📝 Modified Documentation Files

MODIFIED docs/identity/devices/concept-soft-delete-devices.md

Modified by Justinha on May 6, 2026 7:31 PM
📖 View on learn.microsoft.com

+9 / -7 lines changed

Commit: Add preview annotations to device soft delete topic

Changes:

Before

After

---
title: Device soft delete in Microsoft Entra ID
description: Learn about device soft delete in Microsoft Entra ID, which moves deleted devices to a recoverable state instead of permanently removing them.
author: Justinha
ms.author: justinha
ms.service: entra-id
 
---
 
# Device soft delete overview
 
Device soft delete is a recoverability feature in Microsoft Entra ID that moves deleted device objects to a suspended state instead of permanently removing them. When a device is soft deleted, the Azure Device Registration Service (ADRS) de-registers the device and moves the device object into a separate soft-deleted container in the directory. The device is removed from active device lists but remains recoverable for up to 30 days.
 
This feature helps prevent accidental loss of important device data, such as BitLocker recovery keys and Local Administrator Password Solution (LAPS) passwords. It also reduces the risk of hitting tenant object quotas from orphaned device objects and provides an undo option for device deletions, similar to how soft delete works for users and groups.
 
> [!IMPORTANT]
> Device soft delete is currently in public preview. Some features and behaviors might change before general availability.
 
## How device soft delete works
 

---
title: Device soft delete in Microsoft Entra ID (preview)
description: Learn about device soft delete (preview) in Microsoft Entra ID, which moves deleted devices to a recoverable state instead of permanently removing them.
author: Justinha
ms.author: justinha
ms.service: entra-id
 
---
 
# Device soft delete overview (preview)
 
Device soft delete is a recoverability feature in Microsoft Entra ID that moves deleted device objects to a suspended state instead of permanently removing them. When a device is soft deleted, the Azure Device Registration Service (ADRS) de-registers the device and moves the device object into a separate soft-deleted container in the directory. The device is removed from active device lists but remains recoverable for up to 30 days.
 
This feature helps prevent accidental loss of important device data, such as BitLocker recovery keys and Local Administrator Password Solution (LAPS) passwords. It also reduces the risk of hitting tenant object quotas from orphaned device objects and provides an undo option for device deletions, similar to how soft delete works for users and groups.
 
[!INCLUDE [preview-alert](~/../docs/reusable-content/ce-skilling/azure/includes/entra-previews.md)]
 
> [!IMPORTANT]
> Device soft delete is currently in preview. Some features and behaviors might change before general availability.
 

MODIFIED docs/identity/app-provisioning/configure-workload-identity-sap-successfactors-provisioning.md

Modified by jenniferf-skc on May 27, 2026 2:54 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Address ttorble review feedback

Changes:

Before

After

2. **SAP Cloud Identity Service exchanges the JWT for an access token.** The signed JWT is presented to SAP Cloud Identity Service, which is trusted by SAP SuccessFactors. SAP Cloud Identity Service validates the JWT against the trust rules you configure in the SAP Cloud Identity Service admin console and returns a short-lived access token that can only be used to query the SAP SuccessFactors OData API.
3. **The provisioning service calls the OData API.** Microsoft Entra provisioning service uses the short-lived access token to query the SAP SuccessFactors OData API. The access token includes a client ID that's mapped to a technical/API user in SAP SuccessFactors with role-based permission to access SAP SuccessFactors entities.
 
:::image type="content" source="./media/configure-workload-identity-sap-successfactors-provisioning/entra-sap-workload-identity-detailed-flow.png" alt-text="Detailed runtime flow showing AT1 acquisition from Microsoft Entra, exchange for AT2 at SAP Cloud Identity Service, and the OData API call to SAP SuccessFactors." lightbox="./media/configure-workload-identity-sap-successfactors-provisioning/entra-sap-workload-identity-detailed-flow.png":::
 
### Token exchange sequence diagram

2. **SAP Cloud Identity Service exchanges the JWT for an access token.** The signed JWT is presented to SAP Cloud Identity Service, which is trusted by SAP SuccessFactors. SAP Cloud Identity Service validates the JWT against the trust rules you configure in the SAP Cloud Identity Service admin console and returns a short-lived access token that can only be used to query the SAP SuccessFactors OData API.
3. **The provisioning service calls the OData API.** Microsoft Entra provisioning service uses the short-lived access token to query the SAP SuccessFactors OData API. The access token includes a client ID that's mapped to a technical/API user in SAP SuccessFactors with role-based permission to access SAP SuccessFactors entities.
 
:::image type="content" source="./media/configure-workload-identity-sap-successfactors-provisioning/entra-sap-workload-identity-detailed-flow.png" alt-text="Diagram of the detailed runtime flow showing AT1 acquisition from Microsoft Entra, exchange for AT2 at SAP Cloud Identity Service, and the OData API call to SAP SuccessFactors." lightbox="./media/configure-workload-identity-sap-successfactors-provisioning/entra-sap-workload-identity-detailed-flow.png":::
 
### Token exchange sequence diagram

📋 Microsoft Entra Documentation Changes

📊 Summary

🆕 New Documentation Files

📝 Modified Documentation Files