MODIFIED docs/includes/secure-recommendations/25537.md

Modified by Jay on Feb 25, 2026 7:09 PM
📖 View on learn.microsoft.com

+7 / -7 lines changed

Commit: Update Azure network security docs & wording

Changes:

Before

After

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/24/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Firewall Standard
# sfipillar: Protect networks
# category: Azure Network Security
# risklevel: High
# userimpact: Low
# implementationcost: Low
---
Azure Firewall threat intelligence-based filtering alerts on and denies traffic to and from known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When threat intelligence isn't enabled in Alert and Deny mode, Azure Firewall doesn't actively block traffic to known malicious destinations.
 
Without threat intelligence enabled in Deny mode:
 
- Threat actors can communicate with known malicious infrastructure, enabling data exfiltration and command-and-control communication without active blocking.
- Organizations that use Alert-only mode can see threat activity in logs but can't prevent connections to known bad destinations.
- All firewall policy tiers remain exposed to threats that the Microsoft Threat Intelligence feed has already identified.

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/25/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Firewall Premium
# sfipillar: Protect networks
# category: Azure Network Security
# risklevel: High
# userimpact: Low
# implementationcost: Low
---
Azure Firewall threat intelligence-based filtering alerts on and denies traffic to and from known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When you don't enable threat intelligence in `Alert and deny` mode, Azure Firewall doesn't actively block traffic to known malicious destinations.
 
If you don't enable threat intelligence in `Alert and deny` mode:
 
- Threat actors can communicate with known malicious infrastructure, enabling data exfiltration and command-and-control communication without active blocking.
- Organizations that use `Alert only` mode can see threat activity in logs but can't prevent connections to known bad destinations.
- All firewall policy tiers remain exposed to threats that the Microsoft Threat Intelligence feed already identified.

MODIFIED docs/identity/hybrid/connect/reference-connect-health-version-history.md

Modified by omondiatieno on Feb 25, 2026 11:57 AM
📖 View on learn.microsoft.com

+9 / -2 lines changed

Commit: updates on the latest version and metadata

Changes:

Before

After

---
title: Microsoft Entra Connect Health Version History
description: This document describes the releases for Microsoft Entra Connect Health and what has been included in those releases.
author: zhiweiwangmsft
manager: mwongerapk
ms.assetid: 8dd4e998-747b-4c52-b8d3-3900fe77d88f
ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: reference
ms.date: 04/09/2025
ms.author: jomondi
ms.custom: sfi-ga-nochange
---
 
For feature feedback, vote at [Connect Health User Voice channel](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789)
 
## September 2025
**Agent Updates**
 

---
title: Microsoft Entra Connect Health Version History
description: This document describes the releases for Microsoft Entra Connect Health and what has been included in those releases.
author: omondiatieno
manager: mwongerapk
ms.assetid: 8dd4e998-747b-4c52-b8d3-3900fe77d88f
ms.service: entra-id
ms.subservice: hybrid-connect
ms.tgt_pltfrm: na
ms.topic: reference
ms.date: 02/25/2026
ms.author: jomondi
ms.custom: sfi-ga-nochange
---
 
For feature feedback, vote at [Connect Health User Voice channel](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789)
 
## February 2026
**Agent Updates**
 

MODIFIED docs/includes/secure-recommendations/25539.md

Modified by Jay on Feb 25, 2026 7:09 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Update Azure network security docs & wording

Changes:

Before

After

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/24/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Firewall Premium
# userimpact: Low
# implementationcost: Low
---
Azure Firewall Premium provides signature-based intrusion detection and prevention (IDPS) that identifies attacks by detecting specific patterns in network traffic, such as byte sequences and known malicious instruction sequences used by malware. IDPS applies to inbound, east-west (spoke-to-spoke), and outbound traffic across Layers 3-7. When IDPS isn't configured in Alert and Deny mode, Azure Firewall only logs detected threats without blocking them.
 
Without IDPS enabled in Deny mode:
 
- Threat actors can send traffic that matches known attack signatures without being blocked.
- Organizations running IDPS in Alert-only mode gain visibility into threats but can't prevent intrusion attempts from reaching their workloads.
- Lateral movement and exfiltration traffic that matches known attack signatures passes through the firewall without active intervention.
 
**Remediation action**
 

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/25/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Firewall Premium
# userimpact: Low
# implementationcost: Low
---
Azure Firewall Premium provides signature-based intrusion detection and prevention (IDPS) that identifies attacks by detecting specific patterns in network traffic, such as byte sequences and known malicious instruction sequences used by malware. IDPS applies to inbound, east-west (spoke-to-spoke), and outbound traffic across Layers 3-7. When IDPS isn't configured in `Alert and deny` mode, Azure Firewall only logs detected threats without blocking them.
 
