📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 22nd 2026, 10:15 PM PDT

Report generated on April 23rd 2026, 10:15 PM PDT

📊 Summary

Total commits: 100
New files: 0
Modified files: 55
Deleted files: 0
Contributors: 14

📝 Modified Documentation Files

+40 / -24 lines changed
Commit: Update Workday termination lookahead article to GA
Changes:
Before
After
#customer intent: As an IT admin, I want to understand how to enable the Workday Termination Lookahead query so I can leverage it for Workday-to-AD/Microsoft Entra ID provisioning.
---
 
# Configure Workday termination lookahead (Preview)
 
The Microsoft Entra Workday provisioning connector retrieves worker data using the Workday Integration System User (ISU) account via the `Get_Workers` SOAP API. However, the Workday ISU account always operates in the Pacific Time Zone (PT), causing delays in processing termination events for workers in time zones ahead of PT.
 
For example, let's say a Workday user in **Melbourne (UTC+10, +17 hours ahead of PDT in May)** is terminated with an effective termination date of **May 14, 2025, 11:59 PM Melbourne time**. Using the Workday ISU account, the Microsoft Entra Workday connector fetches the termination event in the provisioning cycle that runs after **May 14, 2025, 11:59 PM PDT**, which is **May 15, 2025, 4:59 PM Melbourne time**—a significant delay.
 
> [!NOTE]
> We make public previews available to our customers under the terms applicable to previews. These terms are outlined in the overall Microsoft product terms for [online services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
 
To mitigate this issue, the connector now includes a **24-hour termination lookahead query**. This query ensures termination-related attributes (`StatusTerminationLastDayOfWork`, `StatusTerminationDate`) appear in the connector feed when the termination day begins in PT. The exact processing time varies due to daylight saving time adjustments.
 
Examples of when termination details start appearing in the feed:
 
- **Melbourne (UTC+10, PDT+17)** → May 14, 2025, **5:00 PM Melbourne time**
 
For a user in Melbourne whose last working day is 14-May-2025, the connector starts including the attributes `StatusTerminationLastDayOfWork` and `StatusTerminationDate`, starting Melbourne time at 5:00pm on 14-May-2025, which corresponds to the 17-hour time difference between PDT and Melbourne time in May.
 
#customer intent: As an IT admin, I want to understand how to enable the Workday Termination Lookahead query so I can leverage it for Workday-to-AD/Microsoft Entra ID provisioning.
---
 
# Configure Workday termination lookahead
 
The Microsoft Entra Workday provisioning connector retrieves worker data using the Workday Integration System User (ISU) account via the `Get_Workers` SOAP API. However, the Workday ISU account always operates in the Pacific Time Zone (PT), causing delays in processing termination events for workers in time zones ahead of PT.
 
For example, let's say a Workday user in **Melbourne (UTC+10, +17 hours ahead of PDT in May)** is terminated with an effective termination date of **May 14, 2025, 11:59 PM Melbourne time**. Using the Workday ISU account, the Microsoft Entra Workday connector fetches the termination event in the provisioning cycle that runs after **May 14, 2025, 11:59 PM PDT**, which is **May 15, 2025, 4:59 PM Melbourne time**—a significant delay.
 
To mitigate this issue, the connector now includes a **24-hour termination lookahead query**. This query ensures termination-related attributes (`StatusTerminationLastDayOfWork`, `StatusTerminationDate`) appear in the connector feed when the termination day begins in UTC. The exact processing time varies due to daylight saving time adjustments.
 
Examples of when termination details start appearing in the feed:
 
- **Melbourne (AEST, UTC+10)** → May 14, 2025, **10:00 AM Melbourne time**
 
For a user in Melbourne whose last working day is 14-May-2025, the connector starts including the attributes `StatusTerminationLastDayOfWork` and `StatusTerminationDate`, starting Melbourne time at 10:00am on 14-May-2025, which corresponds to the 10-hour time difference between UTC and Melbourne time in May.
 
- **India (IST, UTC+5:30)** → May 14, 2025, **5:30 AM India time**
 
For a user in India whose last working day is 14-May-2025, the connector starts including the attributes `StatusTerminationLastDayOfWork` and `StatusTerminationDate`, starting India time 5:30am on 14-May-2025, which corresponds to the 5.5-hour time difference between UTC and Indian Standard time in May.
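Review bot: the After text keeps the opening statement that the ISU account always operates in Pacific Time but now says the lookahead attributes appear "when the termination day begins in UTC"; add a sentence stating that the 24-hour lookahead window is keyed to UTC independently of the ISU query's PT clock, otherwise readers who knew the earlier 5:00 PM Melbourne behavior cannot tell which timing to expect. Minor: "in May" is redundant for the IST 5.5-hour offset since India observes no daylight saving, and "Indian Standard time" should match the bullet's "India (IST, UTC+5:30)".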
+8 / -7 lines changed
Commit: Copy-edit OIDC and Entra ID federation articles
Changes:
Before
After
ms.topic: how-to
ms.date: 09/15/2025
ms.reviewer: brozbab
ms.custom: it-pro
 
#Customer intent: As a developer, devops, or it administrator, I want to learn how to add an OpenID Connect identity provider for my external tenant.
---
# Add OpenID Connect as an external identity provider
 
 
To federate users to your identity provider, first prepare your identity provider to accept federation requests from your external tenant. To do this preparation, add your redirect URIs and register your identity provider to be recognized.
 
Before moving to next step, add your redirect URIs as follows:
 
`https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2`
 
1. Enter the following details for your identity provider:
 
- **Display name**: The name of your identity provider that you display to your users during the sign-in and sign-up flows. For example, *Sign in with IdP name* or *Sign up with IdP name*.
- **Well-known endpoint** (also known as metadata URI) is the OIDC discovery URI to [obtain the configuration information](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) for your identity provider. The response to be retrieved from a well-known location is a JSON document, including its OAuth 2.0 endpoint locations. The metadata document should, at a minimum, contain the following properties: `issuer`, `authorization_endpoint`, `token_endpoint`, `token_endpoint_auth_methods_supported`, `response_types_supported`, `subject_types_supported`, and `jwks_uri`. See [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) specifications for more details.
ms.topic: how-to
ms.date: 09/15/2025
ms.reviewer: brozbab
ms.custom: it-pro, msecd-doc-authoring-1012
 
#customer intent: As a developer, devops, or it administrator, I want to learn how to add an OpenID Connect identity provider for my external tenant.
---
# Add OpenID Connect as an external identity provider
 
 
To federate users to your identity provider, first prepare your identity provider to accept federation requests from your external tenant. To do this preparation, add your redirect URIs and register your identity provider to be recognized.
 
Before moving to the next step, add your redirect URIs as follows:
 
`https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2`
 
1. Enter the following details for your identity provider:
 
- **Display name**: The name of your identity provider that you display to your users during the sign-in and sign-up flows. For example, *Sign in with IdP name* or *Sign up with IdP name*.
- **Well-known endpoint** (also known as metadata URI) is the OIDC discovery URI to [obtain the configuration information](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) for your identity provider. The response is a JSON document that includes OAuth 2.0 endpoint locations. At a minimum, the metadata document must contain the following properties: `issuer`, `authorization_endpoint`, `token_endpoint`, `token_endpoint_auth_methods_supported`, `response_types_supported`, `subject_types_supported`, and `jwks_uri`. For more details, see [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) specifications.
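Review bot: ms.date is unchanged at 09/15/2025 although the body text was edited; bump it as part of the copy-edit. In the Well-known endpoint bullet, "At a minimum, the metadata document must contain" now reads as a statement of the OpenID Connect Discovery spec, but `token_endpoint_auth_methods_supported` is optional in that spec (it defaults to `client_secret_basic`); word it as the minimum that Microsoft Entra External ID requires from the provider's metadata, and consider showing the `/.well-known/openid-configuration` form of the discovery URI next to the redirect URI pattern.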
Modified by Vimala Ranganathan on Apr 24, 2026 1:17 AM

+7 / -5 lines changed
Commit: Copy-edit OIDC and Entra ID federation articles
Changes:
Before
After
ms.date: 03/09/2026
ms.author: godonnell
author: garrodonnell
ms.custom: it-pro
ai-usage: ai-assisted
 
#Customer intent: As a developer, DevOps, or IT administrator, I want to learn how to add a Microsoft Entra ID tenant as an OpenID Connect identity provider in my external tenant.
---
# Add a Microsoft Entra ID tenant as an OpenID Connect identity provider (Preview)
 
 
## Test the user flow
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
1. Browse to **Entra ID** > **External Identities** > **User flows**.
1. Select the user flow you configured. At least one application with a redirect URI must be associated with this user flow.
- Workforce Conditional Access and MFA policies are enforced.
- The sign-in experience is a full redirect to the home tenant, rather than the mixed-branding experience associated with B2B guest sign-in.
 
**Do Microsoft Entra ID Conditional Access and MFA policies apply?**
ms.date: 03/09/2026
ms.author: godonnell
author: garrodonnell
ms.custom: it-pro, msecd-doc-authoring-1012
ai-usage: ai-assisted
 
#customer intent: As a developer, DevOps, or IT administrator, I want to learn how to add a Microsoft Entra ID tenant as an OpenID Connect identity provider in my external tenant.
---
# Add a Microsoft Entra ID tenant as an OpenID Connect identity provider (Preview)
 
 
## Test the user flow
 
To verify your federation setup, test the user flow:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
1. Browse to **Entra ID** > **External Identities** > **User flows**.
1. Select the user flow you configured. At least one application with a redirect URI must be associated with this user flow.
- Workforce Conditional Access and MFA policies are enforced.
- The sign-in experience is a full redirect to the home tenant, rather than the mixed-branding experience associated with B2B guest sign-in.
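Review bot: ms.date remains 03/09/2026 after this copy-edit; bump it. In the Test the user flow section, the two bullets after step 3 (Conditional Access and MFA enforcement; full redirect to the home tenant) follow a numbered step with no lead-in saying what they describe, so in this excerpt they read as sub-items of step 3. Add a sentence such as "When federation is working, you should see the following behavior:" before them, or keep them under the FAQ entry that the Before text shows beginning with "Do Microsoft Entra ID Conditional Access and MFA policies apply?".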
+5 / -5 lines changed
Commit: Update passkey links in authentication docs
Changes:
Before
After
- [Face Check with Microsoft Entra Verified ID pricing](~/verified-id/verified-id-pricing.md)
- [Microsoft Entra Plans and Pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing)
 
Some organizations might choose other methods than Microsoft Entra Verified ID to onboard users and issue them their first credential. Microsoft recommends those organizations still use TAPs, or another way that lets a user onboard without a password. For example, you can [provision FIDO2 security keys using Microsoft Graph API](how-to-enable-passkey-fido2.md#provision-fido2-security-keys-using-microsoft-graph-api-preview).
 
### Step 2: Bootstrap a portable credential
 
Admins and highly regulated users| FIDO2 security keys | Passkey for Microsoft Authenticator, Certificate-based authentication (Smart Card)|
Any other user | Synced passkey | FIDO2 security key, Passkeys for Microsoft Authenticator App|
 
The passkey authentication credential can be scoped to specific user groups using [passkey profiles](how-to-authentication-passkey-profiles.md). A passkey profile should be set up for each persona with the recommended portable credential selected.
 
Use the following guidance to enable recommended and alternative portable credentials for the relevant user personas for your organization:
 
Method | Guidance
-------|---------
FIDO2 security keys | <li>FIDO2 security keys must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-enable-passkey-fido2.md).<li>Consider registering keys on behalf of your users with the Microsoft Entra ID provisioning APIs. For more information, see [Provision FIDO2 security keys using Microsoft Graph API](how-to-enable-passkey-fido2.md#provision-fido2-security-keys-using-microsoft-graph-api-preview).
Synced passkey| <li>Synced passkeys must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-enable-passkey-fido2.md)</li><li>Users can use synced passkeys managed by Apple Keychain and Google cloud or 3rd party passkey managers</li>|
Passkey in Microsoft Authenticator | <li>Passkey in Microsoft Authenticator must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-enable-passkey-fido2.md)</li><li>Users sign in to Microsoft Authenticator App directly to bootstrap a passkey in the app.<li>Users can use their TAP to sign into Microsoft Authenticator directly on their iOS or Android device. [Register passkeys in Authenticator on Android or iOS devices](how-to-register-passkey-authenticator.md).
Smart card/certificate-based authentication (CBA) | <li>Certificate-based authentication is more complicated to configure than passkeys or other methods. Consider only using it if necessary.<li>[How to configure Microsoft Entra certificate-based authentication](how-to-certificate-based-authentication.md).<li>Make sure to configure your on-premises PKI and Microsoft Entra ID CBA policies so that users truly complete multifactor authentication to sign in. The configuration generally requires the smart card Policy Object Identifier (OID) and the necessary affinity binding settings. For more advanced CBA configurations, see [Understanding the authentication binding policy](concept-certificate-based-authentication-technical-deep-dive.md#authentication-binding-policy).
- [Face Check with Microsoft Entra Verified ID pricing](~/verified-id/verified-id-pricing.md)
- [Microsoft Entra Plans and Pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing)
 
Some organizations might choose other methods than Microsoft Entra Verified ID to onboard users and issue them their first credential. Microsoft recommends those organizations still use TAPs, or another way that lets a user onboard without a password. For example, you can [provision FIDO2 security keys using Microsoft Graph API](how-to-authentication-passkeys-fido2.md#provision-fido2-security-keys-using-microsoft-graph-api-preview).
 
### Step 2: Bootstrap a portable credential
 
Admins and highly regulated users| FIDO2 security keys | Passkey for Microsoft Authenticator, Certificate-based authentication (Smart Card)|
Any other user | Synced passkey | FIDO2 security key, Passkeys for Microsoft Authenticator App|
 
The passkey authentication credential can be scoped to specific user groups using [passkey profiles](how-to-authentication-passkeys-fido2.md). A passkey profile should be set up for each persona with the recommended portable credential selected.
 
Use the following guidance to enable recommended and alternative portable credentials for the relevant user personas for your organization:
 
Method | Guidance
-------|---------
FIDO2 security keys | <li>FIDO2 security keys must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-authentication-passkeys-fido2.md).<li>Consider registering keys on behalf of your users with the Microsoft Entra ID provisioning APIs. For more information, see [Provision FIDO2 security keys using Microsoft Graph API](how-to-authentication-passkeys-fido2.md#provision-fido2-security-keys-using-microsoft-graph-api-preview).
Synced passkey| <li>Synced passkeys must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-authentication-passkeys-fido2.md)</li><li>Users can use synced passkeys managed by Apple Keychain and Google cloud or 3rd party passkey managers</li>|
Passkey in Microsoft Authenticator | <li>Passkey in Microsoft Authenticator must be turned on in Microsoft Entra ID. You can [enable FIDO2 security keys in the Authentication methods policy](how-to-authentication-passkeys-fido2.md)</li><li>Users sign in to Microsoft Authenticator App directly to bootstrap a passkey in the app.<li>Users can use their TAP to sign into Microsoft Authenticator directly on their iOS or Android device. [Register passkeys in Authenticator on Android or iOS devices](how-to-register-passkey-authenticator.md).
Smart card/certificate-based authentication (CBA) | <li>Certificate-based authentication is more complicated to configure than passkeys or other methods. Consider only using it if necessary.<li>[How to configure Microsoft Entra certificate-based authentication](how-to-certificate-based-authentication.md).<li>Make sure to configure your on-premises PKI and Microsoft Entra ID CBA policies so that users truly complete multifactor authentication to sign in. The configuration generally requires the smart card Policy Object Identifier (OID) and the necessary affinity binding settings. For more advanced CBA configurations, see [Understanding the authentication binding policy](concept-certificate-based-authentication-technical-deep-dive.md#authentication-binding-policy).
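Review bot: in the Synced passkey and Passkey in Microsoft Authenticator rows the link text still reads "enable FIDO2 security keys in the Authentication methods policy" although the sentence is about enabling synced passkeys or Authenticator passkeys; now that all three rows point at the same how-to-authentication-passkeys-fido2.md, give each link text matching its method and, if the consolidated article has per-method sections, add the section anchor. The "scoped to specific user groups using [passkey profiles]" link likewise now lands at the top of the consolidated article rather than on passkey profiles. Style: the `<li>` markup in the Guidance column is unbalanced (some items close with `</li>`, most do not), the trailing `|` is inconsistent across rows, and "3rd party" should read "third-party".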
+4 / -4 lines changed
Commit: Update passkey links in authentication docs
Changes:
Before
After
- Users are **3x more successful signing-in with synced passkey than legacy authentication methods (95% vs 30%)**
- Synced passkeys in Microsoft Entra ID bring MFA simplicity at scale for all enterprise users. They're a convenient and low-cost alternative to traditional MFA options like SMS and authenticator apps.
 
For more information about how to deploy passkeys in your organization, see [How to enable synced passkeys](how-to-authentication-synced-passkeys.md).
 
**Attestation** verifies the authenticity of the passkey provider or device during registration. When enforced:
 
 
## Related content
 
- [Enable passkeys (FIDO2) in Microsoft Entra ID](how-to-enable-passkey-fido2.md)
- [Enable passkey profiles in Microsoft Entra ID](how-to-authentication-passkey-profiles.md)
- [Enable synced passkeys in Microsoft Entra ID](how-to-authentication-synced-passkeys.md)
- [Passkeys in Authenticator App](concept-authentication-authenticator-app.md#passkey-sign-in)
- [Attestation requirements](concept-fido2-hardware-vendor.md#attestation-requirements)
- Users are **3x more successful signing-in with synced passkey than legacy authentication methods (95% vs 30%)**
- Synced passkeys in Microsoft Entra ID bring MFA simplicity at scale for all enterprise users. They're a convenient and low-cost alternative to traditional MFA options like SMS and authenticator apps.
 
For more information about how to deploy passkeys in your organization, see [How to enable synced passkeys](how-to-authentication-passkeys-fido2.md).
 
**Attestation** verifies the authenticity of the passkey provider or device during registration. When enforced:
 
 
## Related content
 
- [Enable passkeys (FIDO2) in Microsoft Entra ID](how-to-authentication-passkeys-fido2.md)
- [Enable passkey profiles in Microsoft Entra ID](how-to-authentication-passkeys-fido2.md)
- [Enable synced passkeys in Microsoft Entra ID](how-to-authentication-passkeys-fido2.md)
- [Passkeys in Authenticator App](concept-authentication-authenticator-app.md#passkey-sign-in)
- [Attestation requirements](concept-fido2-hardware-vendor.md#attestation-requirements)
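Review bot: Related content now lists three entries, "Enable passkeys (FIDO2)", "Enable passkey profiles" and "Enable synced passkeys", that all link to how-to-authentication-passkeys-fido2.md; either collapse them into one entry or add section anchors for passkey profiles and synced passkeys so each link lands on its topic. The same applies to the in-text link "How to enable synced passkeys", whose text promises a synced-passkey article but opens the consolidated one.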
Modified by Justinha on Apr 23, 2026 5:09 PM
+4 / -4 lines changed
Commit: Consolidate passkey FAQs into single topic
Changes:
Before
After
- [Account recovery cost savings estimator](../identity/authentication/how-to-account-recovery-cost-savings-estimator.md) (New)
- [Enable account recovery](../identity/authentication/how-to-account-recovery-enable.md) (New)
- [Account recovery for users](../identity/authentication/how-to-account-recovery-for-users.md) (New)
- [Passkey profiles](../identity/authentication/how-to-authentication-passkey-profiles.md) (New)
- [Synced passkeys](../identity/authentication/how-to-authentication-synced-passkeys.md) (New)
- [Self-service account recovery](../identity/authentication/self-service-account-recovery.yml) (New)
- [Synced passkey FAQ](../identity/authentication/synced-passkey-faq.yml) (New)
- [Microsoft Authenticator app](../identity/authentication/concept-authentication-authenticator-app.md) (Updated)
- [Manage authentication methods](../identity/authentication/concept-authentication-methods-manage.md) (Updated)
- [Authentication methods](../identity/authentication/overview-authentication.md) (Updated)
- [Phone authentication options](../identity/authentication/concept-authentication-phone-options.md) (Updated)
- [FIDO2 hardware vendor considerations](../identity/authentication/concept-fido2-hardware-vendor.md) (Updated)
- [Deploy phishing-resistant passwordless authentication](../identity/authentication/how-to-deploy-phishing-resistant-passwordless-authentication.md) (Updated)
- [Enable passkey (FIDO2)](../identity/authentication/how-to-enable-passkey-fido2.md) (Updated)
- [Plan persona-based phishing-resistant passwordless authentication](../identity/authentication/how-to-plan-persona-phishing-resistant-passwordless-authentication.md) (Updated)
- [Plan prerequisites for phishing-resistant passwordless authentication](../identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication.md) (Updated)
- [Register passkey with security key](../identity/authentication/how-to-register-passkey-with-security-key.md) (Updated)
- [Account recovery cost savings estimator](../identity/authentication/how-to-account-recovery-cost-savings-estimator.md) (New)
- [Enable account recovery](../identity/authentication/how-to-account-recovery-enable.md) (New)
- [Account recovery for users](../identity/authentication/how-to-account-recovery-for-users.md) (New)
- [Passkey profiles](../identity/authentication/how-to-authentication-passkeys-fido2.md) (New)
- [Synced passkeys](../identity/authentication/how-to-authentication-passkeys-fido2.md) (New)
- [Self-service account recovery](../identity/authentication/self-service-account-recovery.yml) (New)
- [Passkey FAQ](../identity/authentication/passkey-faq.yml) (New)
- [Microsoft Authenticator app](../identity/authentication/concept-authentication-authenticator-app.md) (Updated)
- [Manage authentication methods](../identity/authentication/concept-authentication-methods-manage.md) (Updated)
- [Authentication methods](../identity/authentication/overview-authentication.md) (Updated)
- [Phone authentication options](../identity/authentication/concept-authentication-phone-options.md) (Updated)
- [FIDO2 hardware vendor considerations](../identity/authentication/concept-fido2-hardware-vendor.md) (Updated)
- [Deploy phishing-resistant passwordless authentication](../identity/authentication/how-to-deploy-phishing-resistant-passwordless-authentication.md) (Updated)
- [Enable passkey (FIDO2)](../identity/authentication/how-to-authentication-passkeys-fido2.md) (Updated)
- [Plan persona-based phishing-resistant passwordless authentication](../identity/authentication/how-to-plan-persona-phishing-resistant-passwordless-authentication.md) (Updated)
- [Plan prerequisites for phishing-resistant passwordless authentication](../identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication.md) (Updated)
- [Register passkey with security key](../identity/authentication/how-to-register-passkey-with-security-key.md) (Updated)
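Review bot: in the what's-new list, "Passkey profiles (New)" and "Synced passkeys (New)" now point at how-to-authentication-passkeys-fido2.md, the same file as "Enable passkey (FIDO2) (Updated)"; one file cannot be both new and updated, so merge the three entries or add anchors to the relevant sections. "Synced passkey FAQ" became "Passkey FAQ" at passkey-faq.yml; confirm a redirect from synced-passkey-faq.yml is in place, since the Before text announced that path as new.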
+3 / -3 lines changed
Commit: Update passkey links in authentication docs
Changes:
Before
After
 
All accounts that sign in to perform operations cited in the [applications section](#application-ids-and-urls) must complete MFA when the enforcement begins. Users aren't required to use MFA if they access other applications, websites, or services hosted on Azure. Each application, website, or service owner listed earlier controls the authentication requirements for users.
 
[Break glass or emergency access accounts](/entra/identity/role-based-access-control/security-emergency-access) are also required to sign in with MFA once enforcement begins. We recommend that you update these accounts to use [passkey (FIDO2)](~/identity/authentication/how-to-enable-passkey-fido2.md) or configure [certificate-based authentication](~/identity/authentication/how-to-certificate-based-authentication.md) for MFA. Both methods satisfy the MFA requirement.
 
Workload identities, such as managed identities and service principals, aren't impacted by [either phase](#enforcement-phases) of this MFA enforcement. If user identities are used to sign in as a service account to run automation (including scripts or other automated tasks), those user identities need to sign in with MFA once enforcement begins. User identities aren't recommended for automation. You should migrate those user identities to [workload identities](~/workload-id/workload-identities-overview.md).
 
 
**Question**: What if I have a "break glass" scenario?
 
**Answer**: We recommend updating these accounts to use [passkey (FIDO2)](~/identity/authentication/how-to-enable-passkey-fido2.md) or configure [certificate-based authentication](~/identity/authentication/how-to-certificate-based-authentication.md) for MFA. Both methods satisfy the MFA requirement.
**Question**: What if I don't receive an email about enabling MFA before it was enforced, and then I get locked-out. How should I resolve it?
 
**Answer**: Users shouldn't be locked out, but they may get a message that prompts them to enable MFA once enforcement for their tenant has started. If the user is locked out, there may be other issues. For more information, see [Account has been locked](https://support.microsoft.com/account-billing/account-has-been-locked-805e8b0d-4141-29b2-7b65-df6ff6c9ce27).
 
 
All accounts that sign in to perform operations cited in the [applications section](#application-ids-and-urls) must complete MFA when the enforcement begins. Users aren't required to use MFA if they access other applications, websites, or services hosted on Azure. Each application, website, or service owner listed earlier controls the authentication requirements for users.
 
[Break glass or emergency access accounts](/entra/identity/role-based-access-control/security-emergency-access) are also required to sign in with MFA once enforcement begins. We recommend that you update these accounts to use [passkey (FIDO2)](~/identity/authentication/how-to-authentication-passkeys-fido2.md) or configure [certificate-based authentication](~/identity/authentication/how-to-certificate-based-authentication.md) for MFA. Both methods satisfy the MFA requirement.
 
Workload identities, such as managed identities and service principals, aren't impacted by [either phase](#enforcement-phases) of this MFA enforcement. If user identities are used to sign in as a service account to run automation (including scripts or other automated tasks), those user identities need to sign in with MFA once enforcement begins. User identities aren't recommended for automation. You should migrate those user identities to [workload identities](~/workload-id/workload-identities-overview.md).
 
 
**Question**: What if I have a "break glass" scenario?
 
**Answer**: We recommend updating these accounts to use [passkey (FIDO2)](~/identity/authentication/how-to-authentication-passkeys-fido2.md) or configure [certificate-based authentication](~/identity/authentication/how-to-certificate-based-authentication.md) for MFA. Both methods satisfy the MFA requirement.
**Question**: What if I don't receivean email about enabling MFA before it was enforced, and then I get locked-out. How should I resolve it?
 
**Answer**: Users shouldn't be locked out, but they may get a message that prompts them to enable MFA once enforcement for their tenant has started. If the user is locked out, there may be other issues. For more information, see [Account has been locked](https://support.microsoft.com/account-billing/account-has-been-locked-805e8b0d-4141-29b2-7b65-df6ff6c9ce27).
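Review bot: the After text introduces a typo, "receivean" in the question "What if I don't receivean email about enabling MFA", where the Before text had "receive an"; fix before merge. In both versions there is no blank line between the break-glass **Answer** paragraph and the next **Question**, so they render as one paragraph; add the blank line. The break-glass FAQ answer repeats the recommendation already given in the paragraph above it (passkey (FIDO2) or certificate-based authentication); the FAQ could link to that paragraph instead of restating it.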
 
+2 / -4 lines changed
Commit: Learn Editor: Update concept-conditional-access-conditions.md
Changes:
Before
After
| Windows Server 2019 | Microsoft Edge, [Chrome](#chrome-support) |
| iOS | Microsoft Edge, Safari (see the notes) |
| Android | Microsoft Edge, Chrome |
| macOS | Microsoft Edge, Chrome, [Firefox 133+](https://support.mozilla.org/kb/firefox-enterprise-133-release-notes), Safari |
| Linux Desktop|Microsoft Edge|
 
These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode or if cookies are disabled.
>
> [Chrome 111+](https://chromeenterprise.google/policies/#CloudAPAuthEnabled) is supported for device-based Conditional Access, but "CloudApAuthEnabled" needs to be enabled.
>
> macOS devices using the Enterprise SSO plugin require the [Microsoft Single Sign On](https://chromewebstore.google.com/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) extension to support SSO and device-based Conditional Access in Google Chrome.
>
> macOS devices using the Firefox browser must be running macOS version 10.15 or newer and have the [Microsoft Enterprise SSO plug-in installed](/mem/intune-service/user-help/enroll-your-device-in-intune-macos-cp) and [configured appropriately](/entra/identity-platform/apple-sso-plugin#microsoft-intune-configuration).
 
#### Why do I see a certificate prompt in the browser
 
To automatically enable the CloudAPAuthEnabled policy in Chrome, create the following registry key:
 
- Path: `HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome`
- Name: `CloudAPAuthEnabled`
| Windows Server 2019 | Microsoft Edge, [Chrome](#chrome-support) |
| iOS | Microsoft Edge, Safari (see the notes) |
| Android | Microsoft Edge, Chrome |
| macOS | Microsoft Edge, [Chrome](#chrome-support), [Firefox 133+](https://support.mozilla.org/kb/firefox-enterprise-133-release-notes), Safari |
| Linux Desktop|Microsoft Edge|
 
These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode or if cookies are disabled.
>
> [Chrome 111+](https://chromeenterprise.google/policies/#CloudAPAuthEnabled) is supported for device-based Conditional Access, but "CloudApAuthEnabled" needs to be enabled.
>
> macOS devices using the Firefox browser must be running macOS version 10.15 or newer and have the [Microsoft Enterprise SSO plug-in installed](/mem/intune-service/user-help/enroll-your-device-in-intune-macos-cp) and [configured appropriately](/entra/identity-platform/apple-sso-plugin#microsoft-intune-configuration).
 
#### Why do I see a certificate prompt in the browser
 
To automatically enable the CloudAPAuthEnabled policy in Chrome, create the following registry key:
 
- Path: `HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome`
- Name: `CloudAPAuthEnabled`
- Value: `0x00000001`
- PropertyType: `DWORD`
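Review bot: this change removes the note that macOS devices using the Enterprise SSO plug-in need the Microsoft Single Sign On extension for device-based Conditional Access in Chrome, and instead links macOS Chrome to #chrome-support; confirm that section states the macOS extension requirement, otherwise a documented prerequisite is lost. The note block writes the policy as "CloudApAuthEnabled" while the registry value is `CloudAPAuthEnabled`; use one spelling. The block quote opens with a bare `>` line immediately after the paragraph, so no `[!NOTE]` marker is present; add one if the quote is meant to render as a note.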
+1 / -4 lines changed
Commit: Add customer intent to pim-troubleshoot.md
Changes:
Before
After
ms.date: 03/23/2026
ms.reviewer: shaunliu
 
---
 
# Troubleshoot access to Azure resources denied in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to troubleshoot and resolve access issues in PIM to ensure proper management of Azure resource roles.
 
## Overview
 
If you're experiencing issues with Privileged Identity Management (PIM) in Microsoft Entra ID, the information included in this article can help you resolve these issues.
ms.date: 03/23/2026
ms.reviewer: shaunliu
 
#Customer Intent: As an administrator, I want to troubleshoot and resolve access issues in PIM to ensure proper management of Azure resource roles.
---
# Troubleshoot access to Azure resources denied in Privileged Identity Management
 
## Overview
 
If you're experiencing issues with Privileged Identity Management (PIM) in Microsoft Entra ID, the information included in this article can help you resolve these issues.
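Review bot: the customer intent comment sits inside the YAML front matter before the closing `---`, where a line starting with `#` is a YAML comment, which matches the placement used by the OIDC articles in this report; but the casing "#Customer Intent:" differs from their "#customer intent:", and the file now ends with three blank lines. Normalize the casing and trim the trailing blank lines.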
 
 
 
+1 / -4 lines changed
Commit: Add customer intent to pim-security-wizard.md
Changes:
Before
After
ms.reviewer: shaunliu
ms.custom: pim, H1Hack27Feb2017, sfi-ga-nochange, sfi-image-nochange
---
 
# Discovery and insights (preview) for Microsoft Entra roles (formerly Security Wizard)
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to discover existing permanent role assignments and convert them to just-in-time assignments using PIM.
 
## Overview
 
If you're starting out using Privileged Identity Management (PIM) in Microsoft Entra ID to manage role assignments in your organization, you can use the **Discovery and insights (preview)** page to get started. This feature shows you who is assigned to privileged roles in your organization and how to use PIM to quickly change permanent role assignments into just-in-time assignments. You can view or make changes to your permanent privileged role assignments in **Discovery and insights (preview)**. It's an analysis tool and an action tool.
ms.reviewer: shaunliu
ms.custom: pim, H1Hack27Feb2017, sfi-ga-nochange, sfi-image-nochange
---
#Customer Intent: As an administrator, I want to discover existing permanent role assignments and convert them to just-in-time assignments using PIM.
# Discovery and insights (preview) for Microsoft Entra roles (formerly Security Wizard)
 
## Overview
 
If you're starting out using Privileged Identity Management (PIM) in Microsoft Entra ID to manage role assignments in your organization, you can use the **Discovery and insights (preview)** page to get started. This feature shows you who is assigned to privileged roles in your organization and how to use PIM to quickly change permanent role assignments into just-in-time assignments. You can view or make changes to your permanent privileged role assignments in **Discovery and insights (preview)**. It's an analysis tool and an action tool.
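Review bot: the added `#Customer Intent:` line lands after the closing `---` (directly above `# Discovery and insights (preview) for Microsoft Entra roles (formerly Security Wizard)`), so it is body Markdown rather than a YAML comment and will render as literal text on the page; move it above the `---`, as the pim-troubleshoot.md change in this batch does.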
 
 
 
Modified by Ortagus Winfrey on Apr 24, 2026 1:20 AM
+1 / -4 lines changed
Commit: Add customer intent to pim-roles.md
Changes:
Before
After
ms.date: 03/23/2026
ms.reviewer: shaunliu
---
 
# Roles you can't manage in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to understand which roles cannot be managed in PIM to plan my privileged access management strategy.
 
## Overview
 
You can manage just-in-time assignments to all [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md) and all [Azure roles](/azure/role-based-access-control/built-in-roles) using Privileged Identity Management (PIM) in Microsoft Entra ID. Azure roles include built-in and custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are a few roles that you can't manage. This article describes the roles you can't manage in Privileged Identity Management.
ms.date: 03/23/2026
ms.reviewer: shaunliu
---
#Customer Intent: As an administrator, I want to understand which roles cannot be managed in PIM to plan my privileged access management strategy.
# Roles you can't manage in Privileged Identity Management
 
## Overview
 
You can manage just-in-time assignments to all [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md) and all [Azure roles](/azure/role-based-access-control/built-in-roles) using Privileged Identity Management (PIM) in Microsoft Entra ID. Azure roles include built-in and custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are a few roles that you can't manage. This article describes the roles you can't manage in Privileged Identity Management.
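Review bot: `#Customer Intent:` is placed after the closing `---` of the front matter, right before `# Roles you can't manage in Privileged Identity Management`, so it is not a YAML comment and will appear as visible text; move it above the `---` and restore the blank line between the front matter and the H1.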
 
 
 
+1 / -4 lines changed
Commit: Add customer intent to pim-resource-roles-renew-extend.md
Changes:
Before
After
ms.reviewer: shaunliu
ms.custom: pim, sfi-image-nochange
---
 
# Extend or renew Azure resource role assignments in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator or user, I want to extend or renew time-bound Azure resource role assignments before they expire to maintain necessary access.
 
## Overview
 
Microsoft Entra Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access isn't extended.
ms.reviewer: shaunliu
ms.custom: pim, sfi-image-nochange
---
#Customer Intent: As an administrator or user, I want to extend or renew time-bound Azure resource role assignments before they expire to maintain necessary access.
# Extend or renew Azure resource role assignments in Privileged Identity Management
 
## Overview
 
Microsoft Entra Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access isn't extended.
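Review bot: the `#Customer Intent:` line sits outside the front matter (after `---`, directly above `# Extend or renew Azure resource role assignments in Privileged Identity Management`); as body Markdown without a space after `#` it renders as literal text rather than a heading or a comment. Move it above the `---`.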
 
 
 
+1 / -4 lines changed
Commit: Add customer intent to pim-resource-roles-overview-dashboards.md
Changes:
Before
After
ms.reviewer: shaunliu
ms.custom: pim
---
 
# Use a resource dashboard to perform an access review in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to use the PIM resource dashboard to monitor role activations and perform access reviews.
 
## Overview
 
You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM). The Admin View dashboard in Microsoft Entra ID, part of Microsoft Entra, has three primary components:
ms.reviewer: shaunliu
ms.custom: pim
---
#Customer Intent: As an administrator, I want to use the PIM resource dashboard to monitor role activations and perform access reviews.
# Use a resource dashboard to perform an access review in Privileged Identity Management
 
## Overview
 
You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM). The Admin View dashboard in Microsoft Entra ID, part of Microsoft Entra, has three primary components:
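Review bot: same placement problem as the sibling files in this commit series: `#Customer Intent:` follows the closing `---` instead of preceding it, so it leaves the YAML front matter and becomes page text above `# Use a resource dashboard to perform an access review in Privileged Identity Management`; move it above the `---`.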
 
 
 
+1 / -4 lines changed
Commit: Add customer intent to pim-resource-roles-discover-resources.md
Changes:
Before
After
ms.reviewer: shaunliu
ms.custom: sfi-ga-nochange
---
 
# Discover Azure resources to manage in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to discover and onboard Azure resources to PIM to protect access to my subscriptions and resource groups.
 
## Overview
 
You can use Privileged Identity Management (PIM) in Microsoft Entra ID, to improve the protection of your Azure resources. This helps:
ms.reviewer: shaunliu
ms.custom: sfi-ga-nochange
---
#Customer Intent: As an administrator, I want to discover and onboard Azure resources to PIM to protect access to my subscriptions and resource groups.
# Discover Azure resources to manage in Privileged Identity Management
 
## Overview
 
You can use Privileged Identity Management (PIM) in Microsoft Entra ID, to improve the protection of your Azure resources. This helps:
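Review bot: `#Customer Intent:` is added after the `---` that closes the front matter, immediately before `# Discover Azure resources to manage in Privileged Identity Management`, so it will render as literal body text; place it above the `---` so it is a YAML comment, and keep a blank line before the H1.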
 
 
 
+1 / -4 lines changed
Commit: Add customer intent to pim-resource-roles-configure-role-settings.md
Changes:
Before
After
ms.custom: sfi-ga-nochange, sfi-image-nochange
ai-usage: ai-assisted
---
 
# Configure Azure resource role settings in Privileged Identity Management
 
> [!div class="op_single_selector"]
> - **Customer intent:** As an administrator, I want to configure role settings for Azure resource roles including approval workflows, MFA requirements, and assignment duration.
 
## Overview
 
In Privileged Identity Management (PIM) in Microsoft Entra ID, which is part of Microsoft Entra, role settings define role assignment properties. These properties include multifactor authentication and approval requirements for activation, assignment maximum duration, and notification settings. This article shows you how to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.
ms.custom: sfi-ga-nochange, sfi-image-nochange
ai-usage: ai-assisted
---
#Customer Intent: As an administrator, I want to configure role settings for Azure resource roles including approval workflows, MFA requirements, and assignment duration.
# Configure Azure resource role settings in Privileged Identity Management
 
## Overview
 
In Privileged Identity Management (PIM) in Microsoft Entra ID, which is part of Microsoft Entra, role settings define role assignment properties. These properties include multifactor authentication and approval requirements for activation, assignment maximum duration, and notification settings. This article shows you how to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.
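Review bot: the `#Customer Intent:` line is outside the front matter here too (after `---`, above `# Configure Azure resource role settings in Privileged Identity Management`), so it becomes visible page text instead of metadata; move it above the closing `---` and restore the blank line between the front matter and the H1.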