📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 10th 2026, 9:20 PM PDT

Report generated on March 11th 2026, 9:20 PM PDT

📊 Summary

- Total Commits: 71
- New Files: 5
- Modified Files: 35
- Deleted Files: 0
- Contributors: 16

🆕 New Documentation Files

+367 lines added
Commit: Create agent ID AI instructions document
+304 lines added
Commit: Added AI-guided setup doc
+46 lines added
Commit: Add includes 27003, 27004, 27014
+25 lines added
Commit: Add includes 27003, 27004, 27014
+24 lines added
Commit: Add includes 27003, 27004, 27014

📝 Modified Documentation Files

Modified by Arturo Lucatero on Mar 11, 2026 5:55 PM
+9 / -19 lines changed
Commit: Refine language in AI-guided setup documentation
Changes:
Before
After
author: arlucaID
ms.author: arluca
ms.date: 03/11/2026
ms.topic: how-to
ms.reviewer: rolyon
---
 
> [!IMPORTANT]
> [Microsoft Entra Agent ID](https://www.microsoft.com/security/business/identity-access/microsoft-entra-agent-id) is currently in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
The Agent ID [developer workflow](../identity-platform/index.md) involves multiple steps: creating an agent identity blueprint, configuring credentials, setting up identifier URIs and scopes, creating blueprint principals, and provisioning agent identities. Each step has its own prerequisites, validation checks, and decision points.
 
The AI-guided setup automates this entire workflow by using an AI coding agent (such as GitHub Copilot in VS Code) to execute the steps on your behalf. Instead of navigating between multiple documentation pages and running commands manually, you provide the AI agent with a single instruction file and it walks you through the process interactively.
 
## Benefits
 
### Required tools
 
- [Visual Studio Code](https://code.visualstudio.com/) with [GitHub Copilot](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot) and [GitHub Copilot Chat](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat) extensions installed. The AI-guided setup requires an AI coding agent with terminal access.
- [PowerShell 7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell) or later β€” Required for the Microsoft Graph PowerShell module.
author: arlucaID
ms.author: arluca
ms.date: 03/11/2026
ms.reviewer: rolyon
---
 
> [!IMPORTANT]
> [Microsoft Entra Agent ID](https://www.microsoft.com/security/business/identity-access/microsoft-entra-agent-id) is currently in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
Agent ID integration involves multiple steps: creating an agent identity blueprint, configuring credentials, setting up identifier URIs and scopes, creating blueprint principals, and provisioning agent identities. Each step has its own prerequisites, validation checks, and decision points.
 
This AI-guided setup automates this entire workflow by using an AI coding agent (such as GitHub Copilot in VS Code) to execute the steps on your behalf. Instead of navigating between multiple documentation pages and running commands manually, you provide the AI agent with a single instruction file and it walks you through the process interactively.
 
## Benefits
 
### Required tools
 
- [Visual Studio Code](https://code.visualstudio.com/) with [GitHub Copilot](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot) and [GitHub Copilot Chat](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat) extensions installed. The AI-guided setup requires an AI coding agent with terminal access.
- [PowerShell 7](https://learn.microsoft.com/powershell/scripting/install/installing-powershell) or later β€” Required for the Microsoft Graph PowerShell module.
- [Microsoft Graph PowerShell SDK (beta)](https://learn.microsoft.com/powershell/microsoftgraph/installation) β€” Install with `Install-Module Microsoft.Graph.Beta.Applications -Scope CurrentUser -Force`.
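
Review bot: The After front matter drops `ms.topic: how-to` (it goes from `ms.date` straight to `ms.reviewer`), while the commit is described as a language refinement; restore the line unless the topic type is meant to change. The intro also says the AI coding agent executes the steps "on your behalf" and needs terminal access, so a sentence telling the reader to review each command before approving it would fit near the Required tools list.
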
+12 / -12 lines changed
Commit: Acrolinx updates for agent-id-setup-instructions.md
Changes:
Before
After
 
## IMPORTANT: Read before executing
 
- Execute each step **sequentially** β€” do not skip ahead.
- **Always include `OData-Version: 4.0`** in any Microsoft Graph request that uses `@odata.type`.
- All Agent ID APIs are under the `/beta` endpoint β€” never use `/v1.0` for Agent ID operations.
- **Do not use Azure CLI tokens** (`az account get-access-token`) to call Agent ID APIs. Azure CLI tokens contain `Directory.AccessAsUser.All`, which is explicitly rejected by Agent ID APIs (403 Forbidden).
- After granting admin consent, permissions may take **30–120 seconds** to propagate. Implement retry with backoff on 403 errors.
 
### 1.3 Verify Entra roles
 
Ask the user which role they have:
- **Agent ID Developer** β€” can create blueprints and agent identities.
- **Agent ID Administrator** β€” full administrative access.
 
They also need **Privileged Role Administrator** if granting application permissions, or **Cloud Application Administrator** / **Application Administrator** for delegated permissions.
 
Connect-MgGraph -Scopes "AgentIdentityBlueprint.Create", "AgentIdentityBlueprint.AddRemoveCreds.All", "AgentIdentityBlueprint.ReadWrite.All", "AgentIdentityBlueprintPrincipal.Create", "User.Read"
```
 
 
## IMPORTANT: Read before executing
 
- Execute each step **sequentially** and don't skip ahead.
- **Always include `OData-Version: 4.0`** in any Microsoft Graph request that uses `@odata.type`.
- All Agent ID APIs are under the `/beta` endpoint. Never use `/v1.0` for Agent ID operations.
- **Do not use Azure CLI tokens** (`az account get-access-token`) to call Agent ID APIs. Azure CLI tokens contain `Directory.AccessAsUser.All`, which is explicitly rejected by Agent ID APIs (403 Forbidden).
- After granting admin consent, permissions may take **30–120 seconds** to propagate. Implement retry with backoff on 403 errors.
 
### 1.3 Verify Entra roles
 
Ask the user which role they have:
- **Agent ID Developer** can create blueprints and agent identities.
- **Agent ID Administrator** has full administrative access.
 
They also need **Privileged Role Administrator** if granting application permissions, or **Cloud Application Administrator** / **Application Administrator** for delegated permissions.
 
Connect-MgGraph -Scopes "AgentIdentityBlueprint.Create", "AgentIdentityBlueprint.AddRemoveCreds.All", "AgentIdentityBlueprint.ReadWrite.All", "AgentIdentityBlueprintPrincipal.Create", "User.Read"
```
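
Review bot: The last two bullets under "Read before executing" give a 403 two meanings: an Azure CLI token is rejected with 403 Forbidden, and a 403 after admin consent is to be retried with backoff. An agent following these instructions cannot tell the permanent rejection from the propagation delay, so bound the retry (for example, stop once the stated propagation window has passed) and have it check the token source before retrying. On style, "**Do not use Azure CLI tokens**" keeps the uncontracted form while the first bullet was changed to "don't skip ahead".
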
 
+11 / -11 lines changed
Commit: Editorial pass: Integrate SharePoint (SAML) with application proxy
Changes:
Before
After
---
title: Publish an on premises SharePoint farm with Microsoft Entra application proxy
description: Learn how to integrate an on premises SharePoint farm with Microsoft Entra application proxy using Security Assertion Markup Language (SAML).
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
 
# Integrate Microsoft Entra application proxy with SharePoint using Security Assertion Markup Language (SAML)
 
This step-by-step guide explains how to secure the access to the [Microsoft Entra integrated on premises SharePoint (SAML)](~/identity/saas-apps/sharepoint-on-premises-tutorial.md) using Microsoft Entra application proxy, where users in your organization (Microsoft Entra ID, B2B) connect to SharePoint through the Internet.
 
> [!NOTE]
> If you're new to Microsoft Entra application proxy and want to learn more, see [Remote access to on premises applications through Microsoft Entra application proxy](overview-what-is-app-proxy.md).
 
There are three primary advantages of this setup:
 
- Your users can access SharePoint sites as usual without using VPN.
- You can control the access by user assignment on the Microsoft Entra application proxy level and you can increase the security with Microsoft Entra features like Conditional Access and multifactor authentication (MFA).
---
title: Publish an on-premises SharePoint farm with Microsoft Entra application proxy
description: Learn how to integrate an on-premises SharePoint farm with Microsoft Entra application proxy using Security Assertion Markup Language (SAML).
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
 
# Integrate Microsoft Entra application proxy with SharePoint using Security Assertion Markup Language (SAML)
 
This step-by-step guide explains how to secure the access to the [Microsoft Entra integrated on-premises SharePoint (SAML)](~/identity/saas-apps/sharepoint-on-premises-tutorial.md) using Microsoft Entra application proxy, where users in your organization (Microsoft Entra ID, B2B) connect to SharePoint through the Internet.
 
> [!NOTE]
> If you're new to Microsoft Entra application proxy and want to learn more, see [Remote access to on-premises applications through Microsoft Entra application proxy](overview-what-is-app-proxy.md).
 
There are three primary advantages of this setup:
 
- Your users can access SharePoint sites as usual without using VPN.
- You can control the access by user assignment on the Microsoft Entra application proxy level and you can increase the security with Microsoft Entra features like Conditional Access and multifactor authentication (MFA).
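
Review bot: The intro sentence still reads "secure the access to" and the second bullet "control the access ... increase the security"; an editorial pass would normally drop the articles ("secure access to", "control access", "increase security"). "through the Internet" also keeps the capitalized form.
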
+5 / -10 lines changed
Commit: Convert layer headings to inline bold
Changes:
Before
After
---
The Global Secure Access Secure Web Gateway (SWG) implements defense-in-depth through five security layers that together create a comprehensive inspection chain for internet-bound traffic. Each layer serves a distinct protective function:
 
#### Layer 1: Context-aware network security
This layer routes internet traffic through the SWG and applies identity- and context-aware policy enforcement. Without this layer, traffic bypasses all downstream inspection.
 
#### Layer 2: Web content, threat intelligence filtering, and AI Gateway
This layer blocks access to malicious, inappropriate, or policy-violating destinations and governs interactions with generative AI services.
 
#### Layer 3: Content filtering and network DLP
This layer inspects file transfers and content payloads to prevent sensitive data exfiltration.
 
#### Layer 4: Cloud firewall
This layer applies network-level firewall rules that protect branch office internet traffic routed through remote networks.
 
#### Layer 5: Advanced threat protection
This layer uses TLS inspection to decrypt encrypted traffic so that you can scan payloads for malware, data exfiltration, and command-and-control communications.
 
When any layer is missing, threat actors can exploit the gap to download tools, exfiltrate data, or maintain persistent command-and-control channels.
 
---
The Global Secure Access Secure Web Gateway (SWG) implements defense-in-depth through five security layers that together create a comprehensive inspection chain for internet-bound traffic. Each layer serves a distinct protective function:
 
- **Layer 1: Context-aware network security** This layer routes internet traffic through the SWG and applies identity- and context-aware policy enforcement. Without this layer, traffic bypasses all downstream inspection.
 
- **Layer 2: Web content, threat intelligence filtering, and AI Gateway** This layer blocks access to malicious, inappropriate, or policy-violating destinations and governs interactions with generative AI services.
 
- **Layer 3: Content filtering and network DLP** This layer inspects file transfers and content payloads to prevent sensitive data exfiltration.
 
- **Layer 4: Cloud firewall** This layer applies network-level firewall rules that protect branch office internet traffic routed through remote networks.
 
- **Layer 5: Advanced threat protection** This layer uses TLS inspection to decrypt encrypted traffic so that you can scan payloads for malware, data exfiltration, and command-and-control communications.
 
When any layer is missing, threat actors can exploit the gap to download tools, exfiltrate data, or maintain persistent command-and-control channels.
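
Review bot: In each new bullet the bold label runs straight into the sentence with no punctuation or break, for example "**Layer 1: Context-aware network security** This layer routes internet traffic", so once rendered the label and the description read as one sentence. End the label with a colon or period, or drop the repeated "This layer" and let the description follow the label directly. The blank lines kept between the bullets also render as a loose list; remove them if a compact list is intended.
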
 
 
 
 
 
 
+6 / -6 lines changed
Commit: Editorial pass: Enable remote access to Power BI
Changes:
Before
After
---
title: Enable remote access to Power BI with Microsoft Entra application proxy
description: Covers the basics about how to integrate an on-premises Power BI with Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj
ms.custom: has-adal-ref
ai-usage: ai-assisted
 
- Deploy Reporting Services in your environment.
- Enable [Microsoft Entra application proxy](application-proxy-add-on-premises-application.md).
- When possible, use the same internal and external domains for Power BI. To learn more about custom domains, see [Working with custom domains in application proxy](how-to-configure-custom-domain.md).
 
## Step 1: Configure Kerberos Constrained Delegation (KCD)
 
For on-premises applications that use Windows authentication, you can achieve single sign-on (SSO) with the Kerberos authentication protocol and a feature called Kerberos constrained delegation (KCD). The private network connector uses KCD to obtain a Windows token for a user, even if the user isn't signed into Windows directly. To learn more about KCD, see [Kerberos Constrained Delegation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)) and [Kerberos Constrained Delegation for single sign-on to your apps with application proxy](how-to-configure-sso-with-kcd.md).
 
There isn’t much to configure on the Reporting Services side. A valid Service Principal Name (SPN) is required for proper Kerberos authentication to occur. Enable the Reporting Services server for `Negotiate` authentication.
 
### Configure the Service Principal Name (SPN)
---
title: Enable remote access to Power BI with Microsoft Entra application proxy
description: Learn how to integrate an on-premises Power BI with Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj
ms.custom: has-adal-ref
ai-usage: ai-assisted
 
- Deploy Reporting Services in your environment.
- Enable [Microsoft Entra application proxy](application-proxy-add-on-premises-application.md).
- When possible, use the same internal and external domains for Power BI. For more information about custom domains, see [Working with custom domains in application proxy](how-to-configure-custom-domain.md).
 
## Step 1: Configure Kerberos Constrained Delegation (KCD)
 
For on-premises applications that use Windows authentication, you can achieve single sign-on (SSO) with the Kerberos authentication protocol and a feature called Kerberos constrained delegation (KCD). The private network connector uses KCD to obtain a Windows token for a user, even if the user isn't signed into Windows directly. For more information about KCD, see [Kerberos Constrained Delegation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)) and [Kerberos Constrained Delegation for single sign-on to your apps with application proxy](how-to-configure-sso-with-kcd.md).
 
There isn’t much to configure on the Reporting Services side. A valid Service Principal Name (SPN) is required for proper Kerberos authentication to occur. Enable the Reporting Services server for `Negotiate` authentication.
 
### Configure the Service Principal Name (SPN)
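
Review bot: The Step 1 heading capitalizes "Kerberos Constrained Delegation (KCD)" while the paragraph under it uses "Kerberos constrained delegation (KCD)"; pick one casing. "There isn't much to configure on the Reporting Services side" is also left as is and could instead state what must be configured: a valid SPN and `Negotiate` authentication.
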
+9 / -0 lines changed
Commit: Add includes 27003, 27004, 27014
Changes:
Before
After
### TLS inspection certificates have a sufficient validity period
[!INCLUDE [27002](../includes/secure-recommendations/27002.md)]
 
### Threat intelligence filtering protects internet traffic
[!INCLUDE [25412](../includes/secure-recommendations/25412.md)]
 
### Global Secure Access cloud firewall protects branch office internet traffic
[!INCLUDE [25416](../includes/secure-recommendations/25416.md)]
 
### Microsoft 365 traffic is actively flowing through Global Secure Access
[!INCLUDE [25376](../includes/secure-recommendations/25376.md)]
 
 
 
 
 
 
 
 
 
### TLS inspection certificates have a sufficient validity period
[!INCLUDE [27002](../includes/secure-recommendations/27002.md)]
 
### TLS inspection failure rate is below 1%
[!INCLUDE [27003](../includes/secure-recommendations/27003.md)]
 
### TLS inspection custom bypass rules don't duplicate system bypass destinations
[!INCLUDE [27004](../includes/secure-recommendations/27004.md)]
 
### Threat intelligence filtering protects internet traffic
[!INCLUDE [25412](../includes/secure-recommendations/25412.md)]
 
### Global Secure Access cloud firewall protects branch office internet traffic
[!INCLUDE [25416](../includes/secure-recommendations/25416.md)]
 
### Internet traffic is inspected across all Secure Web Gateway defense layers
[!INCLUDE [27014](../includes/secure-recommendations/27014.md)]
 
### Microsoft 365 traffic is actively flowing through Global Secure Access
[!INCLUDE [25376](../includes/secure-recommendations/25376.md)]
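
Review bot: The new headings "TLS inspection failure rate is below 1%" and "TLS inspection custom bypass rules don't duplicate system bypass destinations" contain a percent sign and an apostrophe, and the license table changed under the same commit name links to sections by heading anchor (`zero-trust-protect-networks.md#...`). Check that the three new table rows use the anchors these headings actually generate. Include 27014 is also placed between 25416 and 25376 rather than next to 27003 and 27004; fine if the order is by topic, but worth confirming.
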
+4 / -4 lines changed
Commit: Editorial pass: Application Gateway WAF with application proxy
Changes:
Before
After
---
title: Using Application Gateway WAF to protect your application
description: How to add Web Application Firewall (WAF) protection for apps published with Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj, besilvei
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
# Using Application Gateway WAF to protect your applications
 
Add Web Application Firewall (WAF) protection for apps published with Microsoft Entra application proxy.
 
To learn more about Web Application Firewall, see [What is Azure Web Application Firewall on Azure Application Gateway?][waf-overview].
 
## Deployment steps
 
---
title: Use Application Gateway WAF to protect your application
description: How to add Web Application Firewall (WAF) protection for apps published with Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj, besilvei
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
# Use Application Gateway WAF to protect your applications
 
Add Web Application Firewall (WAF) protection for apps published with Microsoft Entra application proxy.
 
For more information about Web Application Firewall, see [What is Azure Web Application Firewall on Azure Application Gateway?][waf-overview].
 
## Deployment steps
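
Review bot: The `title` says "protect your application" (singular) and the H1 says "protect your applications" (plural); the rename from "Using" to "Use" touched both lines, so align them in the same change.
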
 
Modified by Ken Withee on Mar 11, 2026 3:26 PM
+4 / -4 lines changed
Commit: Editorial pass: Application proxy and Qlik Sense
Changes:
Before
After
---
title: Microsoft Entra application proxy and Qlik Sense
description: Integrate Microsoft Entra application proxy with Qlik Sense.
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj
ai-usage: ai-assisted
---
- **Internal URL**: This application should have an internal URL that is the Qlik Sense URL itself. For example, `https//demo.qlikemm.com:4244`.
- **Pre-authentication method**: Microsoft Entra ID (recommended but not required).
1. Select **Add** at the bottom of the page. Your application is added, and the quick start menu opens.
2. In the quick start menu, select **Assign a user for testing**, and add at least one user to the application. Make sure this test account has access to the on premises application.
3. Select **Assign** to save the test user assignment.
4. (Optional) On the app management page, select single sign-on. Choose **Kerberos Constrained Delegation** from the drop-down menu, and fill out the required fields based on your Qlik Sense configuration. Select **Save**.
 
Your application is now ready to test. Access the external URL you used to publish Qlik Sense in Application #1, and sign in as a user assigned to both applications.
 
## References
For more information about publishing Qlik Sense with application proxy, see following the Qlik Community Articles:
- [Microsoft Entra ID with integrated Windows authentication using a Kerberos Constrained Delegation with Qlik Sense](https://community.qlik.com/docs/DOC-20183)
---
title: Microsoft Entra application proxy and Qlik Sense
description: Integrate Microsoft Entra application proxy with Qlik Sense.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
---
- **Internal URL**: This application should have an internal URL that is the Qlik Sense URL itself. For example, `https//demo.qlikemm.com:4244`.
- **Pre-authentication method**: Microsoft Entra ID (recommended but not required).
1. Select **Add** at the bottom of the page. Your application is added, and the quick start menu opens.
2. In the quick start menu, select **Assign a user for testing**, and add at least one user to the application. Make sure this test account has access to the on-premises application.
3. Select **Assign** to save the test user assignment.
4. (Optional) On the app management page, select single sign-on. Choose **Kerberos Constrained Delegation** from the drop-down menu, and fill out the required fields based on your Qlik Sense configuration. Select **Save**.
 
Your application is now ready to test. Access the external URL you used to publish Qlik Sense in Application #1, and sign in as a user assigned to both applications.
 
## References
For more information about publishing Qlik Sense with application proxy, see the following Qlik Community Articles:
- [Microsoft Entra ID with integrated Windows authentication using a Kerberos Constrained Delegation with Qlik Sense](https://community.qlik.com/docs/DOC-20183)
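
Review bot: The Internal URL example `https//demo.qlikemm.com:4244` is missing the colon after the scheme in both versions; a reader who copies it gets an invalid URL, so change it to `https://demo.qlikemm.com:4244`. In the References sentence the word order is fixed, but "Qlik Community Articles" keeps the capital A.
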
+3 / -3 lines changed
Commit: Editorial pass: Publish Remote Desktop with application proxy
Changes:
Before
After
---
title: Publish Remote Desktop with Microsoft Entra application proxy
description: Covers how to configure application proxy with Remote Desktop Services (RDS)
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
- When publishing RD Web, use the same internal and external Fully Qualified Domain Name (FQDN) when possible. If the internal and external Fully Qualified Domain Names (FQDNs) are different, disable Request Header Translation to avoid the client receiving invalid links.
- If you're using the RD Web client, you *must* use the same internal and external FQDN. If the internal and external FQDNs are different, you encounter websocket errors when making a RemoteApp connection through the RD Web client.
- If you're using RD Web on Internet Explorer, you need to enable the RDS ActiveX add-on.
- If you're using the RD Web client, you'll need to use the application proxy [connector version 1.5.1975 or later](./application-proxy-release-version-history.md).
- For the Microsoft Entra pre authentication flow, users can only connect to resources published to them in the **RemoteApp and Desktops** pane. Users can't connect to a desktop using the **Connect to a remote PC** pane.
- If you're using Windows Server 2019, you need to disable HTTP2 protocol. For more information, see [Tutorial: Add an on-premises application for remote access through application proxy in Microsoft Entra ID](~/identity/app-proxy/application-proxy-add-on-premises-application.md).
 
---
title: Publish Remote Desktop with Microsoft Entra application proxy
description: Learn how to configure application proxy with Remote Desktop Services (RDS)
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
- When publishing RD Web, use the same internal and external Fully Qualified Domain Name (FQDN) when possible. If the internal and external Fully Qualified Domain Names (FQDNs) are different, disable Request Header Translation to avoid the client receiving invalid links.
- If you're using the RD Web client, you *must* use the same internal and external FQDN. If the internal and external FQDNs are different, you encounter websocket errors when making a RemoteApp connection through the RD Web client.
- If you're using RD Web on Internet Explorer, you need to enable the RDS ActiveX add-on.
- If you're using the RD Web client, you need to use the application proxy [connector version 1.5.1975 or later](./application-proxy-release-version-history.md).
- For the Microsoft Entra pre authentication flow, users can only connect to resources published to them in the **RemoteApp and Desktops** pane. Users can't connect to a desktop using the **Connect to a remote PC** pane.
- If you're using Windows Server 2019, you need to disable HTTP2 protocol. For more information, see [Tutorial: Add an on-premises application for remote access through application proxy in Microsoft Entra ID](~/identity/app-proxy/application-proxy-add-on-premises-application.md).
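
Review bot: The fifth bullet still says "Microsoft Entra pre authentication flow"; the NDES change in this same report uses "preauthentication", so use one spelling across the application proxy articles. The `description` lacks a closing period, and "disable HTTP2 protocol" would read better as "disable the HTTP/2 protocol".
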
 
+3 / -3 lines changed
Commit: Editorial pass: Header-based auth with PingAccess
Changes:
Before
After
---
title: Header based authentication with PingAccess for Microsoft Entra application proxy
description: Support header-based authentication with PingAccess and Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 05/01/2025
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
# Header based authentication for single sign-on with application proxy and PingAccess
 
Microsoft partnered with PingAccess to provide more access applications. PingAccess provides another option beyond integrated [header-based single sign-on](application-proxy-configure-single-sign-on-with-headers.md).
 
---
title: Header-based authentication with PingAccess for Microsoft Entra application proxy
description: Support header-based authentication with PingAccess and Microsoft Entra application proxy.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
# Header-based authentication for single sign-on with application proxy and PingAccess
 
Microsoft partnered with PingAccess to provide more access applications. PingAccess provides another option beyond integrated [header-based single sign-on](application-proxy-configure-single-sign-on-with-headers.md).
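
Review bot: The opening sentence "Microsoft partnered with PingAccess to provide more access applications" is unchanged and does not parse; say what the partnership provides (the next sentence suggests it is another single sign-on option beyond header-based SSO). Only the hyphenation of "Header-based" was fixed here.
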
 
Modified by barclayn on Mar 11, 2026 8:42 PM
+2 / -2 lines changed
Commit: Add cloud security groups to user restore permissions
Changes:
Before
After
title: Restore a deleted Microsoft 365 group or cloud security group
description: Learn how to restore a deleted group, view restorable groups, and permanently delete a group in Microsoft Entra ID.
ms.topic: quickstart
ms.date: 11/03/2025
ms.reviewer: krbain
ms.custom: it-pro, mode-other, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
--------- | ---------
Global Administrator, Group Administrator, Partner Tier 2 Support, and Intune Administrator | Can restore any deleted Microsoft 365 group or cloud security group
User Administrator and Partner Tier 1 Support | Can restore any deleted Microsoft 365 group or cloud security group except those groups assigned to the Global Administrator role
User | Can restore any deleted Microsoft 365 group that they own
 
>[!NOTE]
> Soft delete is available for Microsoft 365 groups with assigned membership, Microsoft 365 groups with dynamic membership, and cloud security groups.
title: Restore a deleted Microsoft 365 group or cloud security group
description: Learn how to restore a deleted group, view restorable groups, and permanently delete a group in Microsoft Entra ID.
ms.topic: quickstart
ms.date: 03/11/2026
ms.reviewer: krbain
ms.custom: it-pro, mode-other, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
--------- | ---------
Global Administrator, Group Administrator, Partner Tier 2 Support, and Intune Administrator | Can restore any deleted Microsoft 365 group or cloud security group
User Administrator and Partner Tier 1 Support | Can restore any deleted Microsoft 365 group or cloud security group except those groups assigned to the Global Administrator role
User | Can restore any deleted Microsoft 365 or cloud security group that they own
 
>[!NOTE]
> Soft delete is available for Microsoft 365 groups with assigned membership, Microsoft 365 groups with dynamic membership, and cloud security groups.
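
Review bot: The User row now reads "any deleted Microsoft 365 or cloud security group that they own", which drops the first "group" that the two rows above keep ("Microsoft 365 group or cloud security group"); use the same phrase in all three rows. Because this row widens what a non-admin owner is documented as able to restore, name the product change or source in the commit description so a reviewer can verify it.
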
+2 / -2 lines changed
Commit: Editorial pass: PowerShell samples and scripts (16 files)
Changes:
Before
After
title: PowerShell samples for Microsoft Entra application proxy
description: Use these PowerShell samples for Microsoft Entra application proxy to get information about application proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information.
ms.topic: sample
ms.date: 05/01/2025
ms.reviewer: ashishj
ai-usage: ai-assisted
---
|---|---|
|**Application proxy apps**||
| [List basic information for all application proxy apps](scripts/powershell-get-all-app-proxy-apps-basic.md) | Lists basic information (AppId, DisplayName, ObjId) about all the application proxy apps in your directory. |
| [List extended information for all application proxy apps](scripts/powershell-get-all-app-proxy-apps-extended.md) | Lists extended information (AppId, DisplayName, ExternalUrl, InternalUrl, ExternalAuthenticationType) about all the application proxy apps in your directory. |
| [List all application proxy apps by connector group](scripts/powershell-get-all-app-proxy-apps-by-connector-group.md) | Lists information about all the application proxy apps in your directory and which connector groups the apps are assigned to. |
| [Get all application proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all application proxy apps in your directory with a token lifetime policy and its details.|
|**Connector groups**||
title: PowerShell samples for Microsoft Entra application proxy
description: Use these PowerShell samples for Microsoft Entra application proxy to get information about application proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information.
ms.topic: sample
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
---
|---|---|
|**Application proxy apps**||
| [List basic information for all application proxy apps](scripts/powershell-get-all-app-proxy-apps-basic.md) | Lists basic information (AppId, DisplayName, ObjId) about all the application proxy apps in your directory. |
| [List extended information for all application proxy apps](scripts/powershell-get-all-app-proxy-apps-extended.md) | Lists extended information (AppId, DisplayName, ExternalUrl, InternalUrl, ExternalAuthenticationType) about all the application proxy apps in your directory. |
| [List all application proxy apps by connector group](scripts/powershell-get-all-app-proxy-apps-by-connector-group.md) | Lists information about all the application proxy apps in your directory and which connector groups the apps are assigned to. |
| [Get all application proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all application proxy apps in your directory with a token lifetime policy and its details.|
|**Connector groups**||
Modified by Ken Withee on Mar 11, 2026 3:01 PM
+2 / -2 lines changed
Commit: Editorial pass: Integrate NDES with application proxy
Changes:
Before
After
title: Use Microsoft Entra application proxy with a Network Device Enrollment Service (NDES) server
description: Learn how to use Microsoft Entra application proxy to protect your Network Device Enrollment Service (NDES).
ms.topic: how-to
ms.date: 05/01/2025
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
**Internal Url**: Enter the internal URL/FQDN of your NDES server on which you installed the connector.
 
**Pre Authentication**: Select **Passthrough**. It’s not possible to use any form of pre authentication. The protocol used for certificate requests, Simple Certificate Enrollment Protocol (SCEP), doesn't provide such option.
 
Copy the provided **External URL** to your clipboard.
1. Select **+Add** to save your application.
title: Use Microsoft Entra application proxy with a Network Device Enrollment Service (NDES) server
description: Learn how to use Microsoft Entra application proxy to protect your Network Device Enrollment Service (NDES).
ms.topic: how-to
ms.date: 03/11/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
**Internal Url**: Enter the internal URL/FQDN of your NDES server on which you installed the connector.
 
**Pre Authentication**: Select **Passthrough**. It’s not possible to use any form of preauthentication. The protocol used for certificate requests, Simple Certificate Enrollment Protocol (SCEP), doesn't provide such option.
 
Copy the provided **External URL** to your clipboard.
1. Select **+Add** to save your application.
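Review bot: The editorial pass leaves two inconsistencies in the **Pre Authentication** paragraph of the After text. The sentence ending "doesn't provide such option" is still missing its article ("such an option"). The body now spells the term "preauthentication" while the bold label keeps "Pre Authentication"; keep the label only if it mirrors the portal field name exactly, and say so. The same check applies to "Internal Url" against "External URL" a few lines apart. Because this step tells the reader to publish NDES with Passthrough, it is worth confirming in the same pass that the stated reason (SCEP offers no preauthentication option) is still the only justification the article gives.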
Modified by Jay on Mar 11, 2026 8:22 PM
📖 View on learn.microsoft.com
+3 / -0 lines changed
Commit: Add includes 27003, 27004, 27014
Changes:
Before
After
| [TLS inspection is enabled and correctly configured for outbound traffic](zero-trust-protect-networks.md#tls-inspection-is-enabled-and-correctly-configured-for-outbound-traffic) | Microsoft Entra ID P1 |
| [TLS inspection bypass rules are regularly reviewed](zero-trust-protect-networks.md#tls-inspection-bypass-rules-are-regularly-reviewed) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [TLS inspection certificates have a sufficient validity period](zero-trust-protect-networks.md#tls-inspection-certificates-have-a-sufficient-validity-period) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Threat intelligence filtering protects internet traffic](zero-trust-protect-networks.md#threat-intelligence-filtering-protects-internet-traffic) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [File transfer policies are configured to prevent data exfiltration](zero-trust-protect-networks.md#file-transfer-policies-are-configured-to-prevent-data-exfiltration) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [AI Gateway protects enterprise generative AI applications from prompt injection attacks](zero-trust-protect-networks.md#ai-gateway-protects-enterprise-generative-ai-applications-from-prompt-injection-attacks) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access cloud firewall protects branch office internet traffic](zero-trust-protect-networks.md#global-secure-access-cloud-firewall-protects-branch-office-internet-traffic) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
 
 
 
| [TLS inspection is enabled and correctly configured for outbound traffic](zero-trust-protect-networks.md#tls-inspection-is-enabled-and-correctly-configured-for-outbound-traffic) | Microsoft Entra ID P1 |
| [TLS inspection bypass rules are regularly reviewed](zero-trust-protect-networks.md#tls-inspection-bypass-rules-are-regularly-reviewed) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [TLS inspection certificates have a sufficient validity period](zero-trust-protect-networks.md#tls-inspection-certificates-have-a-sufficient-validity-period) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [TLS inspection failure rate is below 1%](zero-trust-protect-networks.md#tls-inspection-failure-rate-is-below-1) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [TLS inspection custom bypass rules don't duplicate system bypass destinations](zero-trust-protect-networks.md#tls-inspection-custom-bypass-rules-dont-duplicate-system-bypass-destinations) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Threat intelligence filtering protects internet traffic](zero-trust-protect-networks.md#threat-intelligence-filtering-protects-internet-traffic) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [File transfer policies are configured to prevent data exfiltration](zero-trust-protect-networks.md#file-transfer-policies-are-configured-to-prevent-data-exfiltration) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [AI Gateway protects enterprise generative AI applications from prompt injection attacks](zero-trust-protect-networks.md#ai-gateway-protects-enterprise-generative-ai-applications-from-prompt-injection-attacks) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access cloud firewall protects branch office internet traffic](zero-trust-protect-networks.md#global-secure-access-cloud-firewall-protects-branch-office-internet-traffic) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Internet traffic is inspected across all Secure Web Gateway defense layers](zero-trust-protect-networks.md#internet-traffic-is-inspected-across-all-secure-web-gateway-defense-layers) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Suite Add-on for Microsoft Entra ID P2 |
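Review bot: The three added rows link to anchors that depend on how punctuation in the heading is slugged, so each one needs to be checked against zero-trust-protect-networks.md before merge. "TLS inspection failure rate is below 1%" points to `#tls-inspection-failure-rate-is-below-1` (the percent sign is dropped) and "don't duplicate" points to `...-dont-duplicate-...` (the apostrophe is dropped). The commit message says the includes are added in the same change, so confirm that each include's heading text matches the link text here character for character; otherwise the table links resolve to the top of the page instead of the check. The license column for the new rows follows the neighbouring TLS inspection rows, which looks intentional.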
+2 / -1 lines changed
Commit: Editorial pass: PowerShell samples and scripts (16 files)
Changes:
Before
After
description: PowerShell example that assigns a group to a Microsoft Entra application proxy application.
ms.custom:
ms.topic: sample
ms.date: 05/01/2025
ms.reviewer: ashishj
---
 
# Assign a group to a specific Microsoft Entra application proxy application
 
description: PowerShell example that assigns a group to a Microsoft Entra application proxy application.
ms.custom:
ms.topic: sample
ms.date: 03/11/2026
ms.reviewer: ashishj
ai-usage: ai-assisted
---
 
# Assign a group to a specific Microsoft Entra application proxy application
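Review bot: The front matter in the After version still carries an empty `ms.custom:` key directly above `ms.topic: sample`. Since this pass already touches the metadata block (new `ms.date`, added `ai-usage: ai-assisted`), either remove the empty key or give it a value so that the 16 files in this commit do not ship a null metadata field. Nothing else in the visible lines changed, so the heading and description need no further comment.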