Without IDPS enabled in `Alert and deny` mode:
 
- Threat actors can send traffic that matches known attack signatures without being blocked.
- Organizations running IDPS in `Alert only` mode gain visibility into threats but can't prevent intrusion attempts from reaching their workloads.
- Lateral movement and exfiltration traffic that matches known attack signatures passes through the firewall without active intervention.
 
**Remediation action**
 

MODIFIED docs/includes/secure-recommendations/25543.md

Modified by Jay on Feb 25, 2026 7:09 PM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Update Azure network security docs & wording

Changes:

Before

After

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/24/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Front Door Standard
Without WAF in Prevention mode:
 
- Threat actors can exploit web application vulnerabilities because matched requests are only logged, not blocked.
- Organizations lose active protection at the global edge that managed and custom WAF rules provide, which reduces WAF to an observability tool rather than a security control.
 
**Remediation action**
 
- [Configure WAF for Azure Front Door](/azure/web-application-firewall/afds/afds-overview) to switch the WAF policy mode from **Detection** to **Prevention**.
- [Configure WAF policy settings for Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode) to enable Prevention mode in the policy settings.

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/25/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Front Door Standard
Without WAF in Prevention mode:
 
- Threat actors can exploit web application vulnerabilities because matched requests are only logged, not blocked.
- Organizations lose active protection at the global edge that managed and custom WAF rules provide, which reduces WAF to an observation tool rather than a security control.
 
**Remediation action**
 
- [Configure WAF for Azure Front Door](/azure/web-application-firewall/afds/afds-overview) to switch the WAF policy from **Detection mode** to **Prevention mode**.
- [Configure WAF policy settings for Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode) to enable **Prevention mode** in the policy settings.

MODIFIED docs/includes/secure-recommendations/25541.md

Modified by Jay on Feb 25, 2026 7:09 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Update Azure network security docs & wording

Changes:

Before

After

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/24/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Application Gateway WAF_v2
 
**Remediation action**
 
- [Configure WAF on Azure Application Gateway](/azure/web-application-firewall/ag/ag-overview#waf-modes) to switch the WAF policy mode from **Detection** to **Prevention**.
- [Create and manage WAF policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag) to apply Prevention mode settings across all Application Gateway instances.

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 02/25/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Azure Application Gateway WAF_v2
 
**Remediation action**
 
- [Configure WAF on Azure Application Gateway](/azure/web-application-firewall/ag/ag-overview#waf-modes) to switch the WAF policy from **Detection mode** to **Prevention mode**.
- [Create and manage WAF policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag) to apply Prevention mode settings across all Application Gateway instances.

MODIFIED docs/identity/devices/manage-device-identities.md

Modified by emilykelsey on Feb 25, 2026 5:47 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Update docs/identity/devices/manage-device-identities.md

Changes:

Before

After

 
Additionally, columns can be managed by selecting **Manage view > Columns** to toggle which columns you would like to export.
 
>[!Note]
>Selecting "Owner" or "User principal name" will make processing take longer. If you prefer faster results, leave these options unchecked; enable them when you need the extra information.
 
## Configure device settings

 
Additionally, columns can be managed by selecting **Manage view > Columns** to toggle which columns you would like to export.
 
> [!NOTE]
>Selecting **Owner** or **User principal name** can make processing take longer. If you prefer faster results, leave these options unchecked; enable them when you need the extra information.
 
## Configure device settings

MODIFIED docs/identity/hybrid/connect/how-to-connect-install-prerequisites.md

Modified by omondiatieno on Feb 25, 2026 5:48 PM
📖 View on learn.microsoft.com

+2 / -1 lines changed

Commit: resolve issue of lost meaning in localization

Changes:

Before

After

 
#### Installation prerequisites
 
Microsoft Entra Connect must be installed on a domain-joined server that runs Windows Server 2025 or Windows Server 2022. You can deploy Microsoft Entra Connect on older Windows Server versions in extended support; however, support for this configuration may require [a paid support program](/lifecycle/policies/fixed#extended-support).
 
> [!IMPORTANT]
> There is a [known issue](/windows/release-health/resolved-issues-windows-server-2025#directory-synchronization-fails-for-ad-groups-exceeding-10-000-members) on Windows Server 2025 that can cause Microsoft Entra Connect Sync to encounter synchronization problems. If you upgraded to Windows Server 2025, make sure you have installed [October 20, 2025 - KB5070773](https://support.microsoft.com/topic/october-20-2025-kb5070773-os-build-26100-6901-out-of-band-f8effaa1-1c73-41e5-bcb3-e58a46c7601e) update, or later. After installing this update, restart the server for the changes to take effect.

 
#### Installation prerequisites
 
Microsoft Entra Connect must be installed on a domain-joined server.
We recommend using Windows Server 2025 or Windows Server 2022. You can also deploy Microsoft Entra Connect on older Windows Server versions that are in extended support; however, support for this configuration may require [a paid support program](/lifecycle/policies/fixed#extended-support).
 
