📋 Microsoft Entra Documentation Changes

 

This article shows you how to create and manage a catalog of resources and access packages in entitlement management. Catalogs are also used in [access reviews (preview)](catalog-access-reviews.md).

 

 

# Clear on-premises attributes from migrated Microsoft Entra ID users

 

 

However, you may encounter issues in Windows, Intune, and Outlook due to legacy values remaining in the user attributes that were previously synchronized from on-premises. For example, hybrid device joining may fail because the system pulls the username and domain from these outdated attributes.

 

 

## How to update these attributes

 

 

### Required roles

- [Windows PowerShell 7](/powershell/scripting/install/installing-powershell-on-windows)

- [Microsoft Graph SDK PowerShell module](/powershell/microsoftgraph/installation)

 

 

``` powershell

---

description: Frequently asked questions about the improved Conditional Access enforcement behavior for policies that target All resources with resource exclusions.

ms.topic: faq

ms.date: 04/14/2026

ai-usage: ai-assisted

---

 

 

This article answers frequently asked questions about the improved Conditional Access enforcement for policies that target **All resources** with resource exclusions.

 

 

### What is the upcoming Conditional Access behavior change for baseline scopes?

 

 

1. A user signs in through a **public client application** (for example, desktop apps such as Microsoft Teams desktop client) that requests only the baseline scopes (OIDC or directory). Examples:

- A user signs into Visual Studio Code desktop client, which requests `openid` and `profile` scopes.

- A user signs in using Azure CLI, which requests only `User.Read`.

 

1. Sign in to your [Leapsome Admin Console](https://www.Leapsome.com/app/#/login). Navigate to **Settings > Admin Settings**.

 

 

1. Navigate to **Integrations > SCIM User provisioning**.

 

 

1. Copy the **SCIM Authentication Token**. This value is entered in the Secret Token field in the Provisioning tab of your Leapsome application.

 

 

## Add Leapsome from the gallery

 

1. Browse to **Entra ID** > **Enterprise apps** > **New application**.

1. In the **Add from the gallery** section, type **Leapsome**, select **Leapsome** in the search box.

1. Select **Leapsome** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

 

 

### Automation account

 

 

For more details on Automation users and how to create one, see [this article](https://forum.jostle.us/hc/en-us/articles/360057364073).

 

1. Under **User data to/from other systems** select **Manage user provisioning** .If you don't see "Manage user provisioning" here and have verified that your account includes SSO/user provisioning, contact Support <[email protected]> to have this page enabled in your Admin Settings).

1. In the **User Provisioning API details** section, go to **Your Base URL** field, select the Copy button and save the URL somewhere you can easily access it later.

 

1. Next, select the **Add a new key**... button

1. On the following screen, go to the **Automation User** field and use the drop-down menu to select your Automation user account.

 

1. In the **Provisioning API key description** field give your key a name (such as `Azure`) and then select the **Add** button.

 

1. Once your key is generated, **make sure to copy it right away** and save it where you saved your URL (since it's the only time your key appears).

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).

---

description: Learn how to monitor and analyze Model Context Protocol (MCP) traffic between AI agents and remote MCP servers using the Global Secure Access Generative AI Insights page.

author: jenniferf-skc

ms.author: jfields

 

---

 

 

Global Secure Access [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) logging provides advanced monitoring and analysis capabilities for MCP traffic between client MCP on devices and remote MCP servers. This feature provides thorough visibility into which MCP servers are being used, what tools and resources they expose, and how those tools are invoked. MCP Logging helps you discover shadow MCP servers in your organization and enforce stronger security and governance controls on AI agent communications and helps in understanding what tool is exposed and what tools are used. MCP logging also monitors a client MCP that is used by the Copilot Studio agent and a remote MCP server in case you have enabled [GSA MCP integration for Copilot Studio agents](/power-platform/admin/security/secure-web-ai-gateway-agents#enable-network-controls-for-copilot-studio-agents).

 

MCP Logging uses deep packet inspection to identify MCP traffic based on the protocol itself, rather than a predefined cloud app catalog. This approach enables discovery of previously unknown or private MCP servers that employees might be using.

 

 

## Prerequisites

 

You can preview the improved enforcement behavior before the rollout begins:

 

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a [Conditional Access administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).

1. Choose **default target resource** (Windows Azure Active Directory).

1. Select **Save**.

 

 

### How can I preview the enforcement change ahead of the rollout?

 

 

### How can I retain the legacy behavior after the rollout?

 

 

## Overview

 

 

Previously, certain low-privilege scopes were automatically excluded from policy enforcement when a resource exclusion existed. With this change, those scopes are now evaluated as directory access and are subject to your Conditional Access policies.

 

 

## What is changing

 

 

- **Public client applications** (like desktop apps) that request only baseline scopes. For example, a user signs into Visual Studio Code desktop client, which requests `openid` and `profile` scopes, or Azure CLI, which requests only `User.Read`.

- **Confidential client applications** (like web apps) that are excluded from an All resources policy and request only baseline directory scopes. For example, a web application excluded from the policy that requests only `User.Read` and `People.Read`.

 

