that users have the appropriate access to Bentley - Automatic User Provisioning.
 
![Provisioning tab](common/provisioning.png)
 
1. Set **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, input your Bentley - Automatic User Provisioning Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Bentley - Automatic User Provisioning. If the connection fails, ensure your Bentley - Automatic User Provisioning account has the required admin permissions and try again.
 
![Screenshot of Provisioning test connection.](common/provisioning-test-connection.png)
 
1. Select **Create** to create your configuration.
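
Review bot: the **Notification Email** step and its **Send an email notification when a failure occurs** check box are dropped, and the After steps shown end at **Create** with nothing saying where provisioning failure notifications are configured in the new flow. If the setting moved, add a step or pointer for it; if it was removed, say so.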
 
+15 / -23 lines changed
Commit: updating the provisioning docs
Changes:
Before
After
ms.subservice: saas-apps
 
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Better Stack so that I can streamline the user management process and ensure that users have the appropriate access to Better Stack.
 
![Screenshot of Provisioning tab.](common/provisioning.png)
 
1. Set the **Provisioning Mode** to **Automatic**.
 
![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
 
1. Under the **Admin Credentials** section, input your Better Stack Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Better Stack. If the connection fails, ensure your Better Stack account has Admin permissions and try again.
 
![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
 
1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
ms.subservice: saas-apps
 
ms.topic: how-to
ms.date: 02/24/2026
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Better Stack so that I can streamline the user management process and ensure that users have the appropriate access to Better Stack.
 
![Screenshot of Provisioning tab.](common/provisioning.png)
 
1. Set **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, input your Better Stack Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Better Stack. If the connection fails, ensure your Better Stack account has the required admin permissions and try again.
 
![Screenshot of Provisioning test connection.](common/provisioning-test-connection.png)
 
1. Select **Create** to create your configuration.
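
Review bot: the image after the **+ New configuration** step now points to `common/application-provisioning.png`, but its alt text is still "Screenshot of Provisioning tab automatic.", which describes the removed **Provisioning Mode** / **Automatic** setting. Update the alt text to describe the new configuration screen.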
 
+14 / -22 lines changed
Commit: updating the provisioning docs
Changes:
Before
After
ms.service: entra-id
ms.subservice: saas-apps
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to BenQ IAM so that I can streamline the user management process and ensure that users have the appropriate access to BenQ IAM.
 
![Provision tab](common/provisioning.png)
 
4. Set the **Provisioning Mode** to **Automatic**.
 
![Provisioning tab](common/provisioning-automatic.png)
 
5. Under the **Admin Credentials** section, input your BenQ IAM Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to BenQ IAM. If the connection fails, ensure your BenQ IAM account has Admin permissions and try again.
 
![Token](common/provisioning-testconnection-tenanturltoken.png)
 
6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
ms.service: entra-id
ms.subservice: saas-apps
ms.topic: how-to
ms.date: 02/24/2026
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to BenQ IAM so that I can streamline the user management process and ensure that users have the appropriate access to BenQ IAM.
 
![Provision tab](common/provisioning.png)
 
1. Set **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, input your BenQ IAM Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to BenQ IAM. If the connection fails, ensure your BenQ IAM account has the required admin permissions and try again.
 
![Screenshot of Provisioning test connection.](common/provisioning-test-connection.png)
 
1. Select **Create** to create your configuration.
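
Review bot: `ms.custom: sfi-image-nochange` is carried over unchanged although two of the three image references in these steps were replaced (`provisioning-automatic.png` and `provisioning-testconnection-tenanturltoken.png` no longer appear). Confirm the tag still applies to this article after the image swap.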
 
Modified by Sudhakaran-S-micro on Feb 24, 2026 9:25 AM
+2 / -9 lines changed
Commit: Updated the content
Changes:
Before
After
![Screenshot of showing the endpoints on tab.](common/endpoints.png)
1. Navigate to **Authentication** tab on the left menu and perform the following steps:
1. In the **Redirect URIs** textbox, paste the **Relying Party Redirect URI** value, which you have copied from Lexmark Cloud Services (OIDC) side.
[![Screenshot of showing the redirect values.](common/redirect.png)](common/redirect.png#lightbox)
1. Select **Configure** button.
1. Navigate to **Certificates & secrets** on the left menu and perform the following steps:
1. Go to **Client secrets** tab and select **+New client secret**.
1. In the app's overview page, select **Users and groups**.
1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then select the **Select** button at the bottom of the screen.
1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, select the **Assign** button.
![Screenshot of showing the endpoints on tab.](common/endpoints.png)
1. Navigate to **Certificates & secrets** on the left menu and perform the following steps:
1. Go to **Client secrets** tab and select **+New client secret**.
1. In the app's overview page, select **Users and groups**.
1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then select the **Select** button at the bottom of the screen.
1. In the **Add Assignment** dialog, select the **Assign** button.
## Configure Lexmark Cloud Services (OIDC) SSO
> Once authentication configuration is completed, you will receive an email on configuration status. In case of configuration failure, contact your Lexmark representative.
 
9. The relying party redirect URIs for US and EU regions. (To be used in the Microsoft Entra Authentication Configuration)
- US region: `https://lexmarkb2c.b2clogin.com/lexmarkb2c.onmicrosoft.com/oauth2/authresp`
- EU region: `https://lexmarkb2ceu.b2clogin.com/lexmarkb2ceu.onmicrosoft.com/oauth2/authresp`
 
> [!NOTE]
> Select ID Tokens in Implicit grant and hybrid flows under Entra Authentication Configuration
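
Review bot: the After steps go from the endpoints screenshot straight to **Certificates & secrets**, so the **Authentication** / **Redirect URIs** step is gone, yet the text shown under "Configure Lexmark Cloud Services (OIDC) SSO" still lists the relying party redirect URIs as "To be used in the Microsoft Entra Authentication Configuration" and the note still says to select ID tokens there. Either keep a step that says where those values are entered, or update item 9 and the note to match the new flow.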
+5 / -5 lines changed
Commit: Clarify GSA proxy support: remove grpc_proxy, update connector docs
Changes:
Before
After
title: "Troubleshoot the Windows Global Secure Access client: Health check"
description: Troubleshoot the Global Secure Access client using the Health check tab in the Advanced diagnostics utility.
ms.topic: troubleshooting
ms.date: 02/21/2026
ms.author: jayrusso
author: HULKsmashGithub
ms.reviewer: lirazbarak
}
```
#### Add a system variable
Configure the Global Secure Access client to route Global Secure Access traffic through a proxy:
1. Set a system environment variable in Windows named `grpc_proxy` to the value of the proxy address. For example, `http://10.1.0.10:8080`.
1. Restart the Global Secure Access client.
 
### No Hyper-V external virtual switch detected
Hyper-V support:
title: "Troubleshoot the Windows Global Secure Access client: Health check"
description: Troubleshoot the Global Secure Access client using the Health check tab in the Advanced diagnostics utility.
ms.topic: troubleshooting
ms.date: 02/24/2026
ms.author: jayrusso
author: HULKsmashGithub
ms.reviewer: lirazbarak
}
```
#### Global Secure Access client and outbound proxies
 
> [!IMPORTANT]
> The Global Secure Access client doesn't support routing traffic through an outbound proxy. If the client is behind an outbound proxy, configure the PAC file exclusions as described previously to bypass the proxy for Global Secure Access traffic.
 
### No Hyper-V external virtual switch detected
Hyper-V support:
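
Review bot: the new IMPORTANT note says to configure PAC file exclusions "as described previously", which gives the reader no target; link to the PAC section by name. Because the removed steps told readers to set a `grpc_proxy` system environment variable, also state whether an existing `grpc_proxy` value should be removed, otherwise clients configured from the old text are left with an unsupported setting and no guidance.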
Modified by Sudhakaran-S-micro on Feb 24, 2026 11:20 AM
+4 / -4 lines changed
Commit: reworked on comments
Changes:
Before
After
 
If you want to configure the **SAML Authentication Provider** section with Metadata URL, then perform the following steps:
1. In the **SAML Authentication Provider** section, select **With Metadata URL**.
![Screenshot of with metadata URL authentication provider.](media/lexmark-oidc-tutorial/authentication-provider.png)
1. In the SAML Metadata URL (Required) field, paste the App Federation Metadata Url that you have previously copied and retained.
 
> [!Note]
> For more information on App Federation Metadata Url, see [Downloading certificates and copying URLs](https://support.lexmark.com/en_us/manuals-guides/online/Lexmark-Cloud-Platform/downloading-certificates-and-copying-urls-v5921516.html).
 
1. Click **Configure Authentication Provider**.
 
### Without Metadata URL
 
If you want to configure the SAML Authentication Provider section without Metadata URL, then perform the following steps:
1. In the SAML Authentication Provider section, select **Without Metadata URL**.
![Screenshot of single sign on settings without metadata URL.](media/lexmark-oidc-tutorial/single-sign-on-settings.png)
1. In the **Identity provider entity ID (Required)** field, depending on your location, type either of the following:
- For EU:
 
If you want to configure the **SAML Authentication Provider** section with Metadata URL, then perform the following steps:
1. In the **SAML Authentication Provider** section, select **With Metadata URL**.
![Screenshot of authentication provider with metadata URL option.](media/lexmark-oidc-tutorial/authentication-provider.png)
1. In the **SAML Metadata URL (Required)** field, paste the App Federation Metadata URL that you have previously copied and retained.
 
> [!Note]
> For more information on App Federation Metadata Url, see [Downloading certificates and copying URLs](https://support.lexmark.com/en_us/manuals-guides/online/Lexmark-Cloud-Platform/downloading-certificates-and-copying-urls-v5921516.html).
 
1. Select **Configure Authentication Provider**.
 
### Without Metadata URL
 
If you want to configure the SAML Authentication Provider section without Metadata URL, then perform the following steps:
1. In the **SAML Authentication Provider** section, select **Without Metadata URL**.
![Screenshot of single sign on settings without metadata URL.](media/lexmark-oidc-tutorial/single-sign-on-settings.png)
1. In the **Identity provider entity ID (Required)** field, depending on your location, type either of the following:
- For EU:
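
Review bot: the casing fix is only half applied. The step now says "App Federation Metadata URL", but the note directly below it still says "App Federation Metadata Url", and the intro sentence under "Without Metadata URL" leaves "SAML Authentication Provider" unbolded while the step beneath it bolds it. Make both consistent.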
+3 / -4 lines changed
Commit: Clarify GSA proxy support: remove grpc_proxy, update connector docs
Changes:
Before
After
author: HULKsmashGithub
ms.topic: reference
ms.author: jayrusso
ms.date: 11/07/2025
ms.custom: agent-id-ignite
 
 
           return "PROXY 10.1.0.10:8080";  // forward the connection to the proxy
}
```
If a direct internet connection isn't possible, configure the client to connect to the Global Secure Access service through a proxy. For example, set the `grpc_proxy` system variable to match the value of the proxy, such as `http://proxy:8080`.
 
To apply the configuration changes, restart the Global Secure Access client Windows services.
 
#### Packet injection
The client only tunnels traffic sent using sockets. It doesn't tunnel traffic injected to the network stack using a driver (for example, some of the traffic generated by Network Mapper (Nmap)). Injected packets go directly to the network.
author: HULKsmashGithub
ms.topic: reference
ms.author: jayrusso
ms.date: 02/24/2026
ms.custom: agent-id-ignite
 
 
           return "PROXY 10.1.0.10:8080";  // forward the connection to the proxy
}
```
> [!IMPORTANT]
> The Global Secure Access client doesn't support connecting through an outbound proxy. If the client is behind an outbound proxy, configure the PAC file exclusions as described previously to bypass the proxy for Global Secure Access traffic.
 
#### Packet injection
The client only tunnels traffic sent using sockets. It doesn't tunnel traffic injected to the network stack using a driver (for example, some of the traffic generated by Network Mapper (Nmap)). Injected packets go directly to the network.
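
Review bot: the sentence "To apply the configuration changes, restart the Global Secure Access client Windows services." is removed together with the `grpc_proxy` guidance, but it followed the PAC file example and may have covered PAC changes too. If a restart is still needed after changing PAC exclusions, keep that sentence next to the PAC example.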
 
Modified by Gearoid O'Donnell on Feb 24, 2026 5:03 PM
+4 / -2 lines changed
Commit: Adding custom validation caveat
Changes:
Before
After
 
You can set a custom regular expression for input validation by configuring the `validationRegEx` for the username attribute. This setting isn't currently available in the admin center UI, but you can configure it using Microsoft Graph. To set this value, use the [authenticationAttributeCollectionInputConfiguration](/graph/api/resources/authenticationattributecollectioninputconfiguration) resource type. For reference, see the example on [updating the page layout of a self-service sign up user flow](/graph/api/authenticationeventsflow-update#example-2-update-the-page-layout-of-a-self-service-sign-up-user-flow).
 
Note that there is no built-in validation for custom regular expressions, apart from ensuring they don’t match the format of an email address. Validation may fail at runtime if the provided value doesn’t match the regex or if the regex itself is invalid.
 
## Prefill or assign usernames
 
Like other attributes, you can customize signup by pre-filling username or assigning it after gathering other user information. To prefill the value, use a custom extension with the [onAttributeCollectionStart](../../identity-platform/custom-extension-onattributecollectionstart-retrieve-return-data.md) event, and configure how it is presented via Page Layout or [via Microsoft Graph](how-to-define-custom-attributes.md#configure-attribute-visibility-and-editability-with-microsoft-graph). If you need to assign, modify, or validate the username after collecting more details, use the [onAttributeCollectionSubmit](../../identity-platform/custom-extension-onattributecollectionsubmit-retrieve-return-data.md) event.
 
 
 
 
You can set a custom regular expression for input validation by configuring the `validationRegEx` for the username attribute. This setting isn't currently available in the admin center UI, but you can configure it using Microsoft Graph. To set this value, use the [authenticationAttributeCollectionInputConfiguration](/graph/api/resources/authenticationattributecollectioninputconfiguration) resource type. For reference, see the example on [updating the page layout of a self-service sign up user flow](/graph/api/authenticationeventsflow-update#example-2-update-the-page-layout-of-a-self-service-sign-up-user-flow).
 
Note that there is no built-in validation for custom regular expressions, apart from ensuring they don't match the format of an email address. Validation may fail at runtime if the provided value doesn't match the regex or if the regex itself is invalid.
 
Also, if you configure a custom regex for both the sign-up attribute validation (this step) and the sign-in identifier policy they must be compatible or authentication may fail. For example, a username that passes sign-up validation but doesn't match the sign-in identifier policy regex will cause authentication to fail at runtime.
 
## Prefill or assign usernames (preview)
 
Like other attributes, you can customize signup by pre-filling username or assigning it after gathering other user information. To prefill the value, use a custom extension with the [onAttributeCollectionStart](../../identity-platform/custom-extension-onattributecollectionstart-retrieve-return-data.md) event, and configure how it is presented via Page Layout or [via Microsoft Graph](how-to-define-custom-attributes.md#configure-attribute-visibility-and-editability-with-microsoft-graph). If you need to assign, modify, or validate the username after collecting more details, use the [onAttributeCollectionSubmit](../../identity-platform/custom-extension-onattributecollectionsubmit-retrieve-return-data.md) event.
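
Review bot: the added paragraph names "the sign-in identifier policy" without linking to where that regex is configured, so a reader can't compare the two patterns; add the link, and a comma after "policy" ("...the sign-in identifier policy, they must be compatible..."). The heading also gains "(preview)" although the commit message only mentions the validation caveat; confirm that change is intended.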
 
+2 / -3 lines changed
Commit: Fix duplicate Tenant URL instructions
Changes:
Before
After
5. Under the **Admin Credentials** section, input your GitHub Enterprise Managed User (OIDC) Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to GitHub Enterprise Managed User (OIDC). If the connection fails, ensure your GitHub Enterprise Managed User (OIDC) account has created the secret token as an enterprise owner and try again.
 
* For "Tenant URL", type the tenant URL you identified earlier.
 
For an enterprise called octo-corp on GitHub.com, the Tenant URL is `https://api.github.com/scim/v2/enterprises/octo-corp`.
For an enterprise called octo-corp on GHE.com, the Tenant URL is `https://api.octo-corp.ghe.com/scim/v2/enterprises/octo-corp`.
 
* For "Secret token", paste the GitHub personal access token that you created earlier.
5. Under the **Admin Credentials** section, input your GitHub Enterprise Managed User (OIDC) Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to GitHub Enterprise Managed User (OIDC). If the connection fails, ensure your GitHub Enterprise Managed User (OIDC) account has created the secret token as an enterprise owner and try again.
 
* For "Tenant URL", type the tenant URL you identified earlier.
- For an enterprise called octo-corp on GitHub.com, the Tenant URL is `https://api.github.com/scim/v2/enterprises/octo-corp`.
- For an enterprise called octo-corp on GHE.com, the Tenant URL is `https://api.octo-corp.ghe.com/scim/v2/enterprises/octo-corp`.
 
* For "Secret token", paste the GitHub personal access token that you created earlier.
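
Review bot: the two example URLs are now `-` items at the same indent as the `*` items around them, so they read as a separate top-level list rather than as examples under "Tenant URL". Indent them under the "Tenant URL" bullet and use one list marker throughout.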
 
Modified by Jeevan Desarda on Feb 24, 2026 9:08 PM
+3 / -1 lines changed
Commit: Updating the Salesforce app instructions to include OIDC V1 endpoint
Changes:
Before
After
* Manage your accounts in one central location.
 
> [!Note]
> We are aware that Salesforce will enforce the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy which will enforce MFA is configured to satisfy this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol.md#authnmethodreferences).
>
> For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions.md#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
 
 
 
* Manage your accounts in one central location.
 
> [!Note]
> We are aware that Salesforce has enforced the [device activation changes for Single Sign-On (SSO) Logins](https://help.salesforce.com/s/articleView?id=005237070&type=1) starting **February 3, 2026**. We have worked closely with the Salesforce team, and beginning February 3, Salesforce will start accepting the **authnmethodreferences** claim included by default in the SAML token issued by Entra ID. If the **authnmethodreferences** claim contains the value **multipleauthn**, Salesforce will treat the device as trusted. Please ensure that your Conditional Access policy which will enforce MFA is configured to satisfy this requirement. You can read more about this claim [here](~/identity-platform/single-sign-on-saml-protocol.md#authnmethodreferences).
>
> For customers using [OpenID Connect Authentication with Salesforce](https://help.salesforce.com/s/articleView?id=xcloud.sso_provider_microsoft_only.htm&type=5) or if you have configured Salesforce with [custom OpenID Connect provider](https://help.salesforce.com/s/articleView?id=xcloud.sso_provider_plugin_custom.htm&type=5) then please ensure that you are using Entra ID V1 endpoint only as the V1 endpoint can provide the AMR claim in the token to Salesforce. V2 endpoint support will come soon but till that time please use V1 endpoint only.
>
> For customers using AD FS as the federation provider with Entra ID, please follow the guidance published [here](~/identity/authentication/how-to-mfa-expected-inbound-assertions.md#using-saml-20-federated-idp) so that Entra ID will have this claim in the SAML token.
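
Review bot: the first sentence is now past tense ("has enforced") but the next still says "beginning February 3, Salesforce will start accepting", so the note mixes tenses for the same date. The new paragraph also says to use the "Entra ID V1 endpoint only" without naming or linking that endpoint, writes "AMR claim" where the rest of the note says **authnmethodreferences**, and "V2 endpoint support will come soon" gives no date; link the V1 endpoint reference, use one term for the claim, and drop or date the forward-looking statement.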
 
Modified by Jay on Feb 24, 2026 6:20 PM
+2 / -2 lines changed
Commit: Update doc date and link GDPR reference
Changes:
Before
After
author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/23/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: P1, Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Without adequate log retention:
 
- Security teams can't establish baseline behavior patterns, perform retrospective threat hunting, or correlate network access events across extended timeframes.
- Organizations subject to regulatory frameworks like GDPR, HIPAA, PCI DSS, and SOX face compliance violations when they're unable to produce audit trails for mandated retention periods.
- Root cause analysis during incident response is limited, potentially allowing threat actors to maintain persistence while organizations focus on visible symptoms.
 
**Remediation action**
author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/24/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: P1, Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Without adequate log retention:
 
- Security teams can't establish baseline behavior patterns, perform retrospective threat hunting, or correlate network access events across extended timeframes.
- Organizations subject to regulatory frameworks like [GDPR](/compliance/regulatory/gdpr), HIPAA, PCI DSS, and SOX face compliance violations when they're unable to produce audit trails for mandated retention periods.
- Root cause analysis during incident response is limited, potentially allowing threat actors to maintain persistence while organizations focus on visible symptoms.
 
**Remediation action**
Modified by Ortagus Winfrey on Feb 24, 2026 5:58 PM
+2 / -2 lines changed
Commit: preview removed
Changes:
Before
After
---
 
 
# Delegated workflow management (preview)
 
Workflows by default, unless specified during creation, are managed by users with either the Lifecycle Workflows, or Global, administrator roles. As workflows grow and change to meet the needs of members of your organization, so does the need to limit who can manage them. With delegated workflow management, you can scope management of workflows using [Administrative Units](../identity/role-based-access-control/administrative-units.md). When scoped, specific admins are only granted access to manage specific workflows. Scoping allows for greater security within your environment by following Microsoft's least privileged access guidelines by only giving access to specifically what's needed.
 
 
1. On the workflow overview page, select **Administration Scope**.
> [!TIP]
> You can also select the **Administration scope (Preview)** card on the overview page to get to the administration scope page.
1. On the administration scope page, select **Assign Administration scope**.
 
1. From the administration scope pane, you can see the list of all administrative units in your tenant.
---
 
 
# Delegated workflow management
 
Workflows by default, unless specified during creation, are managed by users with either the Lifecycle Workflows, or Global, administrator roles. As workflows grow and change to meet the needs of members of your organization, so does the need to limit who can manage them. With delegated workflow management, you can scope management of workflows using [Administrative Units](../identity/role-based-access-control/administrative-units.md). When scoped, specific admins are only granted access to manage specific workflows. Scoping allows for greater security within your environment by following Microsoft's least privileged access guidelines by only giving access to specifically what's needed.
 
 
1. On the workflow overview page, select **Administration Scope**.
> [!TIP]
> You can also select the **Administration scope** card on the overview page to get to the administration scope page.
1. On the administration scope page, select **Assign Administration scope**.
 
1. From the administration scope pane, you can see the list of all administrative units in your tenant.
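
Review bot: with "(Preview)" removed, the label casing in these steps is still inconsistent: the first step says **Administration Scope**, the tip says **Administration scope**, and the next step says **Assign Administration scope**. Match the portal's casing in all three.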