> [!IMPORTANT]
> There is a [known issue](/windows/release-health/resolved-issues-windows-server-2025#directory-synchronization-fails-for-ad-groups-exceeding-10-000-members) on Windows Server 2025 that can cause Microsoft Entra Connect Sync to encounter synchronization problems. If you upgraded to Windows Server 2025, make sure you have installed [October 20, 2025 - KB5070773](https://support.microsoft.com/topic/october-20-2025-kb5070773-os-build-26100-6901-out-of-band-f8effaa1-1c73-41e5-bcb3-e58a46c7601e) update, or later. After installing this update, restart the server for the changes to take effect. 

MODIFIED docs/identity-platform/tutorial-web-app-node-sign-in-prepare-app.md

Modified by Kenga Derdus on Feb 25, 2026 11:48 AM
📖 View on learn.microsoft.com

+1 / -2 lines changed

Commit: update Metadata

Changes:

Before

After

ms.author: kengaderdus
ms.service: identity-platform
ms.topic: tutorial
ms.date: 01/03/2025
#Customer intent: As a developer, devops, I want to learn about how to build a Node.js/Express web app that signs in users into customer facing app by in an external tenant or employees in a workforce tenant by using Microsoft identity platform'
---
 
# Tutorial: Set up a Node.js web app to sign in users by using Microsoft identity platform

ms.author: kengaderdus
ms.service: identity-platform
ms.topic: tutorial
ms.date: 02/25/2025
---
 
# Tutorial: Set up a Node.js web app to sign in users by using Microsoft identity platform
 

MODIFIED docs/fundamentals/configure-security.md

Modified by Jay on Feb 25, 2026 7:09 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Update Azure network security docs & wording

Changes:

Before

After

| [Quick Access has user or group assignments](zero-trust-protect-networks.md#quick-access-has-user-or-group-assignments) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [All Private Access apps have user or group assignments](zero-trust-protect-networks.md#all-private-access-apps-have-user-or-group-assignments) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Outbound traffic from VNet integrated workloads is routed through Azure Firewall](zero-trust-protect-networks.md#outbound-traffic-from-vnet-integrated-workloads-is-routed-through-azure-firewall) | Azure Firewall Basic |
| [Threat intelligence is enabled in deny mode on Azure Firewall](zero-trust-protect-networks.md#threat-intelligence-is-enabled-in-deny-mode-on-azure-firewall) | Azure Firewall Standard |
| [IDPS inspection is enabled in deny mode on Azure Firewall](zero-trust-protect-networks.md#idps-inspection-is-enabled-in-deny-mode-on-azure-firewall) | Azure Firewall Premium |
| [Application Gateway WAF is enabled in prevention mode](zero-trust-protect-networks.md#application-gateway-waf-is-enabled-in-prevention-mode) | Azure Application Gateway WAF_v2 |
| [Azure Front Door WAF is enabled in prevention mode](zero-trust-protect-networks.md#azure-front-door-waf-is-enabled-in-prevention-mode) | Azure Front Door Standard |

| [Quick Access has user or group assignments](zero-trust-protect-networks.md#quick-access-has-user-or-group-assignments) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [All Private Access apps have user or group assignments](zero-trust-protect-networks.md#all-private-access-apps-have-user-or-group-assignments) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Outbound traffic from VNet integrated workloads is routed through Azure Firewall](zero-trust-protect-networks.md#outbound-traffic-from-vnet-integrated-workloads-is-routed-through-azure-firewall) | Azure Firewall Basic |
| [Threat intelligence is enabled in deny mode on Azure Firewall](zero-trust-protect-networks.md#threat-intelligence-is-enabled-in-deny-mode-on-azure-firewall) | Azure Firewall Premium |
| [IDPS inspection is enabled in deny mode on Azure Firewall](zero-trust-protect-networks.md#idps-inspection-is-enabled-in-deny-mode-on-azure-firewall) | Azure Firewall Premium |
| [Application Gateway WAF is enabled in prevention mode](zero-trust-protect-networks.md#application-gateway-waf-is-enabled-in-prevention-mode) | Azure Application Gateway WAF_v2 |
| [Azure Front Door WAF is enabled in prevention mode](zero-trust-protect-networks.md#azure-front-door-waf-is-enabled-in-prevention-mode) | Azure Front Door Standard |

MODIFIED docs/id-governance/microsoft-entra-id-governance-licensing-for-guest-users.md

Modified by Ortagus Winfrey on Feb 25, 2026 10:16 AM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: update date

Changes:

Before

After

description: Learn how Microsoft Entra ID is licensed for guest users.
ms.subservice: entitlement-management
ms.topic: reference
ms.date: 02/03/2026
ms.reviewer: jercon
---
 

description: Learn how Microsoft Entra ID is licensed for guest users.
ms.subservice: entitlement-management
ms.topic: reference
ms.date: 02/25/2026
ms.reviewer: jercon
---
 

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files