📋 Microsoft Entra Documentation Changes

Daily summary for changes since May 6th 2026, 10:10 PM PDT

Report generated on May 7th 2026, 10:10 PM PDT

📊 Summary

Total Commits: 40
New Files: 0
Modified Files: 10
Deleted Files: 0
Contributors: 15

📝 Modified Documentation Files

Modified by Justinha on May 7, 2026 1:45 PM
+67 / -1 lines changed
Commit: Add device security requirements FAQ to Face Check article
Changes:
Before
After
title: Tutorial - Use Face Check with Microsoft Entra Verified ID
description: Learn how to set up and use Face Check with Microsoft Entra Verified ID for high-assurance facial matching verifications that protect user privacy at enterprise scale.
ms.topic: tutorial
ms.date: 04/22/2026
ms.custom: sfi-image-nochange
# Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.
---
Data isn't stored by or kept by any of the services Microsoft Authenticator, Verified ID, or Azure AI. Furthermore, the footage isn't shared with the verifier application either. The verifier application only gets the confidence score in return. In an AI based system, the confidence score is the probability percentage answer for a query to the system. For this scenario, the confidence score is the likelihood the Verified ID user photo matches user capture on the mobile device.
For more information, see [Data and privacy for Azure AI Services](/legal/cognitive-services/face/data-privacy-security).
 
### How much does Face Check cost?
For the latest information about usage billing and pricing, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
 
 
 
 
 
 
 
 
title: Tutorial - Use Face Check with Microsoft Entra Verified ID
description: Learn how to set up and use Face Check with Microsoft Entra Verified ID for high-assurance facial matching verifications that protect user privacy at enterprise scale.
ms.topic: tutorial
ms.date: 05/07/2026
ms.custom: sfi-image-nochange
# Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.
---
Data isn't stored by or kept by any of the services Microsoft Authenticator, Verified ID, or Azure AI. Furthermore, the footage isn't shared with the verifier application either. The verifier application only gets the confidence score in return. In an AI based system, the confidence score is the probability percentage answer for a query to the system. For this scenario, the confidence score is the likelihood the Verified ID user photo matches user capture on the mobile device.
For more information, see [Data and privacy for Azure AI Services](/legal/cognitive-services/face/data-privacy-security).
 
### What device security requirements are needed to support Verified ID Face Check?
 
Verified ID Face Check requires devices that meet platform-specific OS and device integrity requirements. These checks help ensure Face Check results are generated on trusted devices and protect against spoofing, tampering, or replay attacks.
 
While the exact enforcement mechanisms differ by platform, both Android and iOS require devices that are secure, unmodified, and running supported OS versions.
 
#### Android device requirements
 
Verified ID Face Check on Android requires both a supported Android version and strong device integrity validation via Google.
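
Review bot: In the Android requirements paragraph, "strong device integrity validation via Google" names neither the integrity service nor the verdict a device has to meet, so an admin can't tell from this sentence which devices will be refused. Name both in the first lines under the heading, and say what the user sees when a device fails the check; the lines shown here stop before any such detail. The opening paragraph's "spoofing, tampering, or replay attacks" would also read better tied to the specific check that addresses each one.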
 
Modified by shlipsey3 on May 7, 2026 9:36 PM
+5 / -5 lines changed
Commit: fundamentals-branding-typos-050726
Changes:
Before
After
:::image type="content" source="media/how-to-customize-branding/sign-in-page-map.png" alt-text="Screenshot of the sign-in page, with each of the company branding elements highlighted." lightbox="media/how-to-customize-branding/sign-in-page-map-expanded.png":::
 
1. **Favicon:** Small icon that appears on the left side of the browser tab.
1. **Header:** Space across the top of the sign-in page, behind the header log.
1. **Header logo:** Logo that appears in the upper-left corner of the sign-in page.
1. **Background image:** The entire space behind the sign-in box.
1. **Page background color:** The entire space behind the sign-in box.
 
## How to navigate the company branding process
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Organizational Branding Administrator](../identity/role-based-access-control/permissions-reference.md#organizational-branding-administrator).
 
1. Browse to **Entra ID** > **Custom Branding**.
- If you currently have a customized sign-in experience, the **Edit** button is available.
- View the [CSS template reference guide](reference-company-branding-css-template.md).
> [!IMPORTANT]
> Tenants created after January 5, 2026, will not have custom CSS available for company branding in Microsoft Entra ID. Tenants. Tenants created before January 5 can continue to use custom CSS.
 
 
:::image type="content" source="media/how-to-customize-branding/sign-in-page-map.png" alt-text="Screenshot of the sign-in page, with each of the company branding elements highlighted." lightbox="media/how-to-customize-branding/sign-in-page-map-expanded.png":::
 
1. **Favicon:** Small icon that appears on the left side of the browser tab.
1. **Header:** Space across the top of the sign-in page, behind the header logo.
1. **Header logo:** Logo that appears in the upper-left corner of the sign-in page.
1. **Background image:** The entire space behind the sign-in box.
1. **Page background color:** The entire space behind the sign-in box.
 
## How to navigate the company branding process
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Organizational Branding Administrator](../identity/role-based-access-control/permissions-reference.md#organizational-branding-administrator).
 
1. Browse to **Entra ID** > **Custom Branding**.
- If you currently have a customized sign-in experience, the **Edit** button is available.
- View the [CSS template reference guide](reference-company-branding-css-template.md).
> [!IMPORTANT]
> Tenants created after January 5, 2026, won't have custom CSS available for company branding in Microsoft Entra ID. Tenants created before January 5 can continue to use custom CSS.
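
Review bot: In the numbered legend, **Background image** and **Page background color** still carry the identical description, "The entire space behind the sign-in box." Since this commit is a typo pass over the same list, distinguish the two here, for instance by saying when the color is shown instead of the image. The IMPORTANT note also says "before January 5" without the year in its second sentence; repeat "2026" so the cutoff is unambiguous when the note is quoted on its own.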
 
 
+3 / -5 lines changed
Commit: incorporating feedback
Changes:
Before
After
 
# Explicit Forward Proxy (preview) session management
 
Explicit Forward Proxy uses Microsoft Entra ID authentication and authorization to validate user access before allowing network traffic. This validation method allows for adaptive policies in Microsoft Entra Conditional Access, modern credentials like passkeys, and continuous access evaluation with session revocation. Classic proxy authorization methods, such as basic, digest, NTLM, or Kerberos, aren't supported.
 
> [!IMPORTANT]
> The Explicit Forward Proxy feature is currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
After the user session is authenticated and authorized, Explicit Forward Proxy records the source IP of that user connection. Subsequent requests from the same IP address are allowed. If no other session management mechanism can be negotiated besides the source IP, Explicit Forward Proxy falls back to baseline security profile enforcement.
 
## Continuous access evaluation
 
If the user session is revoked, Explicit Forward Proxy receives a continuous access evaluation signal from Microsoft Entra ID and invalidates sessions associated with that user identity in near real time (2 to 5 minutes). The revocation can be due to disabling of the user account, password reset/change, reset of multifactor authentication methods, or user risk change.
 
After the invalidation, the user must reauthenticate with Microsoft Entra ID. If the reauthentication is successful, Explicit Forward Proxy connectivity is re-established.
 
## Related content
 
 
# Explicit Forward Proxy (preview) session management
 
Explicit Forward Proxy uses Microsoft Entra ID authentication and authorization to validate user access before allowing network traffic. This validation method allows for adaptive policies in Microsoft Entra Conditional Access, modern credentials like passkeys, and Continuous Access Evaluation with session revocation. Classic proxy authorization methods, such as basic, digest, NTLM, or Kerberos, aren't supported.
 
> [!IMPORTANT]
> The Explicit Forward Proxy feature is currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
After the user session is authenticated and authorized, Explicit Forward Proxy records the source IP of that user connection. Subsequent requests from the same IP address are allowed. If no other session management mechanism can be negotiated besides the source IP, Explicit Forward Proxy falls back to baseline security profile enforcement.
 
## Continuous Access Evaluation
 
If the user session is revoked (for example, due to disabling of the user account, password reset/change, reset of multifactor authentication methods, or user risk change), Explicit Forward Proxy receives a Continuous Access Evaluation signal from Microsoft Entra ID and invalidates sessions associated with that user identity in near real time (2 to 5 minutes). After that, the user must reauthenticate with Microsoft Entra ID. If the reauthentication is successful, Explicit Forward Proxy connectivity is re-established.
 
## Related content
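
Review bot: The merged Continuous Access Evaluation paragraph says sessions "associated with that user identity" are invalidated, while the paragraph above it says access is tracked by recorded source IP and that "Subsequent requests from the same IP address are allowed." State explicitly whether revocation removes the recorded source IP entry, and what happens to requests from that address during the 2 to 5 minute window. It would also help to say how the source IP rule behaves when several users share one egress address, because the text as written doesn't cover that case.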
 
 
 
+2 / -2 lines changed
Commit: Add lightbox to image references for accessibility
Changes:
Before
After
 
During account recovery, a user who has lost all authentication methods must re-establish their identity. The custom authentication extension adds a claim validation step into this flow:
 
:::image type="content" source="media/custom-extension-account-recovery/account-recovery-flow.png" alt-text="Architecture diagram showing the account recovery flow: user starts recovery, Microsoft Entra ID triggers event listener, custom authentication extension calls REST API endpoint (Logic Apps or Azure Functions), which validates against external system, then response is processed and TAP code is presented.":::
 
The `OnVerifiedIdClaimValidation` event is the pre-proofing hook in the recovery pipeline. It lets you plug in custom validation logic — HR lookups, external database checks, or partner trust verification — before Microsoft Entra ID proceeds with recovery.
 
 
1. In the **Selected extension** dropdown, select the custom authentication extension you created in Step 2 (`Account Recovery Claims Validation`).
 
:::image type="content" source="media/custom-extension-account-recovery/account-recovery-identity-verification-profile.png" alt-text="Screenshot showing the identity verification profile with the custom authentication extension selected.":::
 
1. Select **Review and finalize**, then **Save**.
 
 
During account recovery, a user who has lost all authentication methods must re-establish their identity. The custom authentication extension adds a claim validation step into this flow:
 
:::image type="content" source="media/custom-extension-account-recovery/account-recovery-flow.png" lightbox="media/custom-extension-account-recovery/account-recovery-flow.png" alt-text="Architecture diagram showing the account recovery flow: user starts recovery, Microsoft Entra ID triggers event listener, custom authentication extension calls REST API endpoint (Logic Apps or Azure Functions), which validates against external system, then response is processed and TAP code is presented.":::
 
The `OnVerifiedIdClaimValidation` event is the pre-proofing hook in the recovery pipeline. It lets you plug in custom validation logic — HR lookups, external database checks, or partner trust verification — before Microsoft Entra ID proceeds with recovery.
 
 
1. In the **Selected extension** dropdown, select the custom authentication extension you created in Step 2 (`Account Recovery Claims Validation`).
 
:::image type="content" source="media/custom-extension-account-recovery/account-recovery-identity-verification-profile.png" lightbox="media/custom-extension-account-recovery/account-recovery-identity-verification-profile.png" alt-text="Screenshot showing the identity verification profile with the custom authentication extension selected.":::
 
1. Select **Review and finalize**, then **Save**.
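
Review bot: Both added `lightbox` attributes point at the same file as `source`, so the expanded view shows the image at the same resolution as the inline one. The branding article in this report uses a separate `-expanded.png` for its lightbox; if a larger export of the account recovery architecture diagram exists, reference it here, since that diagram carries the most detail. The commit message frames this as accessibility, but the alt-text is unchanged, so the gain is click-to-zoom only.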
 
+1 / -1 lines changed
Commit: Update lifecycle governance picture and docs
Changes:
Before
After
description: Learn how to view, add, and remove assignments for an access package in entitlement management.
ms.subservice: entitlement-management
ms.topic: how-to
ms.date: 06/26/2025
ms.custom: sfi-image-nochange
#Customer Intent: As an IT admin, I want to view, add, and remove assignments for an access package so that I can manage who has access to bundled resources.
---
description: Learn how to view, add, and remove assignments for an access package in entitlement management.
ms.subservice: entitlement-management
ms.topic: how-to
ms.date: 05/07/2026
ms.custom: sfi-image-nochange
#Customer Intent: As an IT admin, I want to view, add, and remove assignments for an access package so that I can manage who has access to bundled resources.
---
Modified by Ortagus Winfrey on May 7, 2026 6:10 PM
+1 / -1 lines changed
Commit: Fix
Changes:
Before
After
 
- **Conditional Access for agents**: Microsoft Entra ID P1 or Microsoft 365 E3.
- **ID Protection for agents**: Microsoft Entra ID P2, Microsoft 365 E5, or Microsoft Entra Suite.
- **ID Governance for agents**: Microsoft Entra ID P1 or Microsoft 365 E3
- **Network controls for agents**: Microsoft Entra Internet Access, included in Microsoft Entra Suite or licensed separately. For more information, see [What is Global Secure Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview).
 
- **Conditional Access for agents**: Microsoft Entra ID P1 or Microsoft 365 E3.
- **ID Protection for agents**: Microsoft Entra ID P2, Microsoft 365 E5, or Microsoft Entra Suite.
- **ID Governance for agents**: Microsoft Entra ID P1 or Microsoft 365 E3.
- **Network controls for agents**: Microsoft Entra Internet Access, included in Microsoft Entra Suite or licensed separately. For more information, see [What is Global Secure Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview).
+1 / -1 lines changed
Commit: incorporating feedback
Changes:
Before
After
 
During the session lifetime, Explicit Forward Proxy attempts to revalidate the user at regular intervals by using single sign-on. If validation is successful, Explicit Forward Proxy extends the user's cache entry by the lifetime of the new access token.
 
Explicit Forward Proxy supports *continuous access evaluation*. With continuous access evaluation, the user's Explicit Forward Proxy session terminates with identity change events detected by Microsoft Entra ID and sent as a signal to Explicit Forward Proxy. These events include password reset/change, reset of multifactor authentication methods, session revocation, and user risk change. In that case, explicit navigation to a new web resource triggers the authentication flow in 2 to 5 minutes and requires the user to sign in to Microsoft Entra ID.
 
## Limitations
 
 
During the session lifetime, Explicit Forward Proxy attempts to revalidate the user at regular intervals by using single sign-on. If validation is successful, Explicit Forward Proxy extends the user's cache entry by the lifetime of the new access token.
 
Explicit Forward Proxy supports Continuous Access Evaluation. With Continuous Access Evaluation, the user's Explicit Forward Proxy session terminates with identity change events detected by Microsoft Entra ID and sent as a signal to Explicit Forward Proxy. These events include password reset/change, reset of multifactor authentication methods, session revocation, and user risk change. In that case, explicit navigation to a new web resource triggers the authentication flow in 2 to 5 minutes and requires the user to sign in to Microsoft Entra ID.
 
## Limitations
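
Review bot: The event list in the Continuous Access Evaluation paragraph (password reset/change, reset of multifactor authentication methods, session revocation, user risk change) doesn't match the list in the session management article edited under the same commit message, which includes disabling of the user account and doesn't list session revocation as a separate event. Align the two lists so readers don't infer different coverage. Also, "triggers the authentication flow in 2 to 5 minutes" can be read as a delay applied to navigation; reword it so the 2 to 5 minutes clearly describes how long after the event the session ends.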
 
+1 / -1 lines changed
Commit: preexisting acrolinx
Changes:
Before
After
 
### Advanced disconnected forest capabilities
 
Cloud Sync natively supports synchronization from multiple disconnected Active Directory forests. These scenarios are commonly required during mergers, acquisitions, or complex organizational structures. Unlike Connect sync, which requires complicated configurations or multiple instances for disconnected forests, Cloud Sync handles these scenarios through its multi-tenant architecture.
 
Each disconnected forest can have dedicated agents while maintaining unified management through the cloud service. This capability simplifies complex organizational scenarios and reduces the infrastructure complexity traditionally required for multi-forest synchronization.
 
 
### Advanced disconnected forest capabilities
 
Cloud Sync natively supports synchronization from multiple disconnected Active Directory forests. These scenarios are commonly required during mergers, acquisitions, or complex organizational structures. Unlike Connect sync, which requires complicated configurations or multiple instances for disconnected forests, Cloud Sync handles these scenarios through its multitenant architecture.
 
Each disconnected forest can have dedicated agents while maintaining unified management through the cloud service. This capability simplifies complex organizational scenarios and reduces the infrastructure complexity traditionally required for multi-forest synchronization.
 
Modified by Justinha on May 7, 2026 2:40 PM
+1 / -1 lines changed
Commit: Fix broken bookmark link in whats-new.md
Changes:
Before
After
 
- **Non-FIPS compliant signing keys (P-256K) retirement**: Non-FIPS compliant signing keys (P-256K) will be retired on July 1, 2026. If you haven't already, [upgrade your signing keys](signing-key-upgrade.md) to become FIPS compliant.
 
- **Face Check device security FAQ**: Added [frequently asked questions](using-facecheck.md#what-are-the-device-security-requirements-for-face-check) about device security requirements for Face Check on Android and iOS devices.
 
- **Microsoft Entra ID account recovery**: Microsoft Entra ID account recovery with Verified ID is now generally available. For more information, see [plan your verification solution](plan-verification-solution.md).
 
 
- **Non-FIPS compliant signing keys (P-256K) retirement**: Non-FIPS compliant signing keys (P-256K) will be retired on July 1, 2026. If you haven't already, [upgrade your signing keys](signing-key-upgrade.md) to become FIPS compliant.
 
- **Face Check device security FAQ**: Added [frequently asked questions](using-facecheck.md#what-device-security-requirements-are-needed-to-support-verified-id-face-check) about device security requirements for Face Check on Android and iOS devices.
 
- **Microsoft Entra ID account recovery**: Microsoft Entra ID account recovery with Verified ID is now generally available. For more information, see [plan your verification solution](plan-verification-solution.md).
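
Review bot: The corrected fragment in the Face Check bullet is derived from the full wording of the FAQ heading in using-facecheck.md, so any later edit to that heading breaks this link again. Consider shortening the heading before it gets linked from more places, or make sure the link checker covers in-repo bookmarks so a mismatch like the one fixed here fails the build instead of shipping.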
 
+1 / -1 lines changed
Commit: Update FIDO2 compatibility details for Android
Changes:
Before
After
 
### Android
- Sign-in with passkey requires Google Play Services 21 or later because Microsoft Entra ID requires user verification for multifactor authentication.
- BLE and NFC security keys aren't supported on Android by Google.
- Sign-in with passkey isn't supported in Firefox on Android.
 
 
 
### Android
- Sign-in with passkey requires Google Play Services 21 or later because Microsoft Entra ID requires user verification for multifactor authentication.
- BLE security keys aren't supported on Android by Google.
- Sign-in with passkey isn't supported in Firefox on Android.
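
Review bot: Dropping "and NFC" from the unsupported bullet implies that NFC security keys now work on Android, but nothing in the list says so or gives the minimum Android or Google Play Services version that applies. Add a positive statement of NFC support with its requirements, so the change isn't visible only by omission and readers comparing against an older copy of the page can tell what changed.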