```python

Switch([StatusTerminationLastDayOfWork], 

"0", "False", 

"1", IIF(DateDiff("d", DateAdd("h","9",Now()),CDate(

    Switch([StatusTerminationLastDayOfWork],[StatusTerminationLastDayOfWork],

  Switch([Active], "False",

"0", "True", 

"1", IIF(DateDiff("d", DateAdd("h","9",Now()),CDate(

"","9999-12-31")

    )

  ) <= 0, "True", "False")

 

The issuer is an organization that creates an issuance solution requesting information from a user. The information is used to verify the user’s identity. For example, Woodgrove, Inc. has an issuance solution that enables them to create and distribute verifiable credentials (VCs) to all their employees. The employee uses the Authenticator app to sign in with their username and password, which passes an ID token to the issuing service. Once Woodgrove, Inc. validates the ID token submitted, the issuance solution creates a VC that includes claims about the employee and is signed with Woodgrove, Inc. DID. The employee now has an employer signed verifiable credential which includes the employee's DID as the subject DID.

 

### User

 

The user is the person or entity that is requesting a VC. For example, Alice is a new Woodgrove employee and was previously issued her proof of employment verifiable credential. When Alice needs to provide proof of employment to get a discount at Proseware, she can grant access to the credential in her Authenticator app by signing a verifiable presentation that proves Alice is the owner of the DID. Proseware is able to validate Woodgrove-issued credentials and Alice's verifiable credential ownership.

 

Conditional Access policies that target All resources with one or more resource exclusions, or policies that explicitly target Azure AD Graph, are enforced in user sign-in flows where the client application requests only these scopes. There is no change in behavior when an application requests any additional scope beyond those listed above.

 

 

> [!NOTE]

> The [Azure AD Graph retirement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/important-update-azure-ad-graph-retirement/4364990) does not affect the Azure AD Graph (Windows Azure Active Directory) resource registered in your tenant.

8. Leave the portal and open the provisioning agent installer, agree to the terms of service, and select **Install**.

9. Wait for the Microsoft Entra provisioning agent configuration wizard and then select **Next**.

10. In the **Select Extension** step, select **On-premises application provisioning** and then select **Next**.

12. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have at least the [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) role.

13. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.

 

| access package | A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which identities need to request access for themselves. |

| access request | A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting identity receives an access package assignment. |

| assignment | An assignment of an access package to an identity ensures the identity has all the resource roles of that access package. Access package assignments typically have a time limit before they expire. |

| catalog creator | A collection of identities who are authorized to create new catalogs. When a nonadministrator identity who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog. |

| connected organization | An external Microsoft Entra directory or domain that you have a relationship with. The identities from a connected organization can be specified in a policy as being allowed to request access. |

| policy | A set of rules that defines the access lifecycle, such as how identities get access, who can approve, and how long they have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies - one for employees to request access and a second for external identities to request access. |

 

 

> [!NOTE]

 

## Scenarios for Microsoft Entra role assignment using access packages

 

- Manage user lifecycle at scale. As your organization grows, the need for other resources to manage user lifecycle decreases.

- Reduce or remove manual tasks.

- Apply logic apps to extend workflows for more complex scenarios with your existing logic apps.

 

Those capabilities can help ensure a holistic experience by allowing you to remove other dependencies and applications to achieve the same result. You can then increase efficiency in new employee orientation and in removal of former employees from the system.

 

 

- [Create a custom workflow by using the Microsoft Entra admin center](tutorial-onboard-custom-workflow-portal.md)

- [Create a lifecycle workflow](create-lifecycle-workflow